How to Prepare for Your Web Application Penetration Test

So, you’re investing in cybersecurity and are having a web application penetration test performed. No matter your reasons for doing so—whether you’re satisfying compliance requirements, a customer request, internally assessing your flagship service offering or confirming security policies—this is a great step towards strengthening your defenses.

But now that you’ve decided to move forward, it’s time to dig in and prepare. If you’re not sure where to start or what’s involved, don’t worry. Our very experienced team of penetration testers has performed over 200 assessments in just the last year, those specific to web applications among them. In this article, we’ll reiterate what a web application penetration test is, its objectives, and the information you’ll gain after performing one. We’ll also provide a list of items to prepare for your chosen penetration testers ahead of your assessment.

That way, you’ll be able to streamline your process more easily and reach the end—and the results regarding your vulnerabilities—that much quicker.

What Is a Web Application Penetration Test?


The simulation of an attack on either an external or internal web application in an attempt to gain access to sensitive data and determine whether the application is secure.


To identify and exploit vulnerabilities within the application and its components (e.g., source code, database, back-end network) that apply to OWASP Flagship Projects, such as the OWASP Top 10, Application Security Verification Standard (ASVS), and Web Security Testing Guide (WSTG).

How Does It Work?

After performing reconnaissance and identifying flaws in authentication, access controls, database interaction, and application logic, among others, your Pen Test Team will attempt to exploit these vulnerabilities.

**If you’re working with Schellman, our team will also seek to concentrate different vulnerabilities together to chain together more complex and higher severity attacks.

What You’ll Learn

After this essential health check of your web application, you’ll understand:

  • How possible it is for a hacker to access your data from the internet
  • How secure your email servers, web hosting sites, and servers are
  • Whether you need remediation or to implement further security measures.

An Important Note for Organizations Working with Schellman: We do not perform Distributed Denial of Service (DDoS) attacks to test the availability of a service. While we may discover vulnerabilities that result in likely Denial of Service (DoS) conditions, typically these are verified as much as possible but will not be exploited. Only manually verified findings will be included in our final report, and there will be no false positives.

5 Things to Provide for a Web Application Penetration Test

To facilitate all this, your Pen Test Team will need several things before they can get started with their attempted breach of your web application. Here’s a list of items you’ll need to prepare to either provide or do to ensure smooth sailing through the process:

  1. Two Tenants Within the Application
    Consider this like onboarding two new customers—you’d most likely provide them each their own environment (or tenant) within your application.
    • Why Does Your Pen Test Team Need This? Having access to two test tenants allows us to test for horizontal privilege escalation, which basically means checking to see if customer 1 can somehow get to customer 2’s data when that shouldn’t be possible.
  2. Credentials
    Within each tenant, you’ll also need to provide credentials for both an administrator (or higher-privileged role) and a standard user (or lower-privileged role). At Schellman, we start testing with the highest and lowest level you would provide a client, and—if there are other different privilege roles available—we’ll add more users throughout the process.
    • Why Does Your Pen Test Team Need This? We perform every web application assessment from an authenticated posture. Having two users with different roles allows us to test for vertical privilege escalation methods, which is to say, can a non-admin user access data or features only an admin should be able to use or see?
  3. Lower External Application Security Controls.
    You’ll need to allow traffic through any technical security controls that could impact testing, including any web application firewall (WAF) in place.
    • Why Does Your Pen Test Team Need This? Penetration tests are performed within a designated window, which means the Pen Test Team only has a limited amount of time to get through the work. That time would be better spent identifying as many vulnerabilities as possible so that you gain the most value, and allowing us to more quickly interact directly with the application helps with that. Lowing the WAF will help us—and you—best understand and fix the real issues.
  4. Perform an Application Demo
    This should only take a 30-minute call to go over the main features or use of the application with your Pen Test Team. This call will be recorded and referenced when the actual test begins.
    • Why Does Your Pen Test Team Need This? To efficiently attack the application, we first must understand how it is meant to be used. Understanding your specific business risk is a vital part of all our assessments.
  5. Sample Data
    Populate the application with as much user data as possible. If you’re not sure where to start with this, you might consider leveraging data from a demo environment that you usually use to demonstrate your application to a customer.
    • Why Does Your Pen Test Team Need This? An application prepopulated with sample data allows us to hit the ground running with a better understanding of how important features are used. We’ll still go through the process of creating our own test data, but your provided sample data lets us spend more time focusing on identifying vulnerabilities.

Other Tips for Your Web Application Penetration Test

In addition to these steps and information provided, you should also tell your security operation center (SOC) or internal Blue Team that a web application pen test is scheduled and provide them with any public IP address ranges to be used by the Pen Test Team. (Schellman specifies these in our authorization letter.) They’re not trying to be stealthy or stay undetected—your Pen Test Team is only concerned with highlighting as many manually verified issues and providing actionable feedback within the limited timeframe available.

Taking all these steps should help you make the most of said limited time frame, as will taking some of these. If you’re also considering other penetration tests to evaluate your cybersecurity, check out our other content that will break down some key aspects:

If you find you still have any pressing concerns or questions regarding the intricacies of penetration testing—or if you’re interested in engaging the Schellman team to perform one—contact us today.

About the Author

Josh Tomkiel

Josh Tomkiel is a Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.

More Content by Josh Tomkiel
Previous Flipbook
Schellman’s CSET Ransomware Guide
Schellman’s CSET Ransomware Guide

Next Flipbook
Introducing Schellman SPIRRIT
Introducing Schellman SPIRRIT

Schellman SPIRRIT seeks to enable small or underserved businesses better prepare for disruptive cyber incid...

Now Providing C5 Examinations

Learn about C5