Basic Web Application Penetration Test - Nethemba

Application security

Basic Web Application Penetration Test

01
Suitable for:
  • small, simple web applications and web sites for small customers
  • suitable for regular automated testing (in order to discover new vulnerabilities and missing patches)
Report size:
1-10 pages
Testing time:
1 day (remotely)

The goal of the basic penetration test is to reveal as many as possible of the most critical security vulnerabilities in the web application / web server during one day..
The test is mostly automated using our commercial and open-source tools (most of them are available here). Existence of all high-critical vulnerabilities are manually verified.
We use our web application security know-how to choose the best-suitable tools for every specific application.

The test consists of:

  • Information Gathering – information about the target system is identified and documented, including web server version, its modules, used programming framework, WAF, identification of all entry points
  • Enumeration and Vulnerability Mapping – using intrusive methods and techniques (specially constructed HTTP requests) to identify potential vulnerabilities (special vulnerability web application scanners and fault-injection proxies are used)
  • Manual verification of high-critical revealed vulnerabilities (in order to prevent false positives)

Features:

  • reveals the most serious vulnerabilities (especially those caused by insufficient validation such as SQL injections, XSS/CSRF, buffer overflows, etc.) that can be revealed in fully automated way
  • for more thorough testing that also includes manual inspection we strongly recommend to perform our standard penetration test or comprehensive web application security audit which also includes a practical hacking demonstration of revealed critical vulnerabilities (own exploits coding, database dump, CSRF/XSS/session fixation demonstrations, ..), one-day meeting with the application’s developers and complete web application testing according to the OWASP Testing Guide