Standard Penetration Test - Nethemba

Application security

Standard Penetration Test

Suitable for:
  • small, simple web applications and web sites
  • web applications that do not perform security-critical operations (e.g. financial transactions)
Report size:
3-10 pages
Testing time:
3-4 days

The goal of the standard penetration test is to reveal as many of the most critical security vulnerabilities in the web application and web server as possible within 3 days, exploit them and, where possible, gain privileged access.

The test consists of:

  • Information Gathering – information about the target system is identified and documented, including the web server version and its modules, the programming framework in use, any WAF, and all entry points
  • Enumeration and Vulnerability Mapping – intrusive methods and techniques (specially constructed HTTP requests) are used to identify potential vulnerabilities, either by manual inspection or with specialised vulnerability scanners and fault-injection proxies
  • Exploitation – attempting to gain access through the vulnerabilities identified in the previous phase. The goal is to gain user-level and privileged (administrator) access to the application or the operating system (custom exploit scripts or exploit frameworks are used)

Features:

  • reveals the most serious vulnerabilities (SQL/LDAP injection, XSS/CSRF, buffer overflows, business logic flaws, authentication bypass, local file inclusion)
  • because manual inspection is used, the test is highly recommended when your automated security scanners have already failed
  • a technical report with an executive summary, all revealed vulnerabilities, their risk levels and recommendations