Ready to Start Your Career?

Cloud-Based Application Penetration Testing

Hari Charan's profile image

By: Hari Charan

December 6, 2016


Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more. But most of the organizations are in a notion that security is a service providers job. Yea, I do agree but at the same time, we are also responsible for ensuring the security of the application which we put on the cloud. Conducting Penetration Testing on your own application on Cloud should be done meticulously.

cloudeverywhereThere is a process to start with and there are many factors to consider before performing penetration testing on a cloud network. Before that, you need to know cloud service models, such as:Software as a Service (SaaS)Infrastructure as a Service (IaaS)Platform as a Service (PaaS)

SaaS (Software as a service)In this service, clients would be provided access to application services which are already installed on the server. Since it’s already built, the client doesn't need to worry about installations, coding, patches. Clients can access the software with their browsers. To avail, this client doesn't even need to download or install anything. Each and everything would be provided by the cloud service providers. The only thing that client need to do, pay for the usage. For example Hotmail, Gmail is considered as SaaS. You do not own the applications but you’re using the services which are provided by Google or so.

IaaS (Infrastructure as a service)In this service, clients would be provided with the infrastructure required like VMs, WAF, Load balancers, VLANs. It’s more like a building your own software infrastructure with resources provided by the Cloud service providers. This is helpful in cost reduction, maintenance. Clients only need to pay for the resources they avail. IaaS clients have more control over their infrastructure than clients of PaaS or SaaS services. But this requires a lot of technical knowledge. There are many IaaS providers, Amazon Web Services, Microsoft Azure, Rackspace are most popular.

PaaS (Platform as a service)In this service, the client would be provided with a platform on which software can be developed and deployed with ease. Platforms include operating systems, preinstalled database, web server, hardware and network infrastructure are taken care of service providers, so clients just need to think about business and development. So most of the organizations prefer PaaS to avoid investing in hardware resources. Clients only need to pay for the platform and resources that have been picked. Again Microsoft Azure services are most popular and widely used.


I hope now you have a good understanding of SaaSPaaS, and IaaS models. Apart from these models, you need to know what is Public, Private cloud hosting. I’ll just make it simple for you. Just make a note of it, here security comes into the picture.Public cloud hosting, here service providers use the internet to make resources available to the public but you need to pay for the usage. These are inexpensive since hardware, bandwidth costs are covered by the provider itself. The biggest disadvantage is that your server is in a different country which is governed by different security policies. Let’s see Private cloud hosting, here service providers assure the security of your resources, web server which could be under firewall protection. Compared to the public cloud, private cloud more secured but it’s expensive.

You may wonder, the title of this article is misleading. Why do you need to know all these penetration testing of your own application? You may end up somewhere if you just Pen-test your cloud-based application without any approval of cloud service providers. Moreover, they would consider this as Hacking. Since when you’re testing, you may send too many requests to the server which could be considered as Denial of service attack. That’s the reason you need an acknowledgment from service providers to initiate pen testing.

To test the applications in IaaS/PaaS models, you should know what are the other applications and technology running in your own cloud and also you need to get an access to all your servers & hosts including databases to perform internal penetration testing(when you’re in the network). Then you can start with authenticated scanning, testing authentication etc… The main reason behind this testing would be, you need to know what an intruder can do when he’s already inside the network. That’s how you can analyze how secure you’re. You can not perform external(outside the network) penetration testing unless you get an approval from providers. Even though it’s not effective since many service providers use FirewallsWAFHoneypots, IDS, IPS to prevent scanning, Denial of service and other attacks.

In general, cloud service providers assure the security of a network, infrastructure but not the security of your application. So we can Pen-test our applications to find the client-side vulnerabilities. You may cover OWASP top 10 web vulnerabilities. Before that, there are a few cornerstones which need to be considered.

Design a Penetration Testing PlanYou should have an SLA (Service level agreement). This will vary from model to model again. That’s the reason we need to the different types of service models as mentioned above. Define what is in scope. What are the applications and which databases would be involved in this testing? If you’re availing IaaS or PaaS models, you may need to audit the architecture design, patch management documents, and policies. How the features would be tested. What are tools to employ and adopt methodologies to perform penetration testing? It’s our responsibility to state who is responsible for what through this SLA.

Read policies & get an approval for pen testing from the service provider I can offer you hints with two examples from Microsoft Azure, AWS. Both providers have their own policies. You need to send a request from their portal mentioning the tools you been using, features to be tested etc.reference:Microsoft Azure: need to make sure to work with your service provider for recommendations when you perform pen testing. Most will have a process to follow that will yield the best results from your effort.

Tools to employWe must choose right tools for testing. You need to mention the automated tools which you’ve employed for testing such as Burpsuite, ZAP etc..You need to have a clear picture and should be documented, how you gonna start testing and what are the commands you’ve issued while testing. Taking screenshots is a best practice even for reporting and for your documentation. You should never use tools which simulate an actual attack such as DOS. There are few standard tests that you can perform such as Open Web Application Security Project (OWASP) top 10 vulnerabilities mainly SQL injections. Fuzz testing of your endpoints. Port scanning of your endpoints.

ReportingOnce you’re done with testing, you need to document all your findings with screenshots and how you’ve encountered. A technical report should describe in detail the scope, information, attack path, impact and suggestions of the test which helps your dev team to fix the vulnerabilities; whereas the executive summary should state risk ranking. Here’s what I think about reporting. Anyway, it varies from org to org.


Analysts should think about the mentioned points and comply with providers policies before getting into trouble. I repeat again, we need to raise a request to cloud service providers for penetration testing the apps hosted on the cloud such as Azure, and AWS.



Schedule Demo