From Vectors to Verdicts: Web App Testing with Vector Command

If it’s online, it’s a target Web applications are no longer just business enablers, they’re often the front door to an organization. They can often generate revenue, enforce identity, connect systems and hold customer and business data. “ 75% of successful Vector Command breaches were conducted through web apps. ” – Principal Security Consultant, Vector Command Team at Rapid7 From SaaS platforms and identity providers to customer portals and internal tools, attackers increasingly rely on web applications as their initial access point. In fact, application-driven attacks account for a significant percentage of real-world breaches. But testing web applications for real risk isn’t the same as scanning for bugs; that’s where Vector Command (Rapid7’s continuous managed red team service) comes in. Figure 1: Vector Command Advanced How Vector Command approaches web applications Vector Command evaluates web applications the same way real attackers do, by asking a single question: Can this application be used to meaningfully compromise the organization? Rather than attempting to enumerate every possible vulnerability, Vector Command focuses on exploitation paths that lead to real outcomes, such as: Account takeover Session hijacking Abuse of SaaS trust relationships Access to internal systems through vulnerabilities, such as malicious file uploads, injection issues, or misconfigurations in common web frameworks Lateral movement across applications Exfiltration of source code, if found during a breach Testing begins without authentication against externally facing applications, the external attack surface, or to put it another way, what a potential threat actor can see. If legitimate paths exist – self-registration, broken authentication and authorization controls, misconfigurations exposing unintended application functionality, or overall poor site hygiene leaking information that needs further research – those paths are pursued as part of a broader attack chain. The result isn’t a long list of low-risk findings, but rather a clear picture of what actually works. Figure 2: Sample Vector Command findings, by status What Vector Command does not do Vector Command is intentionally not a replacement for a full web application penetration test, although Rapid7 does offer this service. It does not: Guarantee full application coverage. Perform DAST or SAST scanning. Enumerate non-exploitable low-severity or theoretical vulnerabilities. Review source code unless it’s obtained during an attack. If your goal is to understand every potential flaw in an application, a dedicated web app penetration test is the right approach. However if your goal is to understand whether your sprawling stack of externally facing applications can be used to break into your organization, Vector Command is designed for that purpose. A real-world example: when the ticketing system becomes the attack path In one recent Vector Command engagement, attackers didn’t exploit a zero-day or compl