Web Application Penetration Testing

Web Application Vulnerability Testing

  • A web application vulnerability assessment involves identifying and analyzing web properties to provide a current view of the potential vulnerabilities and threats they pose to your enterprise and its users.
  • These assessments begin with spidering the client website or application to identify the pages and forms available to users.
  • Once a baseline of information is gathered, a series of tests is run against the identified pages and forms to determine whether OWASP-category or other vulnerabilities exist in the website or application.
    • A sample of the risk categories examined during an assessment:
      • Configuration management
      • Secure transmission
      • Authentication
      • Session management
      • Authorization
      • Data validation
      • Denial of service
      • Business logic flaws
      • Weak or outdated cryptography
  • Results are analyzed by our security analysts, ranked by risk, and provided to clients along with remediation instructions.

Web Application Penetration Test

  • A web application penetration test involves simulating real-world attacks in an attempt to exploit identified weaknesses in a website or web application.
  • Using the baseline information previously gathered, RMCyberEthic uses Metasploit and a number of publicly available tools to perform a more in-depth analysis, including manual probing, in order to:
    • Test identified pages, forms, and input methods for a number of significant risks, including the OWASP Top 10 (2013 edition):
      • A1 Injection
      • A2 Broken Authentication and Session Management
      • A3 Cross-Site Scripting (XSS)
      • A4 Insecure Direct Object References
      • A5 Security Misconfiguration
      • A6 Sensitive Data Exposure
      • A7 Missing Function Level Access Control
      • A8 Cross-Site Request Forgery (CSRF)
      • A9 Using Components with Known Vulnerabilities
      • A10 Unvalidated Redirects and Forwards
    • Leverage the exploitable vulnerabilities to obtain unauthorized access to data, perform unauthorized transactions, or, where the client has authorized it, launch further attacks against end users
    • Collect evidence that demonstrates the extent of the access obtained
  • Results are analyzed by our security analysts and formulated into a report identifying successful attack vectors and the extent of the information obtained.