Web Application Penetration Testing

Web Application Penetration Testing will identify vulnerabilities which could be accessed through online cyber attacks. An exploitation can result in the theft of information and irreparable damage to your systems.

Xyone uses the Open Web Application Security Project (OWASP) Testing guide V3.0 for conducting penetration testing of web-based applications. The active test is split into 9 sub-categories for a total of 66 controls. The main 9 sub-categories are:

• Configuration Management Testing

• Business Logic Testing

• Authentication Testing

• Authorisation Testing

• Session Management Testing

• Data Validation Testing

• Denial of Service Testing

• Web Service Testing

• Ajax testing

The data obtained from the information gathering phase allows us to search for additional vulnerabilities or exploits that might not form part of the above controls but can be used to penetrate the system.

Our web application penetration testing methodology is adapted each year to ensure we are assessing vulnerabilities in line with the OWASP top ten threats. In 2017, these were identified as:

• A1 Injection

• A2 Broken Authentication and Session Management

• A3 Cross-Site Scripting (XSS)

• A4 Broken Access Control (As it was in 2004)

• A5 Security Misconfiguration

• A6 Sensitive Data Exposure

• A7 Insufficient Attack Protection 

• A8 Cross-Site Request Forgery (CSRF)

• A9 Using Components with Known Vulnerabilities

• A10 Underprotected APIs

Retests:

It is vital that our clients undertake a retest of their web application penetration test as part of their service. This is to ensure that all vulnerabilities in their applications used have had the necessary controls applied and are no longer at risk of exploitation.

Retests are always clearly quoted within our proposal documentation. Each retest scans all areas originally identified as risks in our original report.

Security Testing and Compliance Solutions

We provide a comprehensive range of penetration testing, certification, information security consultancy and managed services for SMEs, public sector organisations and larger corporates looking to protect their business and enhance overall security of their IT systems.

Our specialists will help you identify and manage risks around your various data assets to give you, your employees and your customers much greater peace of mind.

Contact us today to learn more about how we can help you, or have a look at what we do to learn more about our services.

Hover over each section to find out more

External Mitigation

• Network Penetration Testing
• Cloud Penetration Testing
• Web Application Penetration Testing
• Mobile Penetration Testing
• Wi-Fi Penetration Testing
• VOIP Penetration Testing
• Database Penetration Testing

• Vulnerability Scanning

• Physical Penetration Testing
• Red Team Penetration Testing
• Counter Terrorism Assessment
• Social Engineering Consultancy

Internal Mitigation

• Board/Partner-level Training
• Cyber Security Awareness Training
• Social Engineering Training
• Data Protection 2018 Training
• Business Continuity Training

• Information Security Policy Management
• GDPR Policy Review
• Policy Gap Analysis
• GCHQ Certified E-learning

Comply and Certify

• ISO 27001 Consultancy
• ISO 27032 Consultancy
• ISO27301 Consultancy
• PCI DSS (Payment Card Industry Data Security Standard) Compliance

• Cyber Essentials
• Cyber Essentials Plus
• Cyber Essentials Questionnaire

• Payment Card Industry Data Security Standard (PCI DSS)