Web application penetration testing employs test techniques that are unique to web application architecture. Using a technique known as “request proxying”, the tester sends requests to the application and observes the responses, using skill and experience to determine whether the application exhibits vulnerabilities that could lead to an exploit. Vulnerabilities such as SQL injection or cross-site scripting are typical of the kinds of vulnerabilities that are evaluated. These vulnerabilities can enable an attacker to directly access underlying databases containing valuable or confidential data, or execute malicious software on the server. Even an attack on, and exploitation of, an innocent user’s browser could be possible. Very often, these kinds of vulnerabilities are limited only by the skill and ingenuity of the attacker.
Our application penetration process adheres to our test methodology to ensure audits are consistent and accurate.

Discovery. Initially, it is important to understand which technologies are present in the target application. This includes web servers, databases, web application firewalls, load balancers and so on. The web site structure is also deduced, clearing the way for the next stage, Assessment.
Assessment. At this stage, the tester knows much about the site structure and supporting technology. Now it is time to understand how the application works, what business functions it supports, and how authentication, authorisation and access control mechanisms are implemented.
Exploration. With a complete view of the application, the tester’s attention turns to identifying potential implementation vulnerabilities. This could mean, for example, failures in enforcing authentication, authorisation and access control schemes, the leakage of information useful to an attacker, or, as is often the case, failure to sufficiently validate input before processing it. Often, simple manual tests carried out by intercepting and modifying web traffic can reveal a wealth of useful information that enables a significant exploit to be constructed and executed.
Additional Information
- We consider client communication to be incredibly important. Great emphasis is placed on customers understanding our recommendations and being able to act on them.
- We work incredibly closely as a team. At all stages of the audit process, progress is peer reviewed and results discussed amongst members of our test group.
- All testing is non-destructive. Every attempt is made to minimise disruption to the networks that we test. This applies to production, test and development environments.
The quality and consistency of our audit reports are very important. Apart from the obvious consideration of helping you understand where weaknesses lie, our findings are sometimes used as a basis for significant infrastructure investment.
