Web applications are among the most widely deployed kinds of software, and they are routinely compromised through relatively simple vulnerabilities in order to reach private data. Even the most popular applications, and those with a reputation for being secure, are affected: attackers count on that reputation lowering a company's guard and use simple exploits to reach its cloud storage and executive-level management information, and to redistribute internal data.

In many cases, the vulnerabilities that lead to a successful compromise are missed entirely by conventional automated testing: scanners flag known patterns, not the business-logic flaws and multi-step attack chains that a real attacker combines.

The service combines automated and manual testing, with manual testing taking priority. Reconnaissance is performed first to map the potential attack surface; it is the first stage of a penetration testing methodology made up of the following stages:

  • Stage 1: RECONNAISSANCE
  • Stage 2: SCANNING
  • Stage 3: GAINING ACCESS
  • Stage 4: PRIVILEGE ESCALATION

Alongside these stages, the penetration testers need to know what type of access the client provides; by contract this falls into one of three types:


BLACK BOX TEST

Zero Knowledge

Requires no prior knowledge of the company's assets. The penetration testers perform a complete reconnaissance phase to uncover the assets themselves, pick their own path around the security controls and execute a strategy of their own, much as an external attacker would.


GRAY BOX TEST

Some Knowledge

Gray box testing combines the two other approaches: both the functionalities and the inner workings of the application are tested. The tester knows the role of the system and its functionalities, and also has some, though not exhaustive, knowledge of its internal mechanisms (in particular the internal data structures and the algorithms used). However, the tester does not have access to the source code.


WHITE BOX TEST

Full Knowledge

White box tests review the inner workings and internal structure of an application, its processes, rather than only its functionalities. All internal components of the software are tested through the source code, which is the tester's main working material.

A report is issued at the end of the penetration test in order to provide an easily comprehensible description of the findings as well as recommendations on how to mitigate the vulnerabilities.

In addition to security controls, the following categories are also assessed:

  • isolation from other applications (that the application cannot be tampered with through them);
  • the presence of common application security bad practices;
  • information leakage from the application source code (for example hard-coded credentials or internal hostnames).