Web Application Penetration Testing

Web technologies have advanced in recent years and so have the Web Applications that we all use daily. With this advancement and reliance on web technologies, we have also been exposed to cybersecurity risks associated with these applications. Pentest People offer a Web App Security Test as part of our range of Penetration Testing Services, allowing you to avoid any risk of your applications becoming exploited by potential hackers.

One question that often comes up when discussing web application security is whether you should be focusing on automated or manual testing, the answer is both, manual testing encompasses a penetration test and should always be performed regularly on your applications, after this its highly recommended you have regular vulnerability scans against your app (the automated testing). If you want to know more please check our manual vs automatic breakdown

Listen to one of our Web Application experts
breakdown this Pentest People Service

For those hard of hearing we have a transcript at the bottom of this page

Web Application Methodology

Web Applications can use a variety of technologies and development frameworks, so Pentest People’s exact technical approach to each Web Application Penetration Test may be very different. However, there are certain fundamental areas that are examined, which are as follows:

Public Information

Publicly available Information on the target company and application(s) will be gathered and inspected. This information could include DNS records, email addresses, document metadata, website content, and social media posts.

Authentication

Any authentication controls such as login portals will be tested in detail, identifying any vulnerabilities that could be exploited to bypass the control, enumerate information such as valid users, or exploit weaknesses such as lack of anti-automation.

Authorisation

The application’s pages and functionality is mapped from the perspective of the core user profiles (with varying privileges), identifying any discrepancies with access and highlighting potential horizontal and vertical privilege escalation issues.

Session Management

The session management solution is examined in detail to identify vulnerabilities such as session fixation and hijacking, excessive timeouts, concealed sequences and flaws in the randomness of the token.

Input Validation/Sanitisation

All user-controllable input is closely tested to identify any instances of malicious code injection weaknesses. Common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection fall within this category.

Business Logic

The functionality of the application will be examined from a business logic perspective, identifying ‘edge cases’, where users perform an action (or sequence) not foreseen by the developers.

Web Server Configuration

The configuration of the Web server is included in testing to identify any instances of version disclosure, outdated software packages, SSL configuration weaknesses, and unnecessary public facing ports.

What are the Risks?

External facing Web Applications used by businesses are by nature available to all via the public Internet. Their complexity and availability have made them an ideal target for attackers and there have been many publicised data breaches that have been caused by insecure web applications.

Protecting these applications from new threats is a constant challenge, especially for developers who may not be security aware and who are working towards a performance deadline.

How Can Our Web Application Penetration Testing Service Help?

Pentest People can help alleviate the risks associated with IT Security issues by performing regular web app security of your public facing or internal Web Applications to identify the issues and to give you an ability to remediate these before an attacker would exploit.

Pentest People have a professional Web Application Security Testing service that can be used to identify vulnerabilities that exist on your web applications. Pentest People have a wealth of knowledge in the area of Web Application Security Testing and their testers have created and contributed to many open source web application security projects.

This Web Application testing can be performed remotely for external facing web applications or internally at your premises if the application is an internal application. The service would be delivered as part of the Pentest People Penetration Testing as a Service (PTaaS) and full access to the SecurePortal and other complementary tools would be provided.

Find Out More

Remote Internal Application Testing

Traditionally, Internal Web Application Tests have been conducted onsite where a Pentest People Consultant would visit your office and physically connect to the network infrastructure to perform the assessment of the local application that is not publically accessible.

With the issues faced around the Coronavirus situation, Pentest People have released SecureGateway, a technology-led alternative to having a consultant visit site.

Pentest People are offering a Remote Internal Web Application Test where the whole engagement is performed without the need to visit the customer site.

The client can either download a Virtual Machine image that can be installed within the corporate network or be shipped a standalone network appliance.

Both solutions create a secure channel to the Pentest People Security Operations Centre where the assigned consultant can then command the image or appliance in the same way as they would if they had their laptop on site.

All data collected during the test is held securely at our ISO27001 Compliant Security Operations Centre allowing the consultant to perform the assessment and upload the results to SecurePortal for delivery to the customer.

Find Out More

The Web Application Assessment
Allows Access to SecurePortal

Digital Report

Until now, the traditional deliverable from a Penetration Test engagement has been a lengthy 100+ page PDF report.

Pentest People have developed a solution to this issue where you interact with your vulnerabilities within the SecurePortal.

Vulnerability Data

Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape.

Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on an interactive dashboard.

Skilled Consultants

Rest assured that your assessments are performed by qualified Security Consultants.

Our specialised team of security consultants hold industry qualifications such as CHECK Team Member & Team Leader, CCIE, CISSP and CEH.

Web App Testing Overview Transcript

Our team of highly trained Web Application Security Consultants can assess your web applications. We have methodologies that are in line with NCSC and OWASP Top 10 to ensure that we are providing a thorough penetration test for you, our methodology covers but it’s not limited to information gathering, data validation, session management and business logic testing. We also ensure that we are completely testing your access controls so user A can’t see user B’s data or access functionality that they are not supposed to access.

Key Benefits

Understand the web application security issues you face through a very thorough assessment from a qualified security consultant.

Identify Security Vulnerabilities within your Web Applications allowing you to proactively remediate any issues that arise
Improve your security posture, allowing you to reduce the threat of a cyber attack occurring against your business
Comply with various regulatory bodies who mandate regular Web Application Testing be performed within your infrastructure
Be able to prove to your supply chain that you are taking the necessary precautions to ensure your strong security posture
Be able to focus efforts on important security issues by identifying the high-risk items identified in the Web Application report

Frequently Asked Questions About Web
Application Penetration Testing

What is a Web Application Penetration Test?

A Web Application Penetration Testis a consultant-led assessment of the web applications you have asked Pentest People to test. The consultant will use the latest tools and techniques and follow an industry-standard methodology to manually identify vulnerabilities that automated tools could not find.

Do I need a Web Application Assessment?

At Pentest People we feel that any organisation with an external-facing Web Application needs a Web Application Penetration Test.

What the difference between a normal Pen Test and Web App Test?

What is classed as a normal Penetration Tests are usually focussed more around the network infrastructure and hosts rather than web applications. Web Application security is a specialised field and requires specialist consultants who understand computer software architectures in order to achieve a thorough assessment.

What type of Web Applications can be tested?

We can test all of the latest web technologies and web-based applications. Our security consultants are very experienced at such testing and the initial scoping exercise will provide you with an accurate estimation of time required.

Can you test an Internal Web Application?

Yes, we can test an internal application in one of two ways. If possible you can get us remote access via a VPN service so that our security consultant can connect to the application. The second way is where our security consultant visits your site and connects to the internal app in the same way the users would.

What is the deliverable from the service?

The deliverable from this service is a full Web Application Penetration Test Report that is uploaded to our SecurePortal and available for you to interact with. This differs from the competition in the way this is delivered and we believe this is a much clearer way to work with an manage the results of the assessment.