Web Application Security Testing

Web application security is crucial for custom-built in-house applications because these are often prime targets for attackers seeking to exploit any vulnerabilities. Custom-built applications are typically not subject to the same scrutiny and testing as widely used commercial off-the-shelf (COTS) applications, increasing the risk of undiscovered vulnerabilities. In-house applications may also be integrated with other critical systems and applications, creating potential vulnerabilities that attackers could exploit to gain unauthorized access to sensitive data or systems.

In our web app pen testing process, a penetration tester, an expert in offensive security, acts as an ethical hacker. They attempt to gain access to your web application in the same ways a malicious hacker might. By doing so, they can uncover security vulnerabilities that could potentially be exploited.

Application Testing

We will undertake an in-depth technical penetration test of your custom application through a combination of active testing of the deployed application and source code review.

Using manual and automated testing, our pen-tester will first test for the presence of security best practices, such as an appropriate Content Security Policy and sound authentication processes. These provide the defence-in-depth that helps limit the impact when attackers exploit undetected vulnerabilities. We use the guidance from the Open Web Application Security Project (OWASP) as our baseline, combined with the judgement of our cyber security analysts.

Our testing will attempt to discover coding or other flaws that result in actual vulnerabilities. These could allow an attacker to affect the application’s confidentiality, integrity or availability.

Example findings might include Cross-Site Scripting (XSS), SQL Injection or XML External Entity (XXE) injection.

Our assessments include the following broad areas of investigation:

  1. Access Control
  2. API and Web Service
  3. Authentication
  4. Business Logic
  5. Communications
  6. Configuration
  7. Data Protection
  8. Error Handling and Logging
  9. File and Resources
  10. Malicious Code
  11. Session Management
  12. Stored Cryptography
  13. Validation, Sanitisation and Encoding

Before we start any testing, we’ll agree on a formal testing scope document with you. This will cover:

  • the applications that are in scope;
  • the level of depth required (e.g. including or excluding authenticated users);
  • any environments and URLs that will be used for testing;
  • any limitations on the extent of the testing (for example, if testing a production environment);
  • availability of any source code.

Once our testing is complete, we’ll provide you with a report with detailed findings, their impact, and how to fix them.