Web application penetration testing

A web application penetration test is a simulated attack against your web application that aims to uncover weak points in its security. The outcome of such a test is a comprehensive report and presentation that summarizes all security vulnerabilities found in your application and outlines an optimal strategy to mitigate them.

Auxilium Cyber Security has experience testing a broad range of web applications, from Node.js through Python Plone CMS and ASP.NET to web applications built in PHP.

Objective

The main goal of a web application penetration test is to uncover vulnerabilities in your web application and propose adequate steps to mitigate them.

Methodology for testing web applications

During web penetration tests we follow the OWASP Top 10 industry standard, which means the web application is tested for all of the common vulnerability classes. Those are specifically:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

For more information, see the OWASP Top 10 project page: https://owasp.org/www-project-top-ten/

The OWASP Top 10 standard is available in multiple revisions – 2017, 2013 and 2010. We primarily rely on the latest, 2017, revision. It is, however, necessary to point out that we always adjust the revision to the technology / framework used by the tested web application. This way we ensure that web applications are always tested against all potential vulnerabilities.

Our approach to web application penetration testing

1. Understanding our client

We start by gaining a close understanding of our client’s business and technical needs, as well as gathering information about the web application itself, mainly its functionality and architecture.

2. Agreement on commercial offer

A detailed commercial offer is prepared based on our understanding of your needs and requirements. Such an offer includes the penetration test methodology, testing scenarios, the way results are reported and the scope of the penetration test. The outcome of this phase is a formally agreed penetration testing offer.

3. Penetration testing

The penetration test itself is carried out strictly in accordance with our mutual agreement. During the actual penetration testing our team reveals vulnerabilities in your application and demonstrates how they could be misused by an attacker.

4. Reporting

We deliver a detailed penetration testing report to your team. The report includes all vulnerabilities together with suggestions on how to mitigate them. If required, we can also prepare an executive summary presentation for your management to help you efficiently communicate the results to company decision-makers.

5. Assistance with vulnerability mitigation

If your company has limited internal capacity, we can provide support with the mitigation of the identified vulnerabilities.

6. Educating your dev team

We can also prepare tailor-made secure coding guidelines and training for your dev team, reflecting the results of the performed penetration test. This helps your team avoid making the same security mistakes again.

Why Auxilium Cyber Security?

  1. Experienced penetration testers with OSCP, OSCE or CISM certification
  2. Conducting in-house research in the cyber security field
  3. We deliver comprehensive penetration testing reports with proposed vulnerability mitigations
  4. We can support you in English, German, or Czech
  5. We have been performing web application penetration tests since 2015
  6. We can provide secure coding guidelines and training reflecting penetration test results

Our research in the area of application security

[CVE-2020-24807] File Type Restriction Bypass in Socket.io-file NPM module
[CVE-2020-15779] Path Traversal in Socket.io-file NPM module

Selected web application penetration testing references

  1. ENISA – EU Agency for Cybersecurity: Gap analysis and penetration test of the agency’s web portal against the European Commission standard, and implementation of mitigations for the identified vulnerabilities.
  2. Asseco Solutions: Penetration test of a web application.

Phone

Germany: +49 (0) 7243 - 718 77 55
Czech Republic: +420 739 467 470

LinkedIn

www.linkedin.com

Address

Siemensstraße 23
76275 Ettlingen
Germany

Jankovcova 1627/16a
17000 Prague
Czech Republic