First Base Technologies

Contact Us
Phone 01273 454525

Website, Web Application & Web Server Penetration Testing



The Threat: Website and Web Application Security Risks

Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. Web application vulnerabilities are being exploited widely to turn trusted web sites into malicious ones that serve content containing client-side exploits.

  • Are your web servers vulnerable to attack?
  • Could an attacker obtain credit card or other information from your back end server?
  • Could your web server be used as an entrance point to get deeper into your network?
  • Is your web site vulnerable to cross-site scripting or SQL injection?

How do you answer these questions?

The Solution: A Website & Web Application Penetration Test

Website, Web Server & Web Application Penetration Testing Methodology

Our website and web application penetration testing services are conducted by skilled professionals using the latest tools, best practice and our own proprietary testing techniques.

  • The majority of the exercise is a manual process involving multiple phases, each tailored to the nature and purpose of your application.
  • Whilst automated software forms part of our toolset, we believe there is no substitute for an intelligent, experienced and informed approach using skills honed over many years and hundreds of tests.
  • Initially the application will be tested from an unauthenticated (anonymous) perspective to simulate an opportunistic attack. This phase will reveal vulnerabilities typically associated with misconfigurations and issues such as SQL injection and cross-site scripting.
  • We will then conduct a series of detailed, creative tests using valid credentials. These tests will disclose deeper problems such as business logic errors, authentication defects, and privilege escalation (whether a user can access another account, or gain administrative access to part or all of the application).
  • We will also run a vulnerability scan of the underlying web server platform for flaws that may not be apparent at the application layer.
  • All identified vulnerabilities are verified to remove false positives and are exploited to demonstrate the real risks and impact of an attack.
  • Our test methodology has been informed by:
      • The Open Web Application Security Project (OWASP)
      • The ISO 27001 standard, particularly the sections relating to publicly available information
      • Guidance offered by manufacturers and trusted third parties
  • Our technical approach focuses on these key areas:

Information Gathering: identify application entry points, web application fingerprinting, application discovery, analysis of error codes
Configuration Management: SSL/TLS testing, backup and unreferenced files, admin interfaces, HTTP methods, cross-site scripting
Authentication: credentials sent over an unencrypted channel, user enumeration, bypassing the authentication schema, logout handling, browser cache management
Session Management: session management schema, cookie attributes, session fixation, cross-site request forgery
Authorisation: path traversal, privilege escalation
Business Logic: shopping cart functionality, payment card transactions, application-specific business logic
Server Configuration: identify management services, TCP and UDP services, security vulnerabilities



At First Base Technologies we pride ourselves in being with you every step of the way in securing your websites and applications from attack.

More Information

You can read our FAQ on penetration testing and vulnerability analysis here.

See what our clients say about us here.



Accreditations and certifications:
  • CREST
  • ISO 27001
  • ISO 9001
  • CREST Cyber Essentials

E&OE
© 2001-2015 First Base Technologies LLP - All Rights Reserved.
First Base Technologies LLP is a limited liability partnership registered in England & Wales, number: OC352070