Web App Penetration Testing

While network penetration testing is an essential part of an effective IT security management, it cannot detect vulnerabilities existing within your custom web applications which are developed by either your own or third-party web developers. Those web applications, if not securely developed and tested, could be the doorway for hackers to get into your computer systems. As such, it is important to pentest those web applications thoroughly before putting them in a production environment. It is well-known within the information security community that there are specific vulnerabilities that could exist in any insecurely designed web application; the following is a list of the most common web application vulnerabilities:

  • Cross Site Scripting (XSS)
  • SQL Injection
  • Malicious code injection
  • Lack of input validation
  • Improper authentication schemes
  • Session hijacking
  • Invalid client-server transactions
  • CGI vulnerabilities
  • Cookie theft
  • Privacy exposure
  • Logical flaws

Our information security professionals can attempt to penetrate your web application using automated and manual processes. They are able to find vulnerabilities that may reveal sensitive data, escalate access privilege, or cause denial of service (DoS). Our web application pentest follows a standard methodology – such as the Open Web Application Security Project (OWASP) – and typically involves the following steps:

  • Information gathering
  • Assessing configuration and deployment management
  • Assessing identity management
  • Assessing the authentication schemes
  • Assessing the authorization schemes
  • Assessing session management
  • Testing input validation
  • Testing error handling
  • Testing encryption schemes
  • Testing the business logic
  • Client-side assessment

The final step is to deliver a comprehensive report with an executive non-technical section that highlights the general security posture along with the most serious actions to take. The report also includes a detailed technical descriptions of all the steps undertaken in the test, all the discovered vulnerabilities and weaknesses, recommendations on how to remediate those vulnerabilities and how mitigate any risk.