Web Application Penetration Testing


Web applications are difficult to secure, and often contain large amounts of sensitive data. For these reasons, web applications are a prime target for malicious hackers and require specialized testing to ensure proper security. Web application penetration testing is specifically designed to uncover software vulnerabilities in modern web applications and to provide recommendations that help improve security.

An application-layer penetration test is most commonly used to test the following types of applications:

  • Custom or “in-house” web applications
  • Custom web services/APIs (e.g. SOAP, REST)
  • Custom software integrations of Commercial Off-The-Shelf (COTS) Software

Application Layer Penetration Test Methodology Overview

With an application-layer penetration test, Tanner’s Information Security team will help identify both common and application-specific vulnerabilities that exist in custom-developed software. While we utilize automated scanning tools to improve testing efficiency, our methodology is heavily focused on manual testing and verification techniques. Web applications require manual testing because many application-layer vulnerabilities are logical and systematic flaws in the code that automated testing often overlooks. If exploited, these types of vulnerabilities can be the most damaging.

Tanner’s web application penetration testing begins with a network/operating system review to verify the underlying systems are configured securely. After performing initial system-wide tests, Tanner’s penetration testing team will focus on the application layer (layer 7), which requires significant attention and accounts for the majority of the time allocated to these engagements.

Tanner’s team will first assume the role of an anonymous attacker who does not have valid credentials to the application, to verify if the application is accessible to rogue users. If user credentials are provided and authenticated testing is in the scope of the project, our team will authenticate to the application to determine if valid users can:

  • Exploit vulnerabilities
  • Gain access to the underlying infrastructure
  • Access unauthorized information
  • Escalate privileges vertically

For role-based applications and systems, testing is conducted across all permission levels and authorization policies. This will not only ensure coverage across the entire application, but will include in-depth testing of complicated authorization controls.

Penetration Test Deliverable

The deliverable for this engagement will consist of a report highlighting the gaps identified from the tests along with Tanner’s prioritized recommendations to help remediate the identified risks and improve the overall security of the application. Our suggestions will take into consideration the company’s size and the sensitivity of the data, to determine the importance and urgency of each recommendation.