Web Application Penetration Testing Services
Locate and Remediate Your Application Security Flaws
OWASP Top 10
Web Application Testing Exceeding the OWASP Top 10
The OWASP Top 10 provides a way to rank and remediate the ten most critical web application security risks. The most current release is listed below:
Current OWASP Top 10 List Released for 2021-2022:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
Automated vs. Manual Web Application Penetration Testing
The expert penetration testers at Artifice Security use automated scanners at the beginning of the assessment (10%) and then pivot into manual penetration testing for the remaining part (90%). Knowing the web application’s context, we can provide penetration tests geared to your individual security needs and make them relevant to your user base.
Web Application Penetration Test Methodology
After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. As a company that performs penetration testing manually, we guarantee that no false positives will be in your report, and we provide proofs-of-concept that you can verify.
Our security experts have diverse backgrounds, ranging from system administrators, web developers, network engineers, and cloud specialists to military veterans and former NSA employees who held Top Secret clearances. Artifice Security consultants have also taught and spoken at cybersecurity conferences and created tools used by many penetration testers today. Each of our consultants is not only highly passionate about security but also highly credentialed.
Define the Scope
Before the start of the penetration test, Artifice Security will collaborate with your team to determine the exact scope of your web application. We will communicate with your team to assess your application’s size, complexity, framework, roles, and how it is supposed to function normally.
- Determine which applications are in scope for testing, including the domains and IP addresses of the host systems
- Evaluate which directories or files, if any, are excluded from testing
- Determine whether penetration testing is performed in a production or test/QA environment
- Determine testing dates and times for the penetration test
- Exchange key personnel and emergency contact information for any critical findings.
Information Gathering / Recon Phase
During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your business and show you what anonymous information is out there on the Internet. This targeted intelligence includes the following checks:
- Searches for documents such as PDF, DOCX, XLSX, and PPT files that may expose sensitive or customer information without your knowledge
- Searches on the Internet and dark web for leaked credentials contained in password breach databases
- Searches in repositories such as GitHub and other developer forums that may contain sensitive data related to your web application or organization
- Checks for domain names similar to yours to determine your exposure to phishing (domain spoofing risk)
- Checks of an exposed robots.txt file for potential hidden directories and files.
The enumeration phase in a web application penetration test is crucial for gathering as much information as possible about the target system to understand its architecture and functionality. This phase often follows the initial reconnaissance phase and identifies resources, user roles, endpoints, and application workflows. Techniques like directory brute forcing may be employed to discover hidden directories and files, while tools such as Burp Suite can be used to automate crawling of the application to identify parameters, endpoints, and supported HTTP methods.
- Map out and crawl through the application using a proxying tool
- Enumerate all directories and subdomains
- Search for possible hidden directories and files
- Perform subdomain takeover checks
- Check cloud services for misconfigurations (e.g., publicly exposed S3 buckets)
- Check all possible open ports and services on the host server
- Determine frameworks in use and associated software and libraries in use
- Research and correlate known vulnerabilities for libraries and services used by the application
Attack and Exploitation Phase
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Data Validation Testing
- Error Handling Testing
- Cryptography Testing
- Business Logic Testing
- Client-Side Testing
- API Testing
The report begins with an executive summary which gives a layman’s explanation of the findings and conveys the overall risk to your web application(s) and organization. In addition to a summary of findings, we also provide a list of positive results found during testing. Next, the report explains how we determine criticality and risk for each discovery so you can better understand how we prioritize findings and how we rate severity for each vulnerability.
Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.
Remediation Testing (Retesting)
As part of your penetration test, Artifice Security includes remediation testing (retesting) against your web application after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your web application.
Frequently Asked Questions
What information is needed for a web application penetration test?
To start a web application penetration test, we need to scope the application properly. The scoping process determines how long it will take to perform the penetration test based on the size and complexity of the web application. For testing, we need access to the web application and, if it requires authentication, credentials. Additionally, it helps to know if your organization hosts the application in the cloud and if there are any third-party APIs or connections within the web application.
Why is manual penetration testing important for a web application penetration test?
Many areas of a web application need manual techniques performed. For example, the information-gathering phase needs to be done manually by a consultant when starting a web application penetration test. This information can reveal potential vulnerabilities such as past compromises or exposures that were made public.
If you rely solely on automated scanners, your results will also have many false positives and, worse, false negatives. With manual penetration testing, all findings are 100% proven.
Additionally, an automated scanner might determine if anti-CSRF (Cross-Site Request Forgery) tokens are used. However, there is no way to determine if CSRF vulnerabilities exist without manually exploiting the web application.
When testing session management vulnerabilities, the consultant will attempt to exploit cookies to move into other accounts or to escalate privileges as an administrator.
Lastly, automation of business logic abuse cases is not possible. Business logic testing includes uploading malicious payloads to the web application, forged requests, integrity checks, process timing attacks, and circumvention of workflows.
Will the penetration test affect the performance of my web host server?
Is it best to perform the web application penetration test against a production or test environment?
While a test environment is preferred, Artifice Security regularly performs web application pentests against production environments without issues. Artifice Security has vast experience testing both types of environments.