What is a Web Application Penetration Test?

‘Data breaches’ are regularly published on the Internet, sometimes as databases holding several million credentials for different websites (for example, the massive cit0day data breach). In most cases, access to these data is gained because of inadequate web security. Since the corresponding vulnerabilities are often overlooked during development but can lead to extremely high costs (e.g., a data protection breach under the DSGVO, the German GDPR) and to reputational damage, we recommend having the security of your web applications checked regularly. The preferred procedure for this is a web application penetration test based on the OWASP Top 10.

What do we need?

To conduct a web application penetration test, all we need is access to your website (via the Internet or a VPN, for example) and working user accounts.

What do we offer?

After completion of the test, we provide you with a comprehensive report containing a list of all vulnerabilities we identified. Additionally, you receive concrete recommendations for improving security, including a prioritization suggested by us. Our service also includes a test log for tracking the vulnerabilities. If required, we will be happy to present the detected vulnerabilities to your team or developers directly in the application.

How do we proceed?

Our analysts use a variety of test steps and tools to check your website thoroughly. We combine automated testing procedures with manual testing. This methodology has proven effective: some types of vulnerability cannot be detected reliably by automated tests, while the most complete coverage of other vulnerability classes can only be achieved with automated tests. The following areas are usually checked:

  • Injection attacks such as SQL injection or remote code execution
  • Authentication/authorization attacks
  • Privilege escalation attacks
  • Unauthorized access to sensitive data
  • Attacks against session handling
  • Checking the web server for configuration errors and compliance with best practices
  • Verification of SSL configuration
  • Cross-site scripting attacks
  • CSRF (cross-site request forgery)
  • Other attacks, such as redirect attacks, caching vulnerabilities, and known vulnerabilities in the deployed software and components

We follow internationally recognized standards for web application pentesting, such as the OWASP Web Security Testing Guide. Our analysts have many years of experience with web applications and hold the corresponding certifications. All tests are performed according to your requirements. For example, on a production system we take the utmost care during testing so that you do not have to deal with production downtime.

Are there pentests for REST APIs and single-page applications?

For special applications, such as REST APIs and single-page applications, we offer a specially adapted test catalog based on the vulnerabilities typical for these applications. Among other sources, we take the OWASP API Security Top 10 into account.

What do we recommend?

We recommend having all web applications tested on a regular basis. This applies not only to applications you have developed yourself; standard software can also contain serious vulnerabilities due to configuration errors or undetected programming errors. Particular attention should be paid to on-premises applications, because a successful attack on them directly threatens your internal network. To verify how well you are protected against a successful intrusion into your network, we also recommend internal penetration testing.

How can we get started?

To provide you with the best possible product, we adapt the testing parameters such as scope and procedure to your individual needs. Simply contact us and we will get back to you as quickly as possible.

OFFENSIVE CYBER SECURITY

Contact us to uncover and close your security gaps.