Web Application penetration testing

As technology develops, web applications are moving online, beyond the borders of the company. Their significance is growing rapidly and they often represent the core business (e.g. internet banking, e-shops, auction houses). Attackers, who are well aware of an application's significance, try to obtain sensitive data through its weak points or to make it unavailable. If you operate or use applications of this sort, consider their security, their resistance to attack and the other threats they may face.

Our specialists check your application's ability to resist common attacks and threats. The audit covers the application together with the related operating system, databases and other supporting services (e.g. web server, application server).

Test description

The test simulates an attack on the web application from outside, i.e. the consultant reproduces the behaviour of a potential attacker mounting an attack from the Internet.

Web applications are mostly made bespoke, so their bugs are bespoke too; a generic scanner alone will not find them.

There are two possible approaches to the tests (they can be combined):

  • Anonymous testing – from the position of an ordinary Internet user (without a user account),

  • Testing with knowledge of access credentials (e.g. username and password, or a certificate) – in this case we examine whether it is possible to escalate privileges and thus misuse a regular user account.

Methodology

DCIT uses its own methodology based on the well-known OWASP Top 10.

Types of attack covered (type of attack – description):

  • SQL injection – insufficient or inconsistent input validation allows the attacker to manipulate SQL queries and thus gain unauthorised access to data, or even run their own code on the database server.
  • Cross-site scripting (XSS) – a web server with this weakness can be misused for an attack in which the attacker runs code (usually JavaScript) in the victim's browser, while the victim regards the server as trustworthy.
  • URL tampering – manipulating the URL structure and/or the parameters passed via the URL can cause unexpected application behaviour.
  • Hidden field manipulation – an attack against HTML form fields (HIDDEN fields) that are invisible to the regular user and frequently carry sensitive data or application state.
  • HTTP response splitting – a server-side weakness that allows the attacker to break the HTTP header in an unintended way and forge a response from the server.
  • Cross-site tracing (XST) – misuse of the TRACE method to gather sensitive data from HTTP headers (session cookies, authentication information).
  • Session hijacking – gaining unauthorised access by taking over a session (for example by stealing the session cookie).
  • Cookie poisoning – manipulation of cookies within an HTTP session; a forged cookie can affect the application's behaviour in undesirable ways.
  • Brute-force attacks – usually used to guess usernames/passwords, cookies, URL parameters, etc.
  • Forceful (direct access) browsing – direct access to unpublished or unlinked pages/files, bypassing the application logic.
  • Attacking SSL – attacks against known vulnerabilities in SSL/TLS protocol versions and their implementations.
  • Bypassing client-side validation – testing the application's resilience when validation on the browser (client) side is turned off or bypassed.
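To make the first item above concrete, here is an added example (not code from DCIT's methodology or from this page) of the SQL injection check a tester performs against a login form. It uses a constructed in-memory SQLite database with two made-up users; passwords are stored in plaintext only to keep the demonstration short. The same two payloads are sent to a query built by string formatting and to one using bound parameters, so the difference in outcome is visible directly.

```python
import sqlite3

# Constructed sample data for the demonstration (not real credentials).
# Plaintext passwords are used purely for brevity; a real application
# must store salted password hashes.
SAMPLE_USERS = [
    ("alice", "s3cret", "user"),
    ("bob", "hunter2", "admin"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """Login check that builds the query by string formatting.

    Whatever the client sends becomes part of the SQL text, so a quote
    character in either field changes the structure of the WHERE clause.
    """
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Same check with bound parameters: input is only ever treated as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Two classic payloads a tester types into the login form.
# 1) Tautology in the password field: the clause becomes
#    ... AND password = '' OR '1'='1', which is true for every row.
TAUTOLOGY = "' OR '1'='1"
# 2) Comment-out in the username field: "--" turns the rest of the WHERE
#    clause into an SQL comment, logging in as the admin without a password.
COMMENT_OUT = "bob' --"


def demo():
    """Return the rows each variant yields for the payloads, for comparison."""
    conn = make_db()
    return {
        "vulnerable_tautology": login_vulnerable(conn, "anyone", TAUTOLOGY),
        "safe_tautology": login_safe(conn, "anyone", TAUTOLOGY),
        "vulnerable_comment": login_vulnerable(conn, COMMENT_OUT, "irrelevant"),
        "safe_comment": login_safe(conn, COMMENT_OUT, "irrelevant"),
        "legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} -> {rows}")
```

Run as a script, the vulnerable variant returns every user for the tautology payload and the admin row for the comment-out payload, while the parameterised variant returns nothing for either and only succeeds with the genuine credentials. The fix is the same regardless of database engine: never let user input reach the SQL text, bind it as a parameter.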

The audit results and recommendations form part of the final report. The results are also presented to management at the customer's premises.

Do not rely solely on your provider's assurances.

Independent audits have already uncovered serious defects that threatened to cause financial loss or damage to a company's reputation. A web application security audit thus provides important protection for your projects.

Any questions?

If you are interested in more details, please contact us.

Ask by e-mail