Web Application Penetration Testing is a technique for testing the security of web applications. In it, the security of a web application is evaluated through an active analysis of its vulnerabilities.
The goal is to identify and exploit as many vulnerabilities and security holes as possible. The procedure is that of a penetration test: it attempts to penetrate the web application by means of targeted attacks.
Manual or automated test procedures are used to identify vulnerabilities in the different areas of a web application. During the tests, known attacks such as SQL injection or denial-of-service attacks are executed against the application. Stability and integration are also tested for consistency. Another focus is session management, where the aim is to obtain user data such as a victim's credentials (session hijacking).
The aim is to identify security vulnerabilities across the entire web application and its components (source code, database, back-end network) so that the web application can then be checked for errors and the vulnerabilities eliminated.
The end result is a summary of all security vulnerabilities or weaknesses found, together with an assessment of their impact on the web application. This is accompanied by a recommendation of technical solutions to mitigate or fix each problem.
For the ProSec® Web Application Penetration Test, we work according to the OWASP (Open Web Application Security Project) methodology (currently version 4.2). You can find the detailed test methodology here. We check every OTG test case against your web application or web service. We cover the following web service and application areas, among others:
Company tenders often contain specifications requiring that testing be performed according to the "OWASP standard". On the one hand, we would like to make it clear once again that OWASP is not a standard. On the other hand, instead of the desired OWASP level, such tenders often refer only to the OWASP Top 10, i.e. the ten security gaps and vulnerabilities that were identified in the previous year.
We distance ourselves from such "penetration tests", as they offer little added value for IT security and do not come close to meeting our quality standards for penetration testing. As a result, we reject OWASP Top 10 penetration tests across the board.
Since 2017 we have also been the first company in the world to offer agile penetration testing, integrated into your software development process. For competitive reasons, please contact us for further details.
In addition to the classic Web Application & Web Service Penetration Test, we also offer the related Web Application Architecture Penetration Test: