What is Web Application Penetration Testing?

Web application penetration testing is a point-in-time security assessment of a web application that provides a thorough analysis of any security issues within it. Penetration testing simulates a real-world attack, identifying security issues within your organisation's web applications, websites and web services such as REST and SOAP APIs. Identified security issues are documented in a severity-ranked report with clear remediation instructions, enabling the Client to fix them. An old cliché that applies well here is 'A stitch in time saves nine'. There are numerous case studies of companies of all sizes, big or small, being wiped out of existence because of a small data breach. Our services are simply oriented towards you not becoming such a case study.

Why are Web Applications so prone to cyber-attacks?

Most web applications are extremely complex, being made up of a variety of technologies such as different programming languages, web server software, operating systems, dynamic web content languages and database systems. The mix of technologies can be bifurcated into those on the Client side and those on the Server side.

Some of the Client side technologies can be:

  1. Browser code: HTML 5/ XML
  2. Languages: JavaScript/ ActiveX/ Flash/ Silverlight/ Java
  3. Data formats: JSON/ XML

Some of the Server side technologies can be:

  1. Web server software: Apache/ Nginx/ Microsoft IIS
  2. Dynamic web content implementation languages: PHP/ .NET/ Django/ Ruby on Rails
  3. Database systems: MySQL/ Oracle/ Microsoft SQL
  4. Operating systems: Windows/ Linux/ Sun Solaris

Use of so many interacting technologies in a web application makes it a favorite haunt of hackers who look for small slippages to gain access to unauthorized data or control.

What kind of attacks are possible on a web application?

Attack vectors can be bifurcated into Client side attacks and Server side attacks.

  1. Client side attacks try to exploit the data flow from the browser, leading to attacks like cross-site scripting, browser session hijacking, phishing etc. Most Client side attack vectors originate from poor validation of inputs in the web app. For example, form field injection attacks, where additional form fields are added to the valid form fields in a browser in order to trick the user into revealing confidential information, can lead to the compromise of users' passwords, ATM PINs or credit card numbers.
  2. Server side attacks try to compromise the web server or gain access to user databases and can be truly devastating in terms of the scale of impact. Such attacks allow the attacker to access files containing confidential user information or to modify the web application's behaviour in a malicious way, thereby infecting the host. For example, SQL injection attacks can be executed on the server due to poor server side validation, leading to compromise of the host database. Most server side attacks are on account of poor validation, insecure configuration, poor coding or insufficient patching.
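The two validation failures named above (SQL injection from unvalidated server side input, and script injection from input reflected back to the browser) are easiest to understand side by side with their fixes. The following is an added illustration written for this page, not PentestO's code or tooling: it builds a constructed in-memory SQLite user table, shows a lookup that splices input into the SQL text next to one that binds it as a parameter, and shows an HTML fragment rendered with and without output encoding. All function and table names are assumptions made for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the example: two users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: untrusted input becomes part of the SQL statement,
    # so a quote character in the input changes the query's logic.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened pattern: parameter binding sends the input as data, never as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_unsafe(username):
    # Vulnerable pattern: input is reflected verbatim into the HTML body,
    # so markup in the input is interpreted by the browser.
    return f"<p>Welcome, {username}</p>"


def render_greeting_safe(username):
    # Hardened pattern: contextual output encoding for the HTML body context.
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def compare(username):
    # Returns a summary of how each variant behaves on one input, for demonstration.
    conn = make_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, username)),
        "safe_rows": len(lookup_safe(conn, username)),
        "unsafe_html": render_greeting_unsafe(username),
        "safe_html": render_greeting_safe(username),
    }


if __name__ == "__main__":
    for sample in ["alice", "' OR '1'='1", "<em>alice</em>"]:
        print(sample, "->", compare(sample))
```

The tautology input makes the concatenated query return every row, while the bound parameter returns none because no user is literally named that string; likewise the escaped greeting turns the angle brackets into entities so the browser renders them as text. Server side validation of what a username may contain belongs in front of both functions, but the binding and the encoding are the controls that hold even when validation is imperfect.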

How does penetration testing help in tackling web application security issues?

Getting a penetration test is a systematic and thorough way of discovering most of the known and unknown vulnerabilities in a web application. A highly skilled security expert spends hours testing your web application for vulnerabilities as per the OWASP standards. OWASP has become a benchmark for quality penetration tests.

While no amount of testing will make your web application hack-proof, a good penetration test helps nullify the majority of the possible attack vectors.

Services offered by PentestO

PentestO's web application penetration testing services comprise the following phases:

  1. Data Collection/Recon – Tool-based services as well as manual data collection shall be attempted, for example identifying the DB versions, table names, database configurations, software and hardware used, or even third party plugins etc.
  2. Vulnerability Assessment – Automated tools shall be used to quickly identify vulnerabilities.
  3. Exploitation – An expert penetration tester will launch an attack on the target system in order to exploit the known vulnerabilities and discover unknown ones. The OWASP methodology is followed.
  4. Reporting – A detailed report including the technical vulnerabilities, their impact on the business along with possible remediation steps shall be submitted.
  5. Retesting – Retesting shall be provided, completely free of cost, to ascertain whether the identified vulnerabilities have been fixed.

How does it work?

  1. Pre-engagement Phase: We provide quotes/assessments for our testing services free of charge. If desired by the Client, we sign an NDA. The Scope of Work shall be provided in the Quote. Based on the Quote, the Client can provide us the Letter of Award, along with the necessary permissions.
  2. Engagement Phase 1: Discussions are held with the assignment management to plan the penetration testing and conduct it as per the agreed schedule. A short technical report is issued within 24 hours of the conclusion of penetration testing in case the issues identified are considered critical.
  3. Engagement Phase 2: A detailed report, as per the Scope of Work, is issued within 1 week (7 calendar days) after the conclusion of Phase 1. We expect the Client to make the complete payment within 1 week after the submission of the detailed report.
  4. Post-engagement Follow-up: In case the Client desires, free retesting is provided as per a mutually agreed schedule. Free retesting shall be restricted to the issues identified in the report and can be availed up to 4 weeks after the submission of the detailed report.

Our charges for Web Application Penetration Testing

Testing Type: Web Application
Starting Price (USD): $999
Description: Price for an exploitative, manual web application penetration test for a single web application consisting of fewer than 25 static or dynamic pages and 1 level of authentication. The web app security test includes file upload testing and all areas of the OWASP testing methodology.

Why should you hire PentestO?

One of the characteristics that sets us apart from other firms is the manner in which we structure our Penetration Testing teams. Most penetration testing firms are staffed purely with technical security engineers who engage with the Client. At PentestO, we pride ourselves on having Engagement Managers who have at least 5 years of industry experience and a thorough understanding of application security. As a result we really understand your business and your risks, and deliver a mature perspective that your top management can appreciate.

Our penetration testers are certified, have at least 5 years of web app penetration testing experience and have excellent demonstrated ability in finding web app vulnerabilities. Our testers have their names in several Halls of Fame, such as Google's, and a demonstrated record of winning bounties from companies like Amazon, Microsoft, Facebook, MasterCard, Adobe, Blackberry, LinkedIn etc.

All this comes at a cost that no one matches in the entire testing industry.

Need any more reasons to hire us?


Companies in which our experts have found vulnerabilities