12 Methods to perform Web Application Penetration Testing Based on OWASP.org

A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls. A web application security test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.


Before we start talking about the 12 steps we can perform, we should first know a little about:

What is a Vulnerability?
A vulnerability is a flaw or weakness in a system’s design, implementation, operation or management that could be exploited to compromise the system’s security objectives.

What is a Threat?
A threat is anything (a malicious external attacker, an internal user, a system instability, etc.) that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability.

What is a Test?
A test is an action to demonstrate that an application meets the security requirements of its stakeholders.

The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology:

4.1 Introduction and Objectives

4.2 Information Gathering

4.3 Configuration and Deployment Management Testing

4.4 Identity Management Testing

4.5 Authentication Testing

4.6 Authorization Testing

4.7 Session Management Testing

4.8 Input Validation Testing

4.9 Error Handling

4.10 Cryptography

4.11 Business Logic Testing

4.12 Client Side Testing

The many issues uncovered by web penetration testing should teach us, as programmers, how to build secure systems.