Web Application Penetration Testing Services

Locate and Remediate Your Application Security Flaws

Artifice Security is the leading penetration testing company for web applications as we can identify vulnerabilities in a wide range of programming languages and stacks. From web applications using traditional infrastructure to highly scalable AWS environments, our security experts have helped organizations globally secure their data.

OWASP Top 10

Web Application Testing Exceeding the OWASP Top 10

The OWASP Top 10 ranks the ten most critical categories of web application security risk and is the most widely used baseline for prioritizing remediation. The current release is listed below:

Current OWASP Top 10 List (2021 edition):

  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures
  • Server-Side Request Forgery (SSRF)

While this list covers many common classes of web application vulnerabilities, many harder-to-find vulnerabilities, such as business logic flaws and application-specific weaknesses, are not captured by it. Penetration testing companies that test only against the OWASP Top 10 will fall short of finding new threats and unknown risks. At Artifice Security, we go far beyond the OWASP Top 10 by continuously pushing the envelope of web application and API security. We show you how we uncovered each complex vulnerability while giving you clear directions on fixing it.


Automated vs. Manual Web Application Penetration Testing

Automated scanners help find vulnerabilities such as reflected Cross-Site Scripting (XSS) and other well-understood flaw classes. Still, a scanner cannot understand the context of the application or how to abuse its logic. Artifice Security experts build attack chains from vulnerabilities that scanners rate as “low” to demonstrate the broader risk: manual testing regularly proves that several low-rated findings combine into a high-rated one.

Artifice Security's penetration testers use automated scanners at the beginning of the assessment (roughly 10% of the effort) and spend the remainder (roughly 90%) on manual penetration testing. Understanding the web application's context lets us tailor the penetration test to your security needs and make it relevant to your user base.


Web Application Penetration Test Methodology

After years of performing penetration testing, Artifice Security has developed a proven, repeatable methodology that meets your organizational needs. Because our testing is performed manually, we guarantee that no false positives will appear in your report, and every finding comes with a proof-of-concept that you can verify yourself.

Our security experts come from diverse backgrounds, ranging from system administrators, web developers, network engineers, and cloud specialists to military veterans and former NSA employees who held Top Secret clearances. Artifice Security consultants have also taught and spoken at cybersecurity conferences and created tools used by many penetration testers today. Each of our consultants is not only passionate about security but also highly credentialed.


Define the Scope

Before the start of the penetration test, Artifice Security will collaborate with your team to determine the exact scope of your web application. We will communicate with your team to assess your application’s size, complexity, framework, roles, and how it is supposed to function normally.

  • Determine which applications are in scope, including the domains and IP addresses of the host systems
  • Identify any directories or files that are excluded from testing
  • Decide whether testing is performed in production or in a test/QA environment
  • Agree on the dates and times of the penetration test
  • Exchange key personnel and emergency contact information so that any critical finding can be reported immediately

Information Gathering / Recon Phase

During the information-gathering phase of the assessment, Artifice Security performs passive reconnaissance against your organization using Open Source Intelligence (OSINT) tools and techniques. This public data can reveal risks you did not know about and shows you what information about your organization is freely available on the Internet. This targeted intelligence includes the following checks:

  • Searches for documents (PDF, DOCX, XLSX, PPTX) that may expose sensitive or customer information without your knowledge
  • Searches of the Internet and dark web for leaked credentials held in password breach databases
  • Searches of repositories such as GitHub and developer forums for sensitive data related to your web application or organization
  • Checks for look-alike domain names similar to yours to assess your exposure to phishing and domain spoofing
  • Review of an exposed robots.txt file for potentially hidden directories and files

Enumeration Phase

The enumeration phase of a web application penetration test gathers as much information as possible about the target to understand its architecture and functionality. It follows the reconnaissance phase and identifies resources, user roles, endpoints, and application workflows. Directory brute forcing is used to discover hidden directories and files, and a proxy such as Burp Suite is used to crawl the application and record its parameters, endpoints, and the HTTP methods each one supports.

  • Map out and crawl through the application using a proxying tool
  • Enumerate all directories and subdomains
  • Search for possible hidden directories and files
  • Perform subdomain takeover checks
  • Check cloud services for misconfigurations (e.g., publicly exposed S3 buckets)
  • Identify open ports and services on the host server
  • Determine the frameworks, software, and libraries in use
  • Research and correlate known vulnerabilities for libraries and services used by the application

Attack and Exploitation Phase

During the attack and exploitation phase, Artifice Security uses manual penetration testing techniques to exploit the vulnerabilities found in your web application. We perform these attacks with professional tools and techniques while protecting your data and avoiding disruption to normal business functions. In this phase we test the following areas, which follow the categories of the OWASP Web Security Testing Guide (WSTG):

  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Data Validation Testing
  • Error Handling Testing
  • Cryptography Testing
  • Business Logic Testing
  • Client-Side Testing
  • API Testing

Reporting Phase

During the reporting phase, Artifice Security compiles everything learned about your organization and every vulnerability discovered in your web application(s). Because our testing is performed manually, we guarantee that no false positives will be in your report.

The report begins with an executive summary that gives a layman's explanation of the findings and conveys the overall risk to your web application(s) and organization. Alongside the summary of findings, we list the positive results observed during testing (controls that held up under attack). Next, the report explains how we determine criticality and risk for each discovery so you can understand how findings are prioritized and how severity is rated for each vulnerability.

Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.

In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.


Remediation Testing (Retesting)

As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your web application after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your web application.


Frequently Asked Questions

What information is needed for a web application penetration test?

To start a web application penetration test, we need to scope the application properly. Scoping determines how long the penetration test will take, based on the size and complexity of the web application. We need access to the web application and, if it requires authentication, test credentials (ideally one account per user role so that authorization between roles can be tested). It also helps to know whether your organization hosts the application in the cloud and whether the application uses any third-party APIs or connections.

Why is manual penetration testing important for a web application penetration test?

Many areas of a web application can only be tested with manual techniques. For example, the information-gathering phase is performed by a consultant at the start of a web application penetration test, because the value lies in interpreting the data: it can reveal past compromises or public exposures that point to potential vulnerabilities.

If you rely solely on automated scanners, your results will contain many false positives and, worse, false negatives. With manual penetration testing, every finding is proven with a working proof-of-concept.

Additionally, an automated scanner can tell whether anti-CSRF (Cross-Site Request Forgery) tokens are present in a form. It cannot tell whether the server actually validates them: a token that is rendered in the page but never checked, or checked only for presence, leaves the request forgeable. Confirming a CSRF vulnerability requires manually replaying the state-changing request with the token removed or altered and observing whether the server still accepts it.
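As an added example (not Artifice Security's tooling and not code from this page), the replay check described above, written in Python. The hidden field name csrf_token, the session cookie name sid and the endpoint POST /change-email are assumptions made for the illustration. Two tiny stand-in applications are embedded so that it runs offline: one renders a token but never validates it (the case a scanner would pass), the other validates it with a constant-time comparison.

```python
"""Check whether a state-changing endpoint enforces its anti-CSRF token.
Added example, not Artifice Security's tooling. Assumed (not from the page):
hidden field "csrf_token", session cookie "sid", action POST /change-email.
Two stand-in apps are embedded so the check runs offline on localhost."""
import hmac
import http.client
import http.server
import re
import secrets
import threading
import urllib.parse
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"
FORM_HTML = ('<form method="post" action="/change-email">'
             '<input type="hidden" name="csrf_token" value="{token}">'
             '<input name="email"><input type="submit"></form>')

class _App(http.server.BaseHTTPRequestHandler):
    enforce_token = False
    tokens = {}  # session id -> issued token (constructed in-memory store)

    def _session_id(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        return jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None

    def do_GET(self):
        # Serve the form and start a session if the client has none.
        sid = self._session_id() or secrets.token_hex(8)
        token = secrets.token_hex(16)
        self.tokens[sid] = token
        body = FORM_HTML.format(token=token).encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"{SESSION_COOKIE}={sid}")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        sid = self._session_id()
        submitted = form.get("csrf_token", [""])[0]
        # Vulnerable variant: the token is rendered but never compared.
        token_ok = (not self.enforce_token) or hmac.compare_digest(
            submitted.encode(), self.tokens.get(sid, "").encode())
        self.send_response(200 if (sid in self.tokens and token_ok) else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep demo output quiet
        pass

class VulnerableApp(_App):
    enforce_token, tokens = False, {}

class HardenedApp(_App):
    enforce_token, tokens = True, {}

def _request(port, method, path, headers=None, body=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.headers, resp.read()

def csrf_check(port):
    """Replay POST /change-email with a valid, a missing and a wrong token,
    as a tester would in a proxy's repeater; returns the status codes seen."""
    _, headers, html = _request(port, "GET", "/")
    sid = SimpleCookie(headers.get("Set-Cookie", ""))[SESSION_COOKIE].value
    token = re.search(r'name="csrf_token" value="([0-9a-f]+)"', html.decode()).group(1)

    def post(form):
        return _request(port, "POST", "/change-email",
                        {"Cookie": f"{SESSION_COOKIE}={sid}",
                         "Content-Type": "application/x-www-form-urlencoded"},
                        urllib.parse.urlencode(form))[0]

    results = {
        "valid_token": post({"csrf_token": token, "email": "attacker@example.com"}),
        "missing_token": post({"email": "attacker@example.com"}),
        "wrong_token": post({"csrf_token": "0" * 32, "email": "attacker@example.com"}),
    }
    # A finding only if the legitimate request works and a forged one does too.
    results["csrf_vulnerable"] = results["valid_token"] == 200 and (
        results["missing_token"] == 200 or results["wrong_token"] == 200)
    return results

def run_demo():
    """Run the check against both stand-in apps; returns {app name: results}."""
    outcome = {}
    for name, app in (("vulnerable", VulnerableApp), ("hardened", HardenedApp)):
        server = http.server.HTTPServer(("127.0.0.1", 0), app)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            outcome[name] = csrf_check(server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return outcome

if __name__ == "__main__":
    for name, res in run_demo().items():
        print(f"{name:10s} {res}")
```

Both applications emit a token, so a scanner that only looks for the hidden field would pass both; only the replay shows that the first accepts the forged request. A passing result here is also not the end of the check: cookie SameSite attributes, Origin/Referer validation and the request's content type all affect whether a cross-site request can be made at all, and a token that is accepted from a different user's session is a separate finding.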

When testing session management, the consultant manipulates session cookies and tokens in an attempt to move into other users' accounts or to escalate privileges to an administrator.

Lastly, business logic abuse cases cannot be automated, because they depend on what the application is supposed to do. Business logic testing includes uploading malicious payloads, forging requests, testing integrity checks, process timing attacks, and circumventing intended workflows.

Will the penetration test affect the performance of my web host server?

Manually performed penetration testing should not affect the performance of the web application host server. While no penetration testing company can guarantee this, the consultant performing the penetration test will have complete control over how many requests are sent to the host server, including the number of requests sent when performing spidering and automated scanning. This control over requests is essential if the web application does not use a load balancer. Our consultants are always careful with the number of requests sent to the host server when performing penetration testing. If the server does fail during testing (which is rare), it usually hints at a deeper problem with the application or host server itself.

Is it best to perform the web application penetration test against a production or test environment?

Artifice Security recommends that clients have penetration tests performed against a test environment. Testing there ensures that payloads injected into the application do not affect other users, especially in areas visible to everyone, such as a comment section where a stored payload would be rendered to every visitor. Artifice Security uses safe SQL injection checks that are designed not to write data to the database. Even so, injection testing can have side effects in a shared environment: submitted payloads may be stored and later displayed, and time-based SQL injection probes deliberately make the database pause, which slows responses for all users while the check runs.
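An added example (not Artifice Security's own checks and not code from this page) of what a "safe" SQL injection probe looks like, in Python against an in-memory SQLite database. The schema, rows and function names are constructed for the illustration. The probe uses only read-only signals, a syntax-breaking quote and a true/false tautology pair, which a tester prefers over time-based or stacked-query payloads in a shared environment, and it is run against both a string-concatenated query and its parameterized replacement:

```python
"""Non-destructive SQL injection probe against a vulnerable and a
parameterized query. Added example, not Artifice Security's own checks;
schema, rows and function names are constructed for the illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT);
INSERT INTO users (username, email) VALUES
    ('alice', 'alice@example.com'),
    ('bob',   'bob@example.com');
"""

def connect():
    db = sqlite3.connect(":memory:")  # nothing persists beyond the process
    db.executescript(SCHEMA)
    return db

def lookup_vulnerable(db, username):
    # Attacker-controlled input is spliced straight into the SQL text.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, username):
    # Bound parameter: the input is always a string value, never SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def row_count(db):
    return db.execute("SELECT count(*) FROM users").fetchone()[0]

def probe(lookup, db, known_user="alice"):
    """Detect injection with read-only payloads only.

    error_based:   a lone quote breaks the string literal if the input
                   reaches the SQL parser.
    boolean_based: two tautology suffixes that behave differently only
                   when evaluated as SQL ('1'='1' vs '1'='2').
    No INSERT/UPDATE/DELETE and no sleep()-style delay is ever sent, so
    other users of a shared database are not affected.
    """
    before = row_count(db)
    try:
        lookup(db, known_user + "'")
        error_based = False
    except sqlite3.OperationalError:
        error_based = True
    true_case = lookup(db, known_user + "' AND '1'='1")
    false_case = lookup(db, known_user + "' AND '1'='2")
    # Injectable if the two differ AND the true branch equals the untouched lookup.
    boolean_based = true_case != false_case and true_case == lookup(db, known_user)
    return {
        "error_based": error_based,
        "boolean_based": boolean_based,
        "rows_unchanged": row_count(db) == before,
    }

if __name__ == "__main__":
    db = connect()
    print("vulnerable:", probe(lookup_vulnerable, db))
    print("safe:      ", probe(lookup_safe, db))
```

With the bound parameter, the quote and the tautology are just characters inside a value, so both signals come back negative, and the row count is unchanged in either case. Automated tooling can be constrained the same way: sqlmap's --technique option restricts the scan to chosen methods (B for boolean-based blind), leaving out T (time-based) and S (stacked queries), which are the ones that pause or write to a shared database.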

While a test environment is preferred, Artifice Security regularly performs web application pentests against production environments without issues. Artifice Security has vast experience testing both types of environments.
