PENTEST: WEB APPLICATIONS

PROTECT YOUR WEB APPLICATIONS

WHAT ARE ENTRY POINTS FOR ATTACKERS?

Web applications and web services (APIs) are an essential part of our daily work. Applications, whether bought or developed in-house, are often used to process sensitive data and are usually accessible to many people inside and outside of your organization. In the event of a successful attack, hackers can therefore compromise company secrets, passwords and customer data, and even take over the web application server. This turns web applications into popular targets for attackers.

During our web application pentest, our security analysts comprehensively analyze your web application and identify possible entry points for attackers.

 

COMMON VULNERABILITIES INCLUDE:

 
 
  • Execution of injected malicious code (cross-site scripting, cross-site request forgery)
  • Unauthorized escalation of user privileges
  • Execution of malicious code on the underlying IT system (remote code execution, XML external entity attack)
 
 

 

WHAT IS OUR APPROACH?

Our pentests are conducted according to a standardized approach, which is enhanced by specific aspects for web application pentests:

Our security analysts attempt to gain unauthorized access to confidential information and the underlying systems during our application level pentests. We base our analyses on the current version of the OWASP Testing Guide and test for the most common security vulnerabilities in web applications according to OWASP (OWASP Top 10).

The registration is a popular target for hackers, especially if users are able to register themselves independently. In such cases, we suggest testing your application in an authenticated manner as well. For this scenario, we additionally perform tests on the functionalities of the authenticated areas with user accounts provided by you.

WHAT CHECKS ARE INCLUDED?

These checks are included in the application-level pentests:

  • Identifying the application, mapping and collecting information using manual and automated analysis procedures
  • Automated scanning of the web application using a state-of-the-art vulnerability scanner
  • Attack scenarios based on the combination of multiple identified vulnerabilities
  • Manual verification, e.g. by:
    • Hijacking of user accounts
    • Analyzing the filtering of passed parameters
    • Bypassing the authentication logic or authorization logic
    • Checking the file upload functionality
 

 
 

Depending on the programming language, we optionally perform code reviews for critical applications. Here, we analyze the source code for security vulnerabilites and enable an highly in-depth analysis. In addition, we check compliance with recognized secure coding guidelines and best practices.

 
 

 

ARE YOUR SYSTEMS PROTECTED AGAINST ATTACKERS?

We are happy to discuss your options for analyzing your application by our security analysts. Feel free to contact us.

Contact us