WEB APPLICATION PEN TEST
Verify Your Security With a Penetration Test
For sensitive or high value web applications, a comprehensive review is appropriate. CSG’s web app penetration testing fully identifies and evaluates web application vulnerabilities. Testing is performed with knowledge of the functionality available to users and their access levels to ensure a detailed review of the application.
Testing includes assessing applications for vulnerabilities listed in the OWASP Top 10, the Open Web Application Security Project’s ten most critical application security risks. Our web application security testing team will help to identify these and related vulnerabilities.
METHODOLOGY
CSG’s Comprehensive Testing Methodology
01. Reconnaissance
Conducting reconnaissance activities to locate information leakage, identify the technologies utilised, map application entry and functionality, and related tasks to guide testing.
02. Configuration And Deploy Management Testing
Testing the configuration of the underlying platform and infrastructure and identifying potential change control weaknesses such as the presence of orphaned code or code backup files.
03. Identity Management Testing
Verification, where appropriate, of account provisioning controls such as user registration processes or account enumeration.
04. Authentication Testing
Testing for authentication related weaknesses, such as insecure authentication, default credentials, or password weaknesses.
05. Authorisation Testing
Testing to validate authorisation controls against weaknesses such as privilege escalation or authorisation bypass.
06. Session Management Testing
An evaluation of session-related vulnerabilities such as session fixation, exposed session variables, and cross-site request forgery.
07. Data Validation Testing
Data validation testing including cross-site scripting, parameter tampering, SQL injection, and command injection.
08. Testing For Error Handling
Testing error handling issues as they relate to security, such as analysis of error codes and stack traces.
09. Testing For Weak Cryptography
Testing to evaluate the effectiveness of encryption related protections such as weak SSL ciphers.
10. Business Logic Testing
Testing to determine if the flow or architecture of the application can be manipulated to gain access to sensitive information through flaws in business logic or application workflows.
11. Client-Side Testing
Assessing vulnerabilities that commonly affect the client side of the application session such as JavaScript execution, CSS injection, cross-site flashing, and clickjacking.
Deliverables For Completed Test
The complete penetration testing results are documented in our content rich report which includes the background, summary of findings, detailed findings, scope and methodology, and supplemental content for context and reference. Samples are available upon request.
Background
An introduction to the general purpose, scope, methodology, and timing of the penetration test.
Summary Of Findings
A brief overview summarizing the results at a glance, such as key critical findings requiring priority attention, systemic or recurring issues, and other general results.
Detailed Findings
Comprehensive results for each vulnerability, including a description of the vulnerability observed, its impact, recommendations for remediation, evidence of where the vulnerability was observed, and step-by-step demonstrations of the exploits performed.
Scope And Methodology
A detailed recap of the specific scope of what was tested, the methodologies utilized, and related historical information necessary for audiences such as auditors to understand the specifics of the test approach.
Supplemental Content
Additional content and guidance, such as recommended post-assessment activities, that provides added value to the audience of the report.