Web Application Penetration Testing is one of the application security services (Application Security Assessment) offered by ISGroup.
Web applications are nowadays predominant, increasingly sophisticated, and critical for on-line businesses.
We analyze all the critical components of a web portal, an E-Commerce application or any other web platform.
By combining manual techniques with hundreds of specific tools, the tester is able to identify both evident and hidden issues.
As with client/server applications, web applications generally suffer from improper handling of client requests, owing to weak validation and controls implemented during development.
By their very nature, web applications are completely exposed and accessible. The ''security through obscurity'' approach is impossible, so resilient application code is paramount.
Additionally, web applications process data from HTTP requests, a protocol that permits a myriad of encodings and different encapsulations.
A Web Application Penetration Test is the simulation of an attacker against a website, portal or web application. Initially, the testing consists in identifying all the resources exposed on the target.
At the same time, the auditor performs a business logic analysis to verify that there are no conceptual problems impacting security.
At this point, before testing the actual web application, the infrastructure is checked for known and unknown vulnerabilities.
Once valid attack points (entry points) are spotted, we proceed with the actual attack attempt. The goal is an extensive compromise, as deep and as broad as possible.
Afterwards, both manually and with the help of tools, each parameter is tested with defined attack vectors. Generic attack techniques for the given platform are also executed.
If some form of access is obtained, we perform actions that are normally unauthorized and unexpected but still harmless to the system and application, in order to produce evidence of exploitability. Such an action could be dumping data from a backend database or accessing files and source code from the disk. With proper authorization we can extend the scope of the test to modify information or obtain full control of the machine and adjacent ones.
The Report is a simple yet detailed document that summarizes the results of the activity. It is divided into three areas:
The first is placed at the beginning of the Report and is no longer than one page. It is a non-technical overview intended for Management.
The second is a technical part describing the discovered vulnerabilities and their impact in detail. It is intended for the Security Manager.
The third is a technical section with detailed and precise instructions on how to resolve the identified problems, intended for the System Administrator.
Working with us is simple: just call (+39) 045 4853232 or send an e-mail so that we can get to know each other and discuss your IT Security needs.