Penetration Testing

What is Web Application Penetration Testing?

Web Application Penetration Testing (a.k.a. Application Pentest, Application VAPT, Application Pen Testing) is a simulated cyber-attack against a web application to check for exploitable vulnerabilities. Web applications are among the most fragile entry points into an organization’s network infrastructure because they are publicly accessible. Public-facing applications face the highest risk of being breached, and a breach can give malicious attackers a foothold inside the system.


is a CREST accredited Penetration Testing provider.

It is also important to note that automated testing is complemented by manual testing to achieve compliance and full coverage.


Objective of this assessment

Reveal real-world opportunities targeted by hackers

Identify application security flaws present in the environment

Understand the level of risk for your organization

Approach & Methodology

Information Gathering

Vulnerability Analysis

Exploitation

Post-Exploitation

Reporting

’s application penetration testing methodology is based on industry standards such as the Open Web Application Security Project (OWASP), CWE, SANS, NIST, PTES and OSSTMM. It covers classes of vulnerabilities including, but not limited to:

Buffer overflow
Insecure access control mechanisms (e.g. account privilege escalation, failure to restrict URL access, missing input validation, etc.)
Malicious code injection (e.g. SQL injection, Cross-Site Scripting, etc.)
Cross-Site Request Forgery (CSRF)
Cross-Frame Scripting (CFS)
Insecure authentication and session management
Insecure direct object references
Insecure cryptographic storage
Insufficient transport layer protection (e.g. weak cipher suites enabled in the SSL protocol)
Unvalidated redirects and forwards
Improper error and exception handling
Security misconfigurations
Application logic flaws
Transaction testing, to ensure the application performs as intended and cannot be abused by users; and
Sensitive data exposure

The vulnerabilities are evaluated using the Common Vulnerability Scoring System (CVSS) to assess and rate the risk.

’s approach to penetration testing applies a rigorous manual testing technique:

Phase 1

Review the scan results (analyze the findings and remove any false-positive)

Phase 2

Further exploit the system to discover any new vulnerabilities that were not found in Phase 1. This phase takes 80% of the overall assessment.