PENTEST: WEB APPLICATIONS
PROTECT YOUR WEB APPLICATIONS
WHAT ARE ENTRY POINTS FOR ATTACKERS?
Web applications and web services (APIs) are an essential part of our daily work. Applications, whether bought or developed in-house, are often used to process sensitive data and are usually accessible to many people inside and outside of your organization. In the event of a successful attack, hackers can therefore compromise company secrets, passwords and customer data, and even take over the web application server. This turns web applications into popular targets for attackers.
During our web application pentest, our security analysts comprehensively analyze your web application and identify possible entry points for attackers.
COMMON VULNERABILITIES INCLUDE:
- Execution of injected malicious code (cross-site scripting, cross-site request forgery)
- Unauthorized escalation of user privileges
- Execution of malicious code on the underlying IT system (remote code execution, XML external entity attack)
During our application-level pentests, our security analysts attempt to gain unauthorized access to confidential information and to the underlying systems. We base our analyses on the current version of the OWASP Testing Guide and test for the most common security vulnerabilities in web applications as ranked by OWASP (OWASP Top 10).
The registration process is a popular target for hackers, especially if users are able to register themselves without approval. In such cases, we recommend testing your application in an authenticated manner as well. For this scenario, we additionally test the functionality of the authenticated areas using user accounts provided by you.
WHAT CHECKS ARE INCLUDED?
These checks are included in the application-level pentests:
- Identifying the application, mapping and collecting information using manual and automated analysis procedures
- Automated scanning of the web application using a state-of-the-art vulnerability scanner
- Attack scenarios based on the combination of multiple identified vulnerabilities
- Manual verification, e.g. by:
  - Hijacking of user accounts
  - Analyzing the filtering of passed parameters
  - Bypassing the authentication logic or authorization logic
  - Checking the file upload functionality