Web Application Penetration Test
A web application may refer to either a presentation website or a complex information system. We can handle both and will tailor the test to your specific needs.
Benefits
Web applications are often developed to meet the exact needs of their operator. This uniqueness also brings unique security weaknesses that may appear in the application. Because of this, web applications are among the most common, and often the easiest, targets for attackers.
Web applications available from the internet are constantly exposed to automated scans that try to exploit potential vulnerabilities.
Some issues can be found using automated tools, but certain types of vulnerabilities, such as application logic flaws, require a human touch. That’s why we always combine advanced automated tools (including commercial ones) with thorough manual testing.
Testing Process
Testing can be done from the point of view of an anonymous user (black box), an authenticated user (grey box), or with extensive knowledge of the environment, for example including access to backend source code (white box). The more information the tester has, the more accurate and useful the results may be. In practice, grey box testing is the most common.
Depending on the size of the application, tests may last from several days to several weeks.
Our testing process is based on the OWASP WSTG (OWASP Web Security Testing Guide). We also take into account the list of common vulnerabilities from the OWASP Top 10, draw inspiration from the checklists provided in the OWASP ASVS and share experience from many previous projects across our testing team.
Our tests always cover all areas defined by OWASP WSTG, including:
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing
- Client-side Testing
Other types of testing
Many modern web applications rely on APIs. If there’s no web frontend, we also offer tests of standalone APIs. We can also test mobile and desktop applications.
A more detailed analysis of the source code of a web application can be performed as part of a code review.
We also offer a wide range of other penetration testing services; see Penetration Testing – Overview.
Final Report
The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.

Sample report
Example output showcasing the quality of our work.
Any questions?
If you are interested in more details, please contact us.