Skip to main content

Overview

Security testing should be integrated throughout the Software Development Life Cycle (SDLC). This guide covers the three main penetration testing approaches and various automated testing methodologies you’ll use to analyze the Normo Unsecure PWA.
Legal Notice: You MUST only perform penetration testing on applications you own or have explicit written permission to test. Unauthorized penetration testing is illegal and can result in criminal charges.

Types of Penetration Testing

White-Box Testing

Full access to source code, architecture, and documentation

Grey-Box Testing

Partial knowledge of the application internals

Black-Box Testing

No knowledge of internal structure - external testing only

White-Box Penetration Testing

Definition: Testing with complete knowledge of the application, including source code, architecture, and infrastructure. What you have access to:
  • Complete source code (main.py, user_management.py, templates)
  • Database schema and structure
  • Configuration files and dependencies
  • Application architecture and design documents
  • Real-time access to logs during testing
Testing approach:
1

Code Review

Manually examine source code for security vulnerabilities
Example: Reviewing user_management.py
# Line 20: SQL Injection vulnerability identified
cur.execute(f"SELECT * FROM users WHERE username = '{username}'")
# ❌ Using f-string allows SQL injection
# ✅ Should use parameterized query: cur.execute("SELECT * FROM users WHERE username = ?", (username,))
2

Static Analysis

Use automated SAST tools to scan code without executing it
Running SAST tools
# GitHub Security Scanning (if using GitHub)
# Enable: Settings → Security → Code scanning

# Bandit (Python security linter)
pip install bandit
bandit -r . -f json -o bandit-report.json

# Semgrep
semgrep --config=auto .
3

Configuration Review

Check configuration files for security issues
main.py:70-73 - Configuration Issues
app.config["TEMPLATES_AUTO_RELOAD"] = True  # ⚠️ Performance impact
app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0  # ⚠️ No caching
app.run(debug=True, host="0.0.0.0", port=5000)  # ⚠️ Multiple issues
4

Architecture Analysis

Review overall design for security anti-patterns:
  • No authentication middleware
  • No input validation layer
  • Direct database access from routes
  • No separation of concerns
Advantages:
  • Identifies vulnerabilities early in development
  • Can find complex logic flaws
  • Complete code coverage
  • Can verify security controls are implemented correctly
Disadvantages:
  • Requires programming knowledge
  • Time-intensive for large codebases
  • May miss runtime-only issues
  • Can’t test third-party dependencies without source

Grey-Box Penetration Testing

Definition: Testing with partial knowledge of the application, typically having some documentation or limited access. What you might have:
  • API documentation
  • Database schema (but not source code)
  • User role information
  • Network architecture diagrams
  • Some access to logs
Testing approach:
1

Understand the Attack Surface

Map out all entry points and functionality
Mapping the Normo PWA
Endpoints:
- POST /index.html (login)
- POST /signup.html (registration)
- POST /success.html (feedback)
- GET /?url= (redirect)

Database tables:
- users (username, password, dateOfBirth)
- feedback (feedback)
2

Test with Known Patterns

Use knowledge of common vulnerabilities in similar applications
SQL Injection Testing (knowing database exists)
# Try common SQL injection patterns
username: admin' OR '1'='1
password: admin' OR '1'='1

# Expected if vulnerable: Authentication bypass
# Expected if secure: Login failure
3

Combine Automated and Manual Testing

Use DAST tools with targeted manual testing
Dynamic Testing with ZAPROXY
# Start ZAPROXY
# Configure browser to use proxy
# Manually interact with the app while ZAPROXY records
# Run automated spider and scanner
# Review alerts and verify findings manually
Advantages:
  • More realistic than white-box (simulates insider threat)
  • Faster than pure black-box testing
  • Can prioritize testing based on known risks
  • Good balance of efficiency and thoroughness
Disadvantages:
  • May miss vulnerabilities in unknown areas
  • Requires some documentation to be effective
  • Can’t verify all security controls

Black-Box Penetration Testing

Definition: Testing with no knowledge of internal structure - simulating an external attacker. What you have access to:
  • Public-facing URLs (e.g., http://127.0.0.1:5000)
  • User-facing interface only
  • No source code or documentation
Testing approach:
1

Reconnaissance

Gather information about the target
Information Gathering
# Check HTTP headers
curl -I http://127.0.0.1:5000

# Technology identification
# Look for clues: error messages, default pages, cookies

# Directory enumeration (not applicable to student testing)
2

Vulnerability Scanning

Use automated tools to discover vulnerabilities
ZAPROXY Automated Scan
1. Open ZAPROXY
2. Automated Scan URL: http://127.0.0.1:5000
3. Enable all scan policies
4. Start scan
5. Review alerts (SQL Injection, XSS, CSRF, etc.)
3

Manual Exploitation

Test discovered vulnerabilities manually
XSS Testing in Feedback Form
// Test payload
<script>alert('XSS')</script>

// If successful, script executes when viewing feedback
// Try advanced payloads:
<img src=x onerror=alert(document.cookie)>
<svg onload=alert(1)>
4

Brute Force Testing

Attempt credential attacks and input fuzzing
Common Username Testing
# Try default credentials
admin:admin
admin:password
root:root

# Use common username/password lists
# https://github.com/danielmiessler/SecLists
Advantages:
  • Simulates real-world external attacker
  • No bias from knowing the code
  • Tests the actual deployed application
  • Can discover configuration and deployment issues
Disadvantages:
  • Time-consuming to discover all functionality
  • May miss complex vulnerabilities
  • Limited code coverage
  • Cannot verify security controls were implemented

Automated Testing Methodologies

Static Application Security Testing (SAST)

