So often these days what is presented as a “Web Application” is in fact a CMS (content management system) which has been customized to a greater or lesser extent. I sometimes feel that we take the wrong approach to this type of site. What it is important to be clear about is what level of customization has occurred, and at what point the backend code transitions into custom development. For example, testing the basic functionality of WordPress or Drupal or Umbraco as though you were doing a from-scratch black box application test is a recipe for wasting the majority of your time, because things like cross-site scripting protection have been tested to bits already. I’m not saying that there are no security vulnerabilities in these products, or that these can’t be found given sufficient effort, just that this type of vulnerability is not likely to be discovered in the context of a three-day ‘test lite including reporting’.
So in these cases I think what makes more sense is to have an up front discussion with the customer’s developer on what customization has been done, and then focus the black box type efforts around the changed code (I’ve found XSS on more than one occasion where developers have actually disabled the safeguards built into the product). Then for the rest of the site, get credentials, and carry out an actual configuration review of the way the system is set up.
To give an example of this, I used to test quite a lot of SharePoint sites, and whilst I never found an actual vulnerability of the stored XSS type in Microsoft’s code (my former partner did once), I found plenty of configuration issues, including one where all the confidential data belonging to individual customers was actually available to anyone who knew the URL to go to. Often with products like WordPress there is more value in checking some basic things like versions of the product and installed plugins than there is in attempting to retest the entire input validation scheme from scratch. This is also an area where knowing specific facts about the CMS in use is extremely useful, as is downloading and installing the code and taking a look for default files – luckily most of these systems are freely available (if not in fact actually open source).
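As an added illustration of the basic configuration-review checks mentioned above (example code, not from the original post), here is a small Python helper that reads a WordPress install tree and reports the core version, the installed plugin versions and any default files still sitting in the web root. The file layout and header formats it parses are WordPress's own; the default-file list and the miniature install it builds for itself are constructed.

```python
import os
import re
import tempfile

# Files WordPress ships that a live site need not serve (constructed policy list).
DEFAULT_FILES = ["readme.html", "license.txt", "wp-config-sample.php"]

def core_version(root):
    """Read $wp_version from wp-includes/version.php (real WordPress layout)."""
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as fh:
        m = re.search(r"\$wp_version\s*=\s*'([^']+)'", fh.read())
    return m.group(1) if m else None

def plugin_versions(root):
    """Map each plugin directory to the Version: header of the PHP file that
    carries its Plugin Name: header (the same files WordPress itself scans)."""
    found = {}
    plugins = os.path.join(root, "wp-content", "plugins")
    for name in sorted(os.listdir(plugins)):
        pdir = os.path.join(plugins, name)
        if not os.path.isdir(pdir):
            continue
        for php in sorted(f for f in os.listdir(pdir) if f.endswith(".php")):
            with open(os.path.join(pdir, php), encoding="utf-8") as fh:
                text = fh.read()
            if "Plugin Name:" not in text:
                continue
            m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.M)
            found[name] = m.group(1) if m else "unknown"
            break
    return found

def leftover_defaults(root):
    """Default files still present in the web root."""
    return [f for f in DEFAULT_FILES if os.path.exists(os.path.join(root, f))]

def build_sample_tree():
    """Constructed miniature install so the example runs offline."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "wp-content", "plugins", "demo-forms")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(plugin)
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '6.0.0';\n")
    with open(os.path.join(plugin, "demo-forms.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Demo Forms\nVersion: 1.2.0\n*/\n")
    open(os.path.join(root, "readme.html"), "w").close()
    return root
```

Point `core_version`, `plugin_versions` and `leftover_defaults` at a real web root (rather than `build_sample_tree()`) and compare the versions against the vendor's current releases as part of the review.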