Web Application Penetration Testing

A Web platform penetration test makes it possible to assess the security of the server configuration and of the application software (Web applications and APIs).

Aim of a Web pentest

Web applications are a particularly vulnerable part of information systems, due to their high level of exposure to attacks and the lack of security awareness among development teams observed in many companies.

The purpose of a Web pentest is to assess the robustness of your Web platform: servers, front/back office applications, Web services and APIs. The result is an operational report that enables developers to correct the identified security flaws. For software publishers who wish to provide deliverables to their clients or partners, Vaadata can produce a second report certifying that the security flaws have been corrected.

The scope of a Web security audit is defined according to the desired aim:

  • What must be included in, and what excluded from, the pentest? (Web application, APIs, third-party services, showcase site, etc.)
  • What is the required level of detail: a search for so-called major vulnerabilities only, or a search for all vulnerabilities?
  • What level of risk is to be tested: external attacks only (black box penetration testing), or also attacks from a user account (grey box penetration testing)?
  • Must specific types of test be included? (social engineering, etc.)


Stages of a Web pentest

Kick-off Meeting

Customer goals are gathered and rules of engagement obtained.

Discovery

We perform scanning and enumeration to identify potential vulnerabilities, weak areas and exploitable conditions.

Vulnerability Analysis

We perform automated and manual vulnerability discovery and correlate the findings with threat intelligence.

Exploitation/Attack

We confirm potential vulnerabilities through exploitation and perform additional discovery from any new access obtained.

Remediation Validation

We re-test vulnerabilities after fixes to validate the security improvements and provide confirmation of closure.

Reporting

We document all vulnerabilities and exploits found, failed attempts, and the company's strengths and weaknesses.

Web application penetration testing

cig-security looks for vulnerabilities related to features, to the implementation and use of third-party components, to the server and its various services, to security configurations, etc.

Tests may focus only on technical elements or may also include social engineering.

Web server penetration testing

Penetration tests of Web servers focus on finding vulnerabilities specific to the configuration of the infrastructure that hosts the services. Examples of common vulnerabilities:

  • Open and poorly protected services
  • Software that is not kept up to date (operating system, FTP server, etc.)
  • Security controls that can be bypassed
  • Configuration errors

Penetration testing of the application layer

Penetration testing of the application layer accounts for most of the audit. Examples of common security flaws:

  • Injection flaws (notably SQL and command injection)
  • Broken authentication and session management
  • Exposure of sensitive data
  • Missing or insufficient access control
  • Cross-Site Scripting (XSS)

The application pentest covers both technical flaws and logic flaws (flaws in the workflow). A logic flaw exists when the normal operation of the application, one of its logical stages, or the intended process can be bypassed or skipped.
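The first item on that list, shown as an added example that is not part of the original page or of cig-security's own material: the same user lookup written once with string concatenation and once as a parameterised query, run against a constructed in-memory SQLite table. The table, the sample rows and the function names are assumptions made for the demonstration; the point is that bound parameters are treated as data and can never change the meaning of the statement, which is the fix a pentest report asks for under "injection flaws".

```python
"""Added example (not from the original page): one user lookup written two ways,
to show why SQL injection is the classic application-layer finding and what the
remediation looks like. All names and data below are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows.

    Passwords are stored in clear text only to keep the demo short; a real
    application stores a salted hash, which does not change the injection lesson.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Flawed version: user input is concatenated into the SQL text, so it becomes
    part of the statement's grammar rather than a value being compared."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Remediated version: placeholders are bound by the driver, so the input is
    always a literal value and the WHERE clause keeps its intended meaning."""
    query = (
        "SELECT username FROM users WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    """Run both lookups with a tautology in the password field and with the real
    password, and return the matched usernames for each case."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input that closes the quote and adds an always-true clause
    return {
        # Concatenation turns the clause into (username='alice' AND password='') OR '1'='1',
        # which matches every row: authentication is bypassed.
        "vulnerable_with_bad_password": find_user_vulnerable(conn, "alice", tautology),
        # The same string bound as a parameter is compared literally and matches nothing.
        "safe_with_bad_password": find_user_safe(conn, "alice", tautology),
        # The parameterised lookup still works for a genuine login.
        "safe_with_real_password": find_user_safe(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {matched}")
```

The vulnerable function returns both users for a password that is not a password at all, while the parameterised one returns an empty list for the same input and the expected single row for the real credential. During remediation validation this is exactly the before/after behaviour a re-test checks for.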

See What We Can Do For You

Download a sample penetration test report to see the results we can deliver for your organization.

Ready to Get Started?

See How We Can Secure Your Assets

Let's talk about how cIG can solve your cybersecurity needs. Give us a call or submit your information below and our representative will be in touch to help you build a more resilient security operation today.

Call Us On: +267 - 74657500 | Email: hello@cyberintrustionguard.com
