Web Application Penetration Testing
Benefits of a web application penetration test
- External infrastructure of the underlying servers is security tested
Infrastructure-level vulnerabilities will be identified, such as weaknesses in web server patching and configuration.
- Ensure strong user segregation
Users should only access their own data. We identify opportunities to manipulate the application to circumvent authorization.
- Follow web application security best practices
The security test is a good opportunity to understand how your developers code and where they could introduce vulnerabilities, both in future applications and in those already in production.
- Upgrade and patch application software and libraries
Out-of-date and deprecated third-party software and libraries will be analyzed. These are sometimes neglected, or several versions of the same library are in use across the application, which can be detrimental.
- Business Logic testing
Logic testing identifies the ways that attackers could defraud you. E-commerce websites have been known to allow users to purchase items for less than their advertised price or even credit accounts.
Our approach to web application penetration testing
Our penetration testers follow a comprehensive 280-point checklist (and growing) covering the OWASP Top 10 in detail as well as the latest exploit techniques. Such tests include:
- The latest injection vulnerabilities
- Broken authentication
- Sensitive data exposure
- XML External Entities (XXE)
- Broken access control
- Security misconfigurations
- Cross-Site Scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging & monitoring
- Defacing the website
- Gain additional system information
Unauthenticated perspective penetration testing
Security testing from an unauthenticated perspective identifies vulnerabilities that could be exploited by users who are not authorised to use the application, potentially giving them access to sensitive information.
Authenticated perspective penetration testing
Security testing will also take place from the perspective of registered users. Authenticated users have access to more of the application with more functionality. The attack surface is increased and there is a greater potential to gain unauthorised access to personal data and backend systems.
Frequently asked questions
How safe is my application while you're testing?
Your application and data will be safe. We would prefer to test using test accounts that can be destroyed after we’ve finished testing.
Can you test using different user privilege levels?
We recommend that all user privilege levels are tested, depending on the size of the user base and the potential damage that could be caused.
Do I need to have a staging environment for testing?
We can test on your production environment for a realistic assessment or test on your staging environment to remove the potential for any disruption. Vulnerabilities discovered in staging can then be retested on the production application.
Is my customer data secure when you are testing?
This depends on the environment that we’re testing. If we are testing an application in production then there could be a risk to the data, but we don’t aim to affect any live information.