The overwhelming majority of today's applications are based on web technologies: not only classic websites on the World Wide Web, but also applications in cloud and virtualization environments, on larger IoT devices such as smart TVs, and on smartphones and PCs.
Familiar examples include the Twitch app, Spotify, WhatsApp, Microsoft Teams, and Visual Studio Code. To be protected from the dangers that result from this, a website penetration test or a web application penetration test is recommended.
Like so many designations, "website penetration test" and "web application penetration test" are often used interchangeably. However, the two describe slightly different test approaches.
One has to admit, though, that the boundaries begin to blur as the depth of testing increases. Below, we want to make clear whether a website penetration test or a web application penetration test is more suitable for your specific case.
In practice, a web application penetration test (keyword: OWASP WSTG, the Web Security Testing Guide, as a frequently used test methodology) often takes one of two forms.
In the first case, the web application itself is tested. Unhindered by the restrictions and protective measures of the surrounding infrastructure, the test can find vulnerabilities in the application that would otherwise be fully or partially intercepted by those infrastructure measures or could not be exploited immediately. Such vulnerabilities would nevertheless always pose a danger from attackers who have the appropriate skill level, motivation and, above all, time. For this reason, a time-limited test is usually not sufficient. This approach is therefore useful for applications that are still under development or when a development environment is in place.
The second case also includes the infrastructure and its protective measures. It often occurs when the application is already in productive use and no development environment is available.
This is where the boundaries between web application penetration testing and website penetration testing slowly begin to blur.
The website penetration test focuses more on the infrastructure. Such a test is also often used if the application is not large or complex enough to justify a web application penetration test according to the OWASP Web Security Testing Guide.
In such a website penetration test, the servers that provide the application, as they were or would be set up for the productive environment, are primarily checked for vulnerabilities. This does not mean that the OWASP Web Security Testing Guide is not used in website penetration testing, only that it is applied to a lesser extent and in less depth.
Classic websites, single-server applications and most applications based on content management systems such as WordPress, Magento and Typo3 fall into this category.