The web penetration testing methodology combines a black box approach (no prior knowledge of the target system) with a white box approach (full knowledge of the system, such as source code, architecture documentation and test credentials), and has been developed around the OWASP Testing Guide, the industry standard for web application penetration testing.
Step 1 – Application Walkthrough.
- Understanding the business or operational objectives of the application including transactions, workflow and processes.
- Reviewing the type of application, the design of the application pages and the input and output components.
- Identifying the critical data, private personal/consumer data, or sensitive technical information.
Step 2 – Vulnerability Identification.
- Use of automated tools to provide baseline breadth of coverage, ensuring that every component of the application is analysed.
- Performing manipulation, aggregation and iterative testing to determine the application's exposure to attacks.
Step 3 – Vulnerability Exploitation.
- Analysis of the identified vulnerabilities to assess the likelihood of exploitation and to select the payload and attack methodology.
- Use of manual testing techniques, together with a proprietary knowledge base of application attack profiles, to test for business logic exposures and to verify the results of the automated tools.
Step 4 – Reporting.
- Upon completion of the three steps above, we conduct a thorough analysis of the results. We then facilitate a discussion with the client to review our preliminary findings and confirm that the analysis is complete; this discussion places the results in a business perspective.
- Following the discussion, we recommend specific approaches to fix the vulnerabilities found.
The test will help to identify vulnerabilities in relation to:
- SQL Injection and other code injection flaws
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Improper Authentication and Session Handling
- Security Misconfiguration
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Broken Cryptography
- Insecure Direct Object References
- Insecure Redirects and Forwards
- Improper Error and Exception Handling
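As an added example (not code from the original page or from the service it describes) of what the first item on this list looks like in practice, and of the kind of fix recommended in Step 4: a login check that builds its SQL query by string concatenation, shown next to the parameterised version, plus the manual verification a tester performs in Step 3 to confirm an automated finding. The table, function names, sample rows and payload are all constructed for illustration; the database is an in-memory SQLite instance.

```python
import sqlite3


def make_db():
    """Constructed in-memory SQLite users table (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is concatenated into the SQL text, so a quote or
    comment marker in the input changes the structure of the query."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Hardened: parameterised query; the driver passes the input as data,
    never as part of the SQL statement."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def verify_finding(conn, login):
    """Manual verification of a scanner finding: send the same request once
    with a wrong password and once with an injection payload in the username.
    The finding is confirmed only if the payload flips the outcome, i.e. the
    authentication check was bypassed."""
    benign = login(conn, "alice", "not-the-password")
    # "alice' --" closes the string literal and comments out the password clause
    payload = login(conn, "alice' --", "not-the-password")
    return payload and not benign


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed:", verify_finding(db, login_vulnerable))
    print("fixed login bypassed:     ", verify_finding(db, login_fixed))
```

The differential check in `verify_finding` is the point of Step 3: an automated tool reports a candidate injection, and the tester confirms it by showing that a controlled payload changes the application's behaviour, which is what separates a verified vulnerability from scanner noise before it reaches the report.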