Standards & Certifications

Web Application Penetration Testing

Web application penetration testing is a technique for testing the security of web applications. The security of a web application is evaluated through an active analysis of the vulnerabilities.

The aim is to identify and exploit as many weak points and security gaps as possible. The implementation is similar to a penetration test and aims to penetrate the web apps using penetration attacks.

Table of Contents

Web Application Pentest

In this process, manual and automated testing methods are employed to identify vulnerabilities in various aspects of a web application. The tests involve executing well-known attacks such as SQL injection or denial of service attacks on the application. This assesses both the stability and resilience of the application. Additionally, there is a focus on session management to potentially obtain user data, such as victims' login credentials (Session Hijacking).

What is the goal of web application penetration testing?

The primary outcome of Web Application Penetration Testing is to identify security vulnerabilities throughout the web application and its components (source code, database, back-end network, interfaces/APIs). This allows for a thorough examination of the web application for errors and the opportunity to address and rectify weaknesses. The end result is a summary of discovered security vulnerabilities or weaknesses and an assessment of their impact on the web application. Additionally, it includes recommendations for technical solutions to mitigate or resolve the issues.

Would you like to find out how our action plan is designed and how you can use it?

Does Web App Penetration Testing include API testing?

APIs are often a part of web applications or web architectures, and if they exist or are included in the assessment, we thoroughly test them as part of a Mobile or Web Application Penetration Test.

For dedicated or custom-developed APIs, it is generally recommended not to test them solely in a black-box approach but to obtain API documentation.

Which areas or functions are tested during API testing?

Basically the same as any web application pentest if available, such as:
• Session management testing
• Input validation testing
• Authentication & authorization testing
• Etc…

We would be happy to discuss company-specific details in person!

OWASP Web Application Penetration Testing

What is the OWASP Methodology?

With the ProSec® Web Application Penetration Test, we work according to the OWASP (Open Web Application Security Project) Methodology (currently version 4.2). You can find the detailed testing methodology here. We check all areas, functions and interfaces of your web application, your web service or associated interface systems. We cover the following web service and application focal points, among others:

  • Java & JVM penetration testing
  • Angular application-based penetration tests
  • Redux application-based penetration tests
  • JavaScript application-based penetration testing
  • Python application-based penetration tests
  • Go application-based penetration tests
  • SOAP API's
  • REST API's
PSN Pentester Office

What is the OWASP Top 10 myth all about?

Company tenders often contain specifications that test according to the "OWASP standard". Firstly, we would like to point out that OWASP is not a standard. On the other hand, the desired OWASP level often turns out to be a reduced "OWASP Top 10" level - i.e. the 10 security gaps and vulnerabilities that were identified in the last year.

We distance ourselves from such "penetration tests" because they offer little added value for IT security and do not even begin to meet the quality standards of our penetration testing. As a result, we categorically reject OWASP Top 10 Penetration Tests.

Agile Penetration Testing

Since 2017, we have also been offering agile penetration tests, following the principles of your software development. Please reach out to us for further details, as we are unable to provide them here for competitive reasons.

Web application architecture penetration testing

PSN Pentester Office

In addition to the classic web application & web service penetration test, we also offer the associated web application architecture penetration tests:

  • Amazon AWS Penetration Testing
  • Microsoft Azure Penetration Testing
  • JBoss penetration testing
  • Weblogic penetration tests
  • Tomcat penetration testing
  • Apache HTTPd penetration tests
  • Microsoft IIS Penetration Test
  • Language-based embedded web server penetration tests
  • MySQL penetration testing
  • NoSQL
  • Oracle SQL penetration testing
  • PostgreSQL penetration testing
  • CouchDB Penetration Testing