What it is: Automated analysis of source code without executing it (white-box approach).
SAST tools parse and analyze source code to identify:
  • SQL injection patterns
  • XSS vulnerabilities
  • Hardcoded credentials
  • Insecure cryptographic usage
  • Path traversal vulnerabilities
  • Command injection
  • Unsafe deserialization
Process:
  1. Tool parses source code into abstract syntax tree (AST)
  2. Analyzes data flow and control flow
  3. Matches patterns against vulnerability signatures
  4. Reports findings with severity and location
Advantages:
  • Can be run early in development
  • 100% code coverage
  • Fast and automatable
  • No need for running application
Disadvantages:
  • High false positive rate
  • Cannot detect business logic flaws
  • Cannot find runtime-only issues
  • Requires access to source code

Dynamic Application Security Testing (DAST)

What it is: Automated testing of a running application without access to source code (black-box approach).
DAST tools interact with the application like a user would:
  1. Spider/Crawl: Discover all pages and functionality
  2. Attack: Send malicious payloads to inputs
  3. Observe: Analyze responses for vulnerability indicators
  4. Report: Document confirmed vulnerabilities
Detection methods:
  • Response analysis (error messages, stack traces)
  • Timing analysis (SQL injection, timing attacks)
  • Pattern matching (XSS reflected in response)
  • State changes (authentication bypass)
Advantages:
  • Tests actual running application
  • Low false positive rate
  • Discovers runtime and configuration issues
  • No source code required
Disadvantages:
  • Requires deployed application
  • Limited code coverage
  • Cannot test all code paths
  • Runs late in SDLC

Comparing SAST and DAST

AspectSASTDAST
Testing typeWhite-boxBlack-box
When to runDuring developmentAfter deployment
Code coverage100%Limited to discovered paths
False positivesHighLow
FindsCode-level issuesRuntime issues
SpeedFastSlower
SetupNeeds source accessNeeds running app
Best forSQL injection, hardcoded secretsConfiguration, authentication bypass
Best practice: Use both SAST and DAST together for comprehensive coverage. SAST catches issues during development, DAST verifies they’re exploitable in the running app.

Code Review Checklist

When performing manual white-box testing, use this checklist:
  • Is sensitive data stored that is not required?
  • Are passwords encrypted before storage?
  • Is sensitive data logged in error messages?
  • Can users download and delete their data?
  • Is there a privacy policy?
  • Who has access to log files?
  • Are users authenticated or treated as anonymous?
  • What authentication factors are used?
  • Are there password complexity requirements?
  • Is there a password age policy?
  • Are failed login attempts tracked?
  • Is there account lockout after failed attempts?
  • Are there different user roles?
  • Is authorization checked on each request?
  • Are sensitive files protected from unauthorized access?
  • Can users access other users’ data?
  • Is user-submitted data validated?
  • When is data validated (on input or use)?
  • What validation method is used (whitelist/blacklist/regex)?
  • Are parameterized queries used for database access?
  • Is output encoded to prevent XSS?
  • What error handling approach is used?
  • What error details are shown to users?
  • Are errors logged with enough detail?
  • Are database errors handled securely?
  • Is debug mode disabled in production?
  • How is session state managed?
  • How is session ID generated?
  • Are previous sessions invalidated on login?
  • Are tokens used? What algorithm?
  • Are there session timeouts?
  • Is there a logout function?
  • Is logging implemented?
  • Where are logs stored?
  • Is unvalidated input logged?
  • Are log messages timestamped?
  • Is sensitive data written to logs?
  • Are encryption algorithms used (SSL/TLS/RSA)?
  • Are passwords hashed with salt?
  • Where are crypto libraries from and what version?
  • Is HTTPS enforced for all communication?

Practical Testing Examples

Testing for SQL Injection

# Review user_management.py:20
cur.execute(f"SELECT * FROM users WHERE username = '{username}'")
# ❌ Vulnerable: f-string allows injection
# Proof: username = "' OR '1'='1" bypasses authentication

Testing for XSS

# Review user_management.py:56-59
f.write(f"{row[1]}\n")  # ❌ No HTML escaping
# Vulnerable: Any <script> tag in feedback will execute

Tools and Resources

Penetration Testing Tools

ZAPROXY

Free, open-source web application security scanner

Burp Suite

Industry-standard web security testing platform

Wireshark

Network protocol analyzer for traffic inspection

CyberChef

Web app for encoding, decoding, and analyzing data

Test Payload Resources

Network and Infrastructure Tools

Testing Workflow for Normo PWA

1

Phase 1: White-Box Code Review

  • Clone the repository
  • Read all source files (main.py, user_management.py, templates)
  • Document vulnerabilities found in code
  • Run SAST tools (Bandit, Semgrep)
  • Create a vulnerability inventory
2

Phase 2: Deploy in Sandbox

  • Set up isolated testing environment
  • Deploy application: python main.py
  • Verify app is running: http://127.0.0.1:5000
  • Never deploy to production!
3

Phase 3: Grey-Box Testing

  • Use knowledge from code review to target specific vulnerabilities
  • Test SQL injection with crafted payloads
  • Test XSS in feedback form
  • Test CSRF attacks
  • Test open redirects
  • Monitor logs during testing
4

Phase 4: Black-Box DAST

  • Run ZAPROXY automated scan
  • Review all alerts
  • Manually verify findings
  • Test for additional vulnerabilities not found by scanner
5

Phase 5: Document and Report

  • Catalog all vulnerabilities found
  • Assess impact and severity
  • Provide proof-of-concept exploits
  • Recommend remediation steps
  • Include code examples of fixes

Next Steps

Explore Vulnerabilities

Detailed documentation of each vulnerability

Mitigation Guides

Learn how to fix discovered vulnerabilities

Architecture Review

Understand the application structure

Secure Coding

Best practices for secure development

Build docs developers (and LLMs) love

Get started for freeTalk to us