Web Application Testing

Over 80% of all compromises are the result of exploited web application vulnerabilities. In many cases the vulnerabilities that result in compromise are entirely missed by conventional testing methodologies (especially methodologies that depend on automation). In other cases vulnerabilities are identified but are incorrectly assumed to be non-exploitable because of coding standards and / or protective technologies. For example, a common misconception is that parameterized queries eliminate all SQL injection vulnerabilities. The truth is that if the parameterized queries are not constructed properly, exploitation is often still possible. Another misconception is that Web Application Firewalls protect web applications from attack. The truth is that Web Application Firewalls only defend against attacks they are programmed to detect and are ineffective against new attack methodologies.
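An added illustration of the parameterized-query point above (example code written for this page, not part of the firm's methodology or any client application): placeholders bind values, not identifiers, so a query that parameterizes its WHERE clause but concatenates a caller-supplied ORDER BY column still hands attacker-controlled text to the SQL parser. The table, sample rows and allowlist are constructed for the example.

```python
import sqlite3

# Identifiers a caller may sort on. A '?' placeholder cannot carry an identifier,
# so an allowlist is the control for this position (assumption for this example).
ALLOWED_SORT_COLUMNS = {"id", "username", "created_at"}

# Constructed sample data, not taken from any real application.
SAMPLE_USERS = [
    (1, "carol", "2023-01-01", 0),
    (2, "alice", "2023-02-01", 0),
    (3, "root", "2023-03-01", 1),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, created_at TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(sort_column):
    # The WHERE value is parameterized, but the ORDER BY identifier is concatenated,
    # so whatever the caller supplies reaches the parser verbatim: "parameterized"
    # in name only.
    return "SELECT id, username FROM users WHERE is_admin = ? ORDER BY " + sort_column


def build_query_safe(sort_column):
    # Same query, but the identifier is checked against a fixed allowlist before
    # any SQL is assembled; anything else is rejected outright.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_column!r}")
    return f"SELECT id, username FROM users WHERE is_admin = ? ORDER BY {sort_column}"


def list_users(conn, sort_column, builder=build_query_safe):
    # Lists non-admin users; the 0 is bound through a placeholder.
    return conn.execute(builder(sort_column), (0,)).fetchall()


def unsafe_accepts_extra_sql(conn, tainted):
    # True when the unsafe builder executes caller-supplied SQL beyond a bare column
    # name without error: the symptom a code review or test should flag.
    try:
        list_users(conn, tainted, build_query_unsafe)
        return True
    except (sqlite3.Error, ValueError):
        return False
```

Reviewing for this pattern (identifiers, table names, LIMIT values or whole clauses spliced into an otherwise parameterized statement) is how the "parameterized, therefore safe" assumption is checked rather than trusted.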

The biggest risk that an organization can face is assuming that they are secure when in fact they are vulnerable.

Our Web Application Penetration Testing services are derived from the Open Web Application Security Project (OWASP) and heavily augmented by Real Time Dynamic Testing. OWASP is the de facto standard for designing and testing secure web applications. We focus on key areas of OWASP that include but are not limited to the following:

AUTHENTICATION
We will classify the information being protected and compare the authentication mechanism(s) to the sensitivity level of that information. During this part of the assessment our team will attempt to find weaknesses in the authentication mechanisms and, if possible, exploit those weaknesses. We will also verify that the authentication methods in place are sufficient for the type of information being protected. Certain key items, such as re-authentication for gaining access to different levels of information, will also be considered as part of this assessment.

AUTHORIZATION
We will assess the Authorization controls of the web application to ensure that only authorized users can perform allowed actions within their privilege level, to control access to protected resources using decisions based upon role or privilege level, and to identify areas where privilege escalation attacks may be possible.

BUSINESS LOGIC TESTING
We will assess the business logic of the web application. Business Logic Testing is unconventional in that it attempts to disrupt the logic of an application. For example, if the application’s authentication process is set to follow steps 1, 2 and 3, our team will disrupt that flow and force the application to skip a logic step. In many cases this results in an error that can sometimes be exploitable.

SESSION MANAGEMENT
We will assess the Session Management capabilities of the target to ensure that authenticated users have a robust and cryptographically secure association with their session, to enforce authorization checks where appropriate, and to identify points where common web attacks may exist.

DATA VALIDATION
We will assess the target to ensure that it is sufficiently robust to protect against all forms of input data, whether obtained from the user, infrastructure, external entities, or database systems.

INTERPRETER INJECTION
We will assess the target to ensure that it is sufficiently robust to protect against well-known perimeter manipulation attacks that affect common interpreters. These types of attacks are most often Immediate Reflection attacks. An example of this type of attack would be encouraging/forcing a user to click on a URL that then activates or otherwise manipulates an account. Stored attacks, in which the injection occurs at an earlier time and users are affected at a later date, will also be evaluated.

CANONICALIZATION, LOCALE and UNICODE
We will assess the target to ensure that it is sufficiently robust when subjected to encoded, internationalized and Unicode input. These types of inputs are often overlooked when creating a web application, which enables attackers to manipulate web applications by using different encoding techniques.

ERROR HANDLING, AUDITING and LOGGING
We will assess the Error Handling, Auditing and Logging capabilities of the target. More specifically, our team will ensure that all activities which affect the state or balance of the system are formally tracked, that it is possible to determine where an activity occurs in all tiers of the application, and that logs cannot be tampered with by local or remote users.

FILE SYSTEM
We will assess the File System protection mechanisms that are in place to ensure that the local file system, and any other file systems the application can reach, are sufficiently protected from unauthorized manipulation or data viewing.

BUFFER OVERFLOWS
We will assess the target for Buffer Overflow vulnerabilities to ensure that the target does not expose itself through faulty components. These vulnerabilities often enable attackers to compromise the system and eventually gain administrative levels of access to it.

ADMINISTRATIVE INTERFACES
We will assess the Administrative Interfaces for the target to ensure that administrative level functions are properly segregated from user activity, that users cannot access or utilize administrator functionality, and to ensure that the interfaces provide the proper auditing and tracking functions.

CRYPTOGRAPHY
We will assess the Cryptographic capabilities of the target to ensure that data is stored and transmitted in the safest possible manner with respect to the application’s functions and requirements.

CONFIGURATION MANAGEMENT
We will assess the configuration of the target to ensure that no configuration vulnerabilities exist. We will also assess the configuration of the target to ensure “out of the box” security should the target be re-deployed or replicated. During this stage of the assessment our team will also target database security and secure information transmission.