Web Application Penetration Testing
Web Application Vulnerability Testing
- A web application vulnerability assessment identifies and analyzes an organization's web properties to give a current view of the vulnerabilities they expose and the threats those pose to the enterprise and its users.
- Assessments begin by spidering the client website or application to identify the pages, forms and input methods available to users.
- Once that baseline is gathered, a series of tests is run against the identified pages and forms to determine whether vulnerabilities in the OWASP Top 10 categories, or other classes of weakness, exist in the website or application.
- Sample of risk categories examined during an assessment:
- Configuration management
- Secure transmission
- Authentication
- Session management
- Authorization
- Data validation
- Denial of service
- Business logic flaws
- Weak or outdated cryptography
- Results are analyzed by our security analysts, ranked by risk and provided to clients, along with remediation instructions.
Web Application Penetration Test
- A web application penetration test involves simulating real-world attacks in an attempt to exploit identified weaknesses in a website or web application.
- Using the baseline information previously gathered, RMCyberEthic uses Metasploit and other publicly available tools, together with manual probing, to perform a more in-depth analysis that will:
- Test identified pages, forms, and input methods for a number of significant risks, including the OWASP Top 10 (2013 edition):
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
- Leverage the exploitable vulnerabilities to obtain unauthorized access to data, perform unauthorized transactions, or launch further attacks on end users (only where the engagement's rules authorize it)
- Collect evidence to prove the extent of the access obtained
- Results are analyzed by our security analysts and formulated into a report identifying successful attack vectors and the extent of the information obtained.
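The two steps described above, building a baseline of pages and form inputs by spidering and then testing each input, are shown here as an added example in Python; it is illustrative code, not RMCyberEthic's tooling or any tool named on this page. The sample HTML, the `example.test` URLs and the two in-process handlers (`vulnerable_search`, `safe_search`) are constructed stand-ins for a crawled site and the application under test. The probe sends a canary containing the characters that must be encoded in an HTML body and reports whether an input reflects it unescaped, the first check in testing for reflected cross-site scripting (A3) against an enumerated form.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page standing in for a crawled client site (not a real target).
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="https://example.test/login">Login</a>
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="page" value="1">
  <input type="submit" value="Go">
</form>
</body></html>
"""


class FormExtractor(HTMLParser):
    """Collects absolute links and the forms (action, method, named inputs) on one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()
        self.forms = []
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._form is not None:
            # Only named controls are submitted, so only they are test targets.
            if a.get("name"):
                self._form["inputs"].append(
                    {"name": a["name"], "type": a.get("type") or "text"}
                )

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def extract(base_url, page):
    """Baseline step: return (sorted links, forms) found in one HTML page."""
    parser = FormExtractor(base_url)
    parser.feed(page)
    parser.close()
    return sorted(parser.links), parser.forms


# Canary containing the characters that must be escaped in an HTML body context.
CANARY = 'zq7<"\'>canary'


def probe_reflection(form, send):
    """Testing step: submit the canary through each input of the form and report
    whether it comes back unescaped (an XSS candidate) or HTML-escaped.

    `send(method, action, params)` returns the response body. In an authorized
    engagement pass a function that issues the real request; here a constructed
    in-process handler stands in for the target.
    """
    findings = []
    for inp in form["inputs"]:
        params = {i["name"]: "x" for i in form["inputs"]}  # benign filler for the rest
        params[inp["name"]] = CANARY
        body = send(form["method"], form["action"], params)
        if CANARY in body:
            findings.append((inp["name"], "unescaped"))
        elif html.escape(CANARY) in body:
            findings.append((inp["name"], "escaped"))
    return findings


# Constructed stand-ins for the application under test (hypothetical, in-process).
def vulnerable_search(method, action, params):
    """Reflects the search term straight into the page: a reflected XSS bug."""
    return "<h1>Results for %s</h1>" % params.get("q", "")


def safe_search(method, action, params):
    """Same handler with output encoding applied before the value reaches the page."""
    return "<h1>Results for %s</h1>" % html.escape(params.get("q", ""))


if __name__ == "__main__":
    links, forms = extract("https://example.test/", SAMPLE_HTML)
    print("pages:", links)
    for form in forms:
        print(form["method"], form["action"], [i["name"] for i in form["inputs"]])
        print("  vulnerable app:", probe_reflection(form, vulnerable_search))
        print("  fixed app:     ", probe_reflection(form, safe_search))
```

The canary is deliberately not a working payload: reflection of `<`, `"` and `'` unencoded is the finding to record and confirm manually, and a real crawler would also follow the discovered links, honour the scope agreed for the engagement, and track which inputs are reflected in attribute or script contexts, where a different encoding is required.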