cybback

Web Application Penetration Testing


Web applications get secured when Cyber Defence Solutions steps in.

Web Application penetration testing is process of identifying security vulnerabilities and business logic issues during the development lifecycle of a web app.
We also provide VAPT service on Thick/Thin client which includes Buffer overflow exploit on thick client, Business/Process logic validation on thick/thin client.




Web Application Penetration Testing METHODOLOGY

Defining scope
Reconnaissance and enumeration
Mobile app API analysis
static and Dynamic analysis
Gaining Access-Exploitation
Privilege Escalation
Result analysis
Report generation
Mitigation proposal
Fix re-verification

What is Web application penetration testing ?

Web Application penetration testing is process of identifying security vulnerabilities and business logic issues during the development lifecycle of a web app. A web application might be vulnerable to following vulnerabilities:




  • Buffer Overflow
  • Credential Management
  • CRLF Injection
  • Cache Poisoning
  • DNS Poisoning
  • More than XSS with Business Logic Errors
  • OS Command Injection
  • Remote Code Execution
  • SQL Injection
  • XML External Entities (XXE) Injection
  • Privilege Escalation
  • Server-Site Request Forgery
  • Insecure Direct Object Reference
  • Race condition Vulnerability
  • Session Management vulnerabilities
  • Cross-Site Request Forgery (CSRF)
  • Java, .NET Deserialization vulnerability
  • Invalidated Redirects and Forwards
  • Sensitive Data Exposure
  • Application Access Control Issues
  • DLL injection
  • Many more……
extensions

Internal Pen-Test

internal pen-testing takes a different approach -- one that simulates what an insider attack could accomplish. The target is typically the same as external pen-testing, but the major differentiator is the "attacker" either has some sort of authorized access or is starting from a point within the internal network. Insider attacks have the potential of being much more devastating than an external attack because insiders already have the knowledge of what's important within a network and where it's located, something that external attackers don't usually know from the start.



extensions

External Pen-Test

External pen-testing is the traditional, more common approach to pen-testing. Black Hats are always keenly looking for vulnerable public acing applications. So in this case we as a security consultant aims to target the system from black hat’s perspective and find out flaws in it which gets reported. It addresses the ability of a remote attacker to get to the internal network. The goal of the pen-test is to access specific servers and crown jewels within the internal network by exploiting externally exposed servers, clients, and people. Whether it's an exploit against a vulnerable Web application or tricking a user into giving you his password over the phone, allowing access to the VPN, the end game is getting from the outside to the inside.



API Pen-Test

API is the integral part of a web application. API penetration testing deliver quality results while decreasing your costs for loosing data. With decades of security experience, our Pen testers identify critical to low vulnerabilities in API and provide you the strategic mitigation plan.