Basic Web Application Penetration Test
The goal of the basic penetration test is to reveal as many as possible of the most critical security vulnerabilities in the web application / web server during one day..
The test is mostly automated using our commercial and open-source tools (most of them are available here). Existence of all high-critical vulnerabilities are manually verified.
We use our web application security know-how to choose the best-suitable tools for every specific application.
The test consists of:
- Information Gathering – information about the target system is identified and documented, including web server version, its modules, used programming framework, WAF, identification of all entry points
- Enumeration and Vulnerability Mapping – using intrusive methods and techniques (specially constructed HTTP requests) to identify potential vulnerabilities (special vulnerability web application scanners and fault-injection proxies are used)
- Manual verification of high-critical revealed vulnerabilities (in order to prevent false positives)
- reveals the most serious vulnerabilities (especially those caused by insufficient validation such as SQL injections, XSS/CSRF, buffer overflows, etc.) that can be revealed in fully automated way
- for more thorough testing that also includes manual inspection we strongly recommend to perform our standard penetration test or comprehensive web application security audit which also includes a practical hacking demonstration of revealed critical vulnerabilities (own exploits coding, database dump, CSRF/XSS/session fixation demonstrations, ..), one-day meeting with the application’s developers and complete web application testing according to the OWASP Testing Guide