  • +44 (0)1273 454525
  • info@firstbase.co.uk

Website, Web Application & Web Server Penetration Testing

The Threat: Website and Web Application Security Risks

Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are widely exploited to turn trusted websites into malicious ones that serve content containing client-side exploits.

  • Are your web servers vulnerable to attack?
  • Could an attacker obtain credit card or other information from your back end server?
  • Could your web server be used as an entrance point to get deeper into your network?
  • Is your web site vulnerable to cross-site scripting or SQL injection?

How do you answer these questions?

The Solution: A Website & Web Application Penetration Test

Website, Web Server & Web Application Penetration Testing Methodology

Our website and web application penetration testing services are conducted by skilled professionals using the latest tools, best practice and our own proprietary testing techniques.

  • The majority of the exercise is a manual process involving multiple phases, each tailored to the nature and purpose of your application.
  • Whilst automated software forms part of our toolset, we believe there is no substitute for an intelligent, experienced and informed approach using skills honed over many years and hundreds of tests.
  • Initially the application will be tested from an unauthenticated (anonymous) perspective to simulate an opportunistic attack. This phase will reveal vulnerabilities typically associated with misconfigurations and issues such as SQL injection and cross-site scripting.
  • We will then conduct a series of detailed, creative tests using valid credentials. These tests will disclose deeper problems such as business logic errors, authentication defects, and privilege escalation (whether a user can access another account, or gain administrative access to part or all of the application).
  • We will also run vulnerability scans against the underlying web server platform to find flaws that may not be apparent at the application layer.
  • All identified vulnerabilities are verified to remove false positives and are exploited to demonstrate the real risks and impact of an attack.

Our test methodology has been informed by:

  • The Open Web Application Security Project (OWASP)
  • The ISO 27001 standard, particularly the sections relating to publicly available information
  • Guidance offered by manufacturers and trusted third parties

Our technical approach focuses on these key areas:

  • Information Gathering: identify application entry points, web application fingerprinting, application discovery, analysis of error codes
  • Configuration Management: SSL/TLS testing, backup and unreferenced files, admin interfaces, HTTP methods, cross-site scripting
  • Authentication: credentials sent via an unencrypted channel, user enumeration, authentication schema bypass, logout, browser cache management
  • Session Management: session management schema, cookie attributes, session fixation, cross-site request forgery
  • Authorisation: path traversal, privilege escalation
  • Business Logic: shopping cart functionality, payment card transactions, application-specific business logic
  • Data Validation: cross-site scripting (reflected and stored), SQL injection
  • Server Configuration: identify management services, TCP and UDP services, security vulnerabilities

Contact us for more information

Call us on +44 (0)1273 454525 or use our enquiry form