
Web Application Penetration Testing

Web application penetration testing is a technique for testing the security of web applications. The security of a web application is evaluated through an active analysis of the vulnerabilities.

The aim is to identify and exploit as many weak points and security gaps as possible. The procedure is similar to that of a general penetration test: the testers attempt to break into the web application using real attack techniques.


Web Application Pentest

In this process, manual and automated testing methods are employed to identify vulnerabilities in various aspects of a web application. The tests involve executing well-known attacks such as SQL injection or denial of service attacks on the application. This assesses both the stability and resilience of the application. Additionally, there is a focus on session management to potentially obtain user data, such as victims' login credentials (Session Hijacking).

What is the goal of web application penetration testing?

The primary outcome of Web Application Penetration Testing is to identify security vulnerabilities throughout the web application and its components (source code, database, back-end network, interfaces/APIs). This allows for a thorough examination of the web application for errors and the opportunity to address and rectify weaknesses. The end result is a summary of discovered security vulnerabilities or weaknesses and an assessment of their impact on the web application. Additionally, it includes recommendations for technical solutions to mitigate or resolve the issues.


Does Web App Penetration Testing include API testing?

APIs are often a part of web applications or web architectures, and if they exist or are included in the assessment, we thoroughly test them as part of a Mobile or Web Application Penetration Test.


For dedicated or custom-developed APIs, it is generally recommended not to test them solely in a black-box approach but to obtain API documentation.

Which areas or functions are tested during API testing?


Essentially the same areas as in any web application pentest, where they are present, such as:
• Session management testing
• Input validation testing
• Authentication & authorization testing
• Etc…

We would be happy to discuss company-specific details in person!

OWASP Web Application Penetration Testing

What is the OWASP Methodology?

With the ProSec® Web Application Penetration Test, we work according to the OWASP (Open Web Application Security Project) Methodology (currently version 4.2). You can find the detailed testing methodology here. We check all areas, functions and interfaces of your web application, your web service or associated interface systems. We cover the following web service and application focal points, among others:

  • Java & JVM penetration testing
  • Angular application-based penetration tests
  • Redux application-based penetration tests
  • JavaScript application-based penetration testing
  • Python application-based penetration tests
  • Go application-based penetration tests
  • SOAP APIs
  • REST APIs

What is the OWASP Top 10 myth all about?

Company tenders often specify testing according to the "OWASP standard". First, we would like to point out that OWASP is not a standard. Second, the desired OWASP level often turns out to be a reduced "OWASP Top 10" level, i.e. the 10 security gaps and vulnerabilities that were identified in the last year.

We distance ourselves from such "penetration tests" because they offer little added value for IT security and do not even begin to meet the quality standards of our penetration testing. As a result, we categorically reject OWASP Top 10 Penetration Tests.

Agile Penetration Testing

Since 2017, we have also been offering agile penetration tests, following the principles of your software development. Please reach out to us for further details, as we are unable to provide them here for competitive reasons.

Web application architecture penetration testing


In addition to the classic web application & web service penetration test, we also offer the associated web application architecture penetration tests:

  • Amazon AWS Penetration Testing
  • Microsoft Azure Penetration Testing
  • JBoss penetration testing
  • Weblogic penetration tests
  • Tomcat penetration testing
  • Apache HTTPd penetration tests
  • Microsoft IIS Penetration Test
  • Language-based embedded web server penetration tests
  • MySQL penetration testing
  • NoSQL
  • Oracle SQL penetration testing
  • PostgreSQL penetration testing
  • CouchDB Penetration Testing
    etc.