Skip to main content

Web Application Backend Testing

Using the information collected so far, you should have a pretty good idea of what kind of environment the backend web server is running, and the URL’s that are used to access it. A full web application penetration test should be performed against the backend environment.

Certificate Pinning

The first obstacle that is typically faced when performing a backend web test is certificate pinning. SSL Certificate Pinning is the process of configuring a mobile app to only connect to the host of the public key included with the app and rejecting all others!

This becomes an issue when we attempt to proxy the HTTP traffic through a tool such as Burp Suite. Since the first certificate in the connection will be made to Burp Suite, the app will compare that to the stored public key which will obviously fail since they will not match.

On a rooted device, certificate pinning is easy to bypass. There are several options available to seamlessly bypass this check. However, this process consists of “hooking” into the running process and modifying the pinning responses on the fly. Anytime the process has been hooked, there is always an increased chance of causing issues or undesired behavior.

Automated Scanners

The use of automated scanners is somewhat complex when dealing with mobile applications. The biggest issue is getting the mobile device on to the same network as the scanner VM’s. In many cases, the mobile app simply offers a way to connect and use the existing web app. However, when performing a mobile app test, ensure you are only testing the web-based components that are available to the mobile app.

The best solution is to use a scanner that is on your laptop, such as the Burp Suite Pro automated scanner. This way you can interact with the scanner, and focus on the functionality is truly part of the mobile app.  

Testing Guide - Web App Checks

If you have access to test the back-end web servers, then you should perform as much testing against the back-end application.

User Enumeration

User enumeration is when an attacker tries to either guess or confirm valid users in a system. While it is often considered a web application vulnerability, it can also be found in any system that requires user authentication. Two of the most common areas where user enumeration occurs are in a site's login page and its ‘Forgot Password' functionality. Typically, an attacker is looking for differences in the server's response based on the credentials that were tried.

For mobile apps, user enumeration can occur in the web back-end or locally on the device if Local Authentication is in use. In these cases, the user information would be stored on the device somewhere.

Mobile App Caveats

In addition to the web checks, ensure the following are checked for as they relate to the mobile app.

  • Focus should also be made for a full evaluation of the authentication & authorization facility as it relates to the mobile app.

  • Session and Authentication almost always included:

    • Authentication Key Points
      • Check if authentication is occurring server-side
      • Attempt client-side bypass if authentication occurs on the device
      • See if client-side storage of data is being used (such as credentials)
      • Check the app for a “Remember Me” function and if it stores the credentials on the device
      • Check for persistent authentication
      • Access portions of the mobile app or web service that we are not authorized to view (such as admin functionality), if available
    • Session Key Points
      • Is the session properly invalidated when no longer required?
      • Timeout periods implemented according to the sensitivity of the data
      • Insecure passing of tokens
      • Privilege escalation
      • Can the session be captured via network traffic or binary examination?