Web Application Penetration Testing Playbook

December 16, 20234 min read

Playbook Objectives:

  • To identify and exploit vulnerabilities in a web application belonging to a hypothetical company.
  • To improve the defensive strategies and response protocols of the security team.
  • To raise awareness about the importance of securing web applications against cyber threats.
  • To define clear and actionable remediation steps to prevent real-world exploits of similar nature.

Difficulty Level:

  • Advanced


  • Company Name: DataSecure Insurance, Inc.
  • Business Type: Insurance and Financial Services
  • Assets Involved:
    • Corporate Website: Customer portal for insurance services (datasecure-insurance.com)
    • Internal Employee Portal: Used for managing policies and customer data
    • Network Infrastructure:
      • On-premises data center hosting web servers, application servers, and databases
      • Use of third-party cloud services hosted on AWS for some insurance quoting functions
  • Employee Persona: John Doe, Senior IT Security Analyst at DataSecure Insurance, Inc.
  • Attack Story:
    • John Doe has been noticing an increase in targeted phishing campaigns against DataSecure’s employees, raising concerns that an adversary might be profiling the company for weaknesses.
    • DataSecure launches a new customer-facing web application designed to streamline policy management, attracting attention from both new customers and potential threat actors.
    • There has been an uptick in publicized breaches within the financial sector, putting pressure on DataSecure to ensure the robustness of their cybersecurity defenses.
    • The company board mandates a comprehensive Cyber Range exercise to test and improve the security of their web application infrastructure.


  • Web Application Security
  • Penetration Testing

Exercise Attack Steps:

  1. Reconnaissance:
    • Use tools such as Nmap, OWASP Amass, or Shodan to gather information about DataSecure’s public-facing web infrastructure.
    • Enumerate subdomains, IP ranges, and identify potential entry points for the attack.
  2. Vulnerability Scanning:
    • Conduct an automated scan using tools like OWASP ZAP or Nessus to detect common vulnerabilities (SQL injection, cross-site scripting, etc.) in the web app.
    • Analyze the results to prioritize potential exploit vectors.
  3. Exploitation:
    • Attempt to exploit discovered vulnerabilities using manual methods or tools such as SQLmap, Metasploit, etc.
    • Document successful exploitation techniques and capture proof of concept for each vulnerability.
  4. Post-Exploitation:
    • Explore the file system, escalate privileges if possible, and assess the potential for data exfiltration.
    • Mimic an attacker’s actions post-compromise to identify what data could be accessed or stolen.
  5. Privilege Escalation:
    • Perform tasks to escalate privileges on the webserver or the surrounding infrastructure—check for misconfigured permissions or vulnerable service configurations.
  6. Data Exfiltration:
    • Demonstrate the potential for sensitive data theft by securely copying data without exposing actual customer information.
  7. Maintaining Access:
    • Illustrate ways an attacker could maintain persistence on the compromised system using web shells or malicious service installations.
  8. Covering Tracks:
    • Detail methods used to clear logs and evade detection that would simulate an attacker’s steps to remain unnoticed.
  9. Incident Response:
    • Implement an incident response scenario requiring John Doe and his team to identify, contain, and eradicate the simulated breach.
  10. Reporting and Remediation:
    • Compile a detailed report outlining the weaknesses found, the methods used to exploit them, and offer guidance on strengthening the company’s web application defense measures.
    • Follow up with a meeting between the IT security team and the company board to discuss strategic changes to the security posture that accommodate the Cyber Range exercise findings.
  11. Lessons Learned:
    • Assess the effectiveness of the exercise and provide feedback on the incident response actions.
    • Arrange for a training workshop based on the exercise to cover identified security gaps and enhance the security team’s skills.
By running this lab exercise, DataSecure Insurance will significantly boost its ability to defend against real cyber threats targeting its web applications and will foster a culture of continuous improvement in cybersecurity practices.