Web App Penetration Testing
Web technologies have advanced in recent years. This advancement and reliance on web technologies means that we have become more exposed to security risks associated with them. Web applications frequently hold business-critical data, both publicly and internally. Web application penetration testing is the most effective way to ensure that your application is secure from hackers.
Web Application Testing Methodology
The OWASP framework acts as a guide as we test all critical areas of a web application. Web applications are among the most rapidly evolving and diverse technologies in use today. As a result, we use our own specialised tools and methodologies to adapt to this ever-changing environment. This thorough approach guarantees that our clients receive the best service possible.
What do we test for?
Our OWASP assessment is split into the following subsections and follows the industry standard; covering each of them ensures the application has been thoroughly tested. We conduct a full OWASP assessment during web application penetration testing.
- Configuration and Deploy Management Testing
- Identity Management Testing
- Session Management Testing
- Data Validation Testing
- Business Logic Testing
- Client Side Testing
What are the risks?
Web applications are often extremely important to a business’s functionality and can collect huge amounts of data about customers or the business itself. These can be public applications or internal applications, and each comes with its own set of risks. Due to the importance of these applications, they must be protected from having their data stolen.
As a result, protecting these applications is an arms race, and the ability to find what developers have missed due to deadlines or oversight is crucial. Website security testing helps eliminate the risks associated with building modern web applications.
How we can help
Our application penetration testing helps remove the risks inherent in many web applications and prevent data breaches before an attacker has the chance to act.
We offer comprehensive Web Application Penetration Testing from experienced experts all of which are CREST registered penetration testers. Our Test & Teach strategy allows the companies we work with not only to be given a report with remediation in plain English, but also to learn how to keep the company safe from vulnerabilities in the future.
Our tests cover not only the OWASP top 10, but also a wide range of other vulnerabilities which other companies don’t test for.
The Sencode Way
Contact a member of our consulting team either by phone, email or pigeon post. We will then discuss whether we can help you and arrange a scoping meeting to discuss your requirements.
Scoping & Proposal
In the scoping meeting our expert consultants will discuss and finalise which digital assets you need testing. We will then put together a project proposal and quote based on the requirements and agree on a schedule for conducting the security assessment.
The testing starts. A member of our penetration testing team will liaise with a member of your company throughout the entire testing process. If we have any questions or concerns, you will be the first to know.
Report & Remediate
A penetration test is useless without a well-written report. Our reports are written in plain English, concise and thoroughly documented. Each report will detail an executive summary, risk ratings, a business risk summary and all of the issues we found throughout the engagement.
Frequently Asked Questions
Web application penetration testing is the practice of detecting vulnerabilities in a web application using penetration testing methodologies. A good web application penetration test will be conducted to the OWASP standard of web application testing.
The OWASP methodology includes but is not limited to:
- Authentication Testing: Testing the authentication mechanisms of the web application; this includes attacks such as brute-force, username enumeration and SQL authentication bypass techniques. OWASP A07:2021-Identification and Authentication Failures
- Access Control Testing: Often known as authorisation testing, this checks the process by which a web application grants some users access to material and capabilities while denying access to others. OWASP A01:2021-Broken Access Control
- Injection: Generally the application will suffer from injection vulnerabilities if the data is not sanitised or validated by the web application. Cross-site scripting, SQL injection and OS command injection are just some common injection techniques. OWASP A03:2021-Injection
- Security Misconfigurations: Verbose stack trace errors, clickjacking, default accounts and missing HTTP security headers are just a few of the common security misconfigurations found on modern web applications. OWASP A05:2021-Security Misconfiguration
More information on the OWASP Top 10 can be found here: OWASP Top 10 2021.
- Web browser
Only a very small amount of web application penetration testing uses automated tools; much of what is done relies on the tester's knowledge and testing of application logic. Vulnerability scanners are not able to cover the full breadth of a web application penetration test.
Web application testing has a lot of cross-over with API testing but also exposes the tester to a much deeper attack surface, often involving a much more diverse selection of attacking techniques. As with every type of testing, the first step is discovery. This includes finding which parts of the application can be tested, and what technologies are being used (.NET, PHP or Angular, for example).
Once this has been completed, we can tailor our attacks to the specific website technologies being tested. We will test for security vulnerabilities such as XSS, SQLi, OS command injection, access control violations and many more. Vulnerabilities can be chained together to create security issues of a higher severity. How can vulnerabilities be chained together? Take this example:
“During the testing we discovered the forgotten password function is vulnerable to username enumeration due to verbose responses. Account lockouts were not present on the system. Therefore we were able to chain these vulnerabilities together to compromise a large number of user accounts.”
All types of penetration testing differ in methodology and price. There are a number of factors that go into setting a price for a penetration test, including expenses for the tester and the types of asset being tested. A smaller application will take considerably less time than a large, complex commercial application. We aim to make our pricing as flexible as possible. Sencode will provide our best judgement by accurately scoping your digital assets and making a determination based on experience of testing similar-scale assets. Once we have accurately scoped your project, we can provide a project proposal and a properly costed quote.
Example 1: A medium-sized finance web application comprised of 35 unique pages with user and case management. 5 days of penetration testing. £3000–£4000
Example 2: An external infrastructure penetration test comprised of 10 unique IP addresses. 2 days of penetration testing. £1000–£2000
Example 3: An internal penetration test on 80 IP addresses. 7 days of penetration testing. £5500–£6500
Prices vary based upon the number of IP addresses, retesting requirements, after-hours testing and the skills required to conduct the engagement.
Get a free, no obligation quote from one of our expert staff.