Website, Web Application & Web Server Penetration Testing
The Threat: Website and Web Application Security Risks
Attacks against web applications constitute more than 60% of the total attack attempts
observed on the Internet. These vulnerabilities are widely exploited to turn trusted websites into
malicious websites that serve content containing client-side exploits.
How do you answer these questions?
- Are your web servers vulnerable to attack?
- Could an attacker obtain credit card or other information from your back end server?
- Could your web server be used as an entrance point to get deeper into your network?
- Is your web site vulnerable to cross-site scripting or SQL injection?
The Solution: A Website & Web Application Penetration Test
Website, Web Server & Web Application Penetration Testing Methodology
Our website and web application penetration testing services are conducted by skilled professionals
using the latest tools, best practice and our own proprietary testing techniques.
- The majority of the exercise is a manual process involving multiple phases, each tailored to the nature and purpose
of your application.
- Whilst automated software forms part of our toolset, we believe there is no substitute for an intelligent, experienced
and informed approach using skills honed over many years and hundreds of tests.
- Initially the application will be tested from an unauthenticated (anonymous) perspective to simulate an opportunistic
attack. This phase will reveal vulnerabilities typically associated with misconfigurations and issues such as SQL injection
and cross-site scripting.
- We will then conduct a series of detailed, creative tests using valid credentials. These tests will disclose deeper
problems such as business logic errors, authentication defects, and privilege escalation (whether a user can access
another account, or gain administrative access to part or all of the application).
- We will also run a vulnerability scan against the underlying web server platform for flaws that may not be apparent at the
- All identified vulnerabilities are verified to remove false positives and are exploited to demonstrate the real risks
and impact of an attack.
- Our test methodology has been informed by:
  - The Open Web Application Security Project (OWASP)
  - The ISO 27001 standard, particularly the sections relating to publicly available information
  - Guidance offered by manufacturers and trusted third parties
- Our technical approach focuses on these key areas:
  - Identify application entry points, test for web application fingerprint, application discovery, analysis of error codes
  - SSL/TLS testing, backup and unreferenced files, admin interfaces, HTTP methods, cross-site scripting
  - Credentials via an unencrypted channel, user enumeration, bypass authentication schema, logout, browser
  - Session management schema, cookie attributes, session fixation, cross-site request forgery
  - Path traversal, privilege escalation
  - Shopping cart functionality, payment card transaction, application-specific business logic
  - Cross-site scripting (reflected and stored), SQL injection
  - Identify management services, TCP and UDP services, security vulnerabilities
At First Base Technologies we pride ourselves on being with you every step of the way in securing your websites and applications from attack.
+44 (0)1273 45 45 25