Castleforce IT Security Team

Web Application Penetration Testing

A Web Application Penetration Test focuses solely on evaluating the security of a web application, rather than the wider infrastructure that hosts it.

The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

The first stage of the web application test is an unauthenticated penetration test of the application's public-facing content, up to and including the login page if one is present. This stage performs the following checks:

  • Web application scanning to identify public content (scope);
  • Web server hardening checks:
      • default configurations;
      • directory browsing;
      • inappropriate HTTP methods exposed;
      • WebDAV, FrontPage and other potentially dangerous services;
      • port scan to determine exposed services;
      • brute-force directory guessing of sensitive files;
  • Attempt to identify 'hidden' functionality;
  • Check all input parameters for proper input validation and sanitisation;
  • Check search and file upload functions for denial of service and other vulnerabilities;
  • SQL injection vulnerability checks;
  • Cross-site scripting (XSS) vulnerability checks;
  • Check for redundant files;
  • Information disclosure: default technical error pages;
  • Information disclosure: source code and configuration files;
  • Attempt to exploit navigation (forced browsing) to access restricted content;
  • Check the login page to determine whether form jumping or other bypasses are possible;
  • Parameter tampering in order to access restricted data;
  • Application architecture analysis to identify unknown threats.
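The following is an added example, not Castleforce's own tooling, of how three items on the list above (inappropriate HTTP methods, directory browsing and default technical error pages) can be checked programmatically. The analysis is separated from the HTTP client so it runs offline against the constructed sample responses below; `check_target()` is the live mode and its list of guessed paths is an assumption chosen for illustration, not a recommended wordlist.

```python
"""Hardening checks for a public-facing web server: dangerous HTTP methods,
directory browsing and verbose technical errors. Added example; the sample
responses are constructed, not captured from a real target."""
import re
import urllib.error
import urllib.request

# Methods a hardened server should not advertise unless the application
# genuinely needs them (WebDAV verbs included).
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PROPFIND",
                     "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Strings characteristic of auto-generated directory listings.
DIRECTORY_LISTING_MARKERS = (
    "<title>Index of /",       # Apache mod_autoindex
    "[To Parent Directory]",   # IIS directory browsing
    "Directory Listing For",   # Apache Tomcat
)

# (regex, label) pairs for default technical error output.
TECHNICAL_ERROR_PATTERNS = [
    (r"Traceback \(most recent call last\)", "Python traceback"),
    (r"<b>Warning</b>:\s+\w+\(\)", "PHP warning"),
    (r"at [\w.]+\([\w.]+\.java:\d+\)", "Java stack trace"),
    (r"Server Error in '.*' Application", "ASP.NET error page"),
    (r"ORA-\d{5}", "Oracle error"),
    (r"You have an error in your SQL syntax", "MySQL error"),
    (r"Unclosed quotation mark", "MSSQL error"),
]


def risky_methods(allow_header):
    """Return the dangerous methods listed in an Allow: header value."""
    if not allow_header:
        return set()
    listed = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return listed & DANGEROUS_METHODS


def is_directory_listing(body):
    lowered = body.lower()
    return any(marker.lower() in lowered for marker in DIRECTORY_LISTING_MARKERS)


def technical_errors(body):
    """Labels of every technical-error signature found in a response body."""
    return [label for pattern, label in TECHNICAL_ERROR_PATTERNS
            if re.search(pattern, body)]


def analyse_response(path, status, headers, body):
    """Pure analysis of one response; shared by the offline and live modes.
    `headers` only needs a case-insensitive-friendly .get(), so a plain dict
    (offline) or an http.client.HTTPMessage (live) both work."""
    findings = []
    for method in sorted(risky_methods(headers.get("Allow"))):
        findings.append((path, "dangerous HTTP method advertised: " + method))
    if status == 200 and is_directory_listing(body):
        findings.append((path, "directory browsing enabled"))
    for label in technical_errors(body):
        findings.append((path, "technical error disclosed: " + label))
    return findings


# Constructed sample responses: (path, status, headers, body).
SAMPLE_RESPONSES = [
    ("/", 200, {"Allow": "GET, HEAD, POST, OPTIONS, TRACE, PUT"},
     "<html><body>Welcome</body></html>"),
    ("/backup/", 200, {},
     "<html><head><title>Index of /backup</title></head>"
     "<body><a href='site.tar.gz'>site.tar.gz</a></body></html>"),
    ("/search?q='", 500, {},
     "<b>Warning</b>:  mysql_query() failed: You have an error in your SQL syntax"),
]


def demo():
    """Run the analysis over the constructed samples; returns the findings."""
    findings = []
    for path, status, headers, body in SAMPLE_RESPONSES:
        findings.extend(analyse_response(path, status, headers, body))
    return findings


def check_target(base_url, paths=("/", "/backup/", "/old/", "/.git/config")):
    """Live mode (assumed path list): OPTIONS the base URL, then GET each path."""
    def fetch(url, method="GET"):
        req = urllib.request.Request(url, method=method,
                                     headers={"User-Agent": "hardening-check"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:   # 4xx/5xx still carry a body
            return err.code, err.headers, err.read().decode("utf-8", "replace")
        except urllib.error.URLError:           # unreachable: nothing to analyse
            return None, {}, ""

    findings = []
    status, headers, body = fetch(base_url, "OPTIONS")
    if status is not None:
        findings.extend(analyse_response(base_url, status, headers, body))
    for path in paths:
        status, headers, body = fetch(base_url.rstrip("/") + path)
        if status is not None:
            findings.extend(analyse_response(path, status, headers, body))
    return findings


if __name__ == "__main__":
    for path, finding in demo():
        print(path, "->", finding)
```

Keep the signature lists short and specific: a marker such as "Parent Directory" on its own also matches ordinary navigation links, so each entry should be something only the server's default output produces.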

If the web application has user roles, the remaining test components are performed in an authenticated state and extend to the privileged content of the application. The following tests against business logic and authenticated/privileged functionality are also included. Typically, two sets of credentials are requested for each privilege level (role) within the application, since testing role isolation requires comparing what two users of the same role, and users of different roles, can each reach. This allows effective testing of the following key areas:

  • Cross-Site Request Forgery (CSRF, also written XSRF);
  • Privilege Escalation (roles and role isolation);
  • Form Jumping;
  • Security Administration;
  • Password Policy analysis;
  • Third party interfaces if present;
  • Appropriate use of encryption;
  • Session management.
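As an added example (not Castleforce's own tooling) of the kind of check performed under session management and CSRF, the script below inspects Set-Cookie header values for the Secure, HttpOnly and SameSite attributes, lists POST forms that carry no hidden anti-CSRF token, and applies some simple sanity checks to a sample of session identifiers. The cookie strings, HTML page and identifiers are constructed for illustration; the token-name regex encodes an assumption about how frameworks commonly name the field.

```python
"""Session-management and CSRF checks over captured responses. Added example;
all inputs below are constructed, not taken from a real application."""
import os
import re
from html.parser import HTMLParser

# Hidden-input names that usually carry an anti-CSRF token (assumed list).
TOKEN_NAME = re.compile(r"csrf|xsrf|token|nonce|authenticity|verification", re.I)


def cookie_issues(set_cookie_value):
    """Weaknesses in one Set-Cookie header value, e.g. 'sid=abc; Path=/'."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:                       # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.lower()] = value if value else True
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        issues.append("SameSite absent or None")
    if "expires" in attrs or "max-age" in attrs:
        issues.append("persistent (Expires/Max-Age set)")  # a finding for a session cookie
    return issues


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and hidden input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "hidden": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden":
                self._current["hidden"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def forms_without_csrf_token(html):
    """Actions of POST forms that carry no hidden input named like a token."""
    collector = FormCollector()
    collector.feed(html)
    return [f["action"] for f in collector.forms
            if f["method"] == "post"
            and not any(TOKEN_NAME.search(name) for name in f["hidden"])]


def session_id_warnings(ids):
    """Cheap sanity checks on a sample of session identifiers."""
    warnings = []
    if min(len(i) for i in ids) < 16:
        warnings.append("short identifier (< 16 chars)")
    shortest = min(len(i) for i in ids)
    if len(ids) > 1 and len(os.path.commonprefix(ids)) >= shortest // 2:
        warnings.append("long shared prefix")
    if len(ids) > 2 and all(i.isdigit() for i in ids):
        nums = sorted(int(i) for i in ids)
        if len({b - a for a, b in zip(nums, nums[1:])}) == 1:
            warnings.append("sequential values")
    return warnings


# Constructed sample inputs.
SAMPLE_COOKIES = ["PHPSESSID=abc123; Path=/",
                  "session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"]
SAMPLE_PAGE = """
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="/account/change-password">
  <input type="hidden" name="csrf_token" value="d41d8cd98f00b204">
  <input type="password" name="new_password">
</form>
<form method="POST" action="/account/change-email">
  <input type="email" name="email"><input type="submit" value="Save">
</form>
"""
SAMPLE_IDS = ["1001", "1002", "1003"]


def demo():
    """Run all three checks over the samples; returns a dict of results."""
    return {"cookies": {c: cookie_issues(c) for c in SAMPLE_COOKIES},
            "forms_missing_token": forms_without_csrf_token(SAMPLE_PAGE),
            "session_ids": session_id_warnings(SAMPLE_IDS)}


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, "->", result)
```

A form with a token-like hidden field is not proof of protection; the tester still replays the request with the token removed or swapped for another user's to confirm the server actually validates it.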


Security Methodology

To ensure that we conduct thorough, consistent security testing, our methodology conforms to and extends the following security guidelines and methodologies:

OSSTMM - The Open Source Security Testing Methodology Manual

OWASP - The Open Web Application Security Project

NSA - The US National Security Agency Guidelines

NSAC - The MI5 National Security Advice Centre Guidelines

Our penetration testing methodology brings together the best features of penetration testing and vulnerability assessment. We follow the comprehensive OSSTMM methodology to ensure testing covers all avenues of possible attack. However, unlike other organisations, we act like a real, professional hacking team, leveraging vulnerabilities discovered in one system to attack another in a recursive and adaptive manner. Throughout the test this process continues whilst we dynamically adapt our tools and techniques, generating combined and tailored attacks just like those used by professional hacking teams.



Web applications are increasingly becoming the target of organised hacking teams.

Security of these applications is of paramount importance to your customers, and you as a business; a breach will not only undermine customer confidence, it will bring with it a damaged reputation and financial loss.


Compliance Standards

Castleforce can help you meet PCI DSS:

  • Requirement 11: Regularly test security systems and processes;
  • Requirement 12.1.3: Includes a review at least once a year.

Castleforce can help you meet GCSx CoCo:

  • 2.4 Compliance Checking.