Web Application Penetration Testing

Web Application Penetration Testing

Web Application Penetration Testing will identify vulnerabilities within your website which could be accessed through online cyber attacks. An exploitation can result in the theft of information and irreparable damage to your systems.

Xyone uses the Open Web Application Security Project (OWASP) Testing guide V3.0 for conducting penetration testing of web-based applications. The active test is split into 9 sub-categories for a total of 66 controls.

• Configuration Management Testing
• Business Logic Testing
• Authentication Testing
• Authorisation Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing
• Web Service Testing
• Ajax testing

The data obtained from the information gathering phase allows us to search for additional vulnerabilities or exploits that might not form part of the above controls but can be used to penetrate the system.

Our web application penetration testing methodology is adapted each year to ensure we are assessing vulnerabilities in line with the OWASP top ten threats. In 2013, these were identified as:

• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

Retest:

It is vital that our clients undertake a retest as part of their penetration test service. This is to ensure that all vulnerabilities have had the necessary controls applied and are no longer at risk of exploitation.

Retests are always clearly quoted within our proposal documentation and each retest scans all of the areas originally identified as risks in our original penetration test report.