Web Application Penetration Testing
- Highly trained and certified penetration testing team
- Proven penetration testing methodology
- Includes retest option to validate your fix actions
- Clear & concise reports with prioritized, actionable items
Web Application Penetration Testing Service
Are your web applications secure? We can validate this for you with a Web Application Penetration Test (Black and Gray Box). Web applications are the most frequently attacked items on the Internet and are often the most insecure.
We emulate an attacker by utilising similar techniques to perform reconnaissance, identify vulnerabilities, and break into your systems. Unlike an attacker, however, we stop our test before exposing sensitive data or doing harm to your environment.
With the Black Box Penetration Test, this means we have unauthenticated access and have little prior knowledge, except the URLs, about the systems in scope. We will also perform a Gray Box Penetration Test of each system, as applicable, after the Black Box Penetration Test. With a Gray Box Penetration Test, we have "user" level knowledge about the application and Standard user access to the Web Application. A Gray Box Penetration Test is used to test an application that supports multiple users by testing authenticated user access to ensure a user on an application cannot access another user's data or escalate their privileges. We log on to the application as that user and perform testing to see if we can perform any of the following:
Horizontal Privilege Escalation: Where an authenticated user can access another user's data. An example of horizontal privilege escalation is a bank application, where an authenticated user's account number shows up in a URL. If I can change the account number in the URL to another account number and access another user's banking information, I've just performed a horizontal privilege escalation.
Vertical Privilege Escalation: Where an authenticated user can escalate privileges to an administrator-level account. An example of this is a web application that has a value representing the username in a hidden field that is returned after successful authentication. If we changed the value from 'username' to 'root' or 'administrator' and passed this back to the web application server and it provided us admin acces this would vertical privilege escaltion.
OWASP Top 10 Testing
We ensure our testing covers the latest Open Web Application Security Project (OWASP) Top 10, along with the following:
- SQL injection (Blind, Inference, Classic, Compounded)
- OS command injection (Informed, Blind)
- Server-side code injection
- Server-side template injection
- Reflected XSS
- Stored XSS
- Reflected DOM issues
- Stored DOM issues
- File path traversal / manipulation
- External / out-of-band interaction
- HTTP header injection
- XML / SOAP injection
- LDAP injection
- Open redirection
- Header manipulation
- Server-level issues
Web Application Penetration Testing with Hedgehog
We think it is better to have an ethical hacker find the holes into your enterprise than an adversary. Our Web Application Penetration Testing Services provides details on exploitable web vulnerabilities in a prioritized, tangible manner. Our report allows you to better understand what your web server or web application looks like from an attackers perspective; for example, what the "attack surface" looks like. This helps you prioritize efforts to mitigate risk and to reduce the likelihood of a security breach.
Not only do our Web Application Penetration Testing Services show you what your attack surface looks like to an adversary, but they can be used as a safe way to test your organisation's incident response capabilities. Our Penetration Testing services can also be used to tune and test your security controls, such as your IDS, Firewall, Web Application Firewall (WAF), Router Access Control Lists (ACLs), etc.
Our Web Application Penetration Testing services also help you meet compliance audit requirements such as HIPAA, PCI-DSS, and NIST.
Web Application Penetration Testing Deliverables
You get four items:
- Penetration Test Report
- Penetration Test Report Findings Review with your team via an online session
- Free Retest following your fixes
- Certificate of Attestation
Penetration Test Report
The Penetration Test Report includes the URLs and IP addresses tested, reconnaissance (discovery) information, vulnerabilities discovered, steps taken during the assessment, exploitable areas, and prioritized recommendations. For any systems we are able to exploit, an Issue Detail section is used to discuss step-by-step the process we used to gain access, escalate privileges, etc.
Penetration Test Report Findings Review
We schedule either an in-person or online session with you where we walk through the report with your team and answer any questions about the findings, our methods, or the steps required for remediation. Many competitors deliver a confusing lengthy report at the end of the engagement for you to decipher. Our penetration test report review adds tremendous value because we can clarify findings and remediation steps.
How do you know the steps you took to fix our penetration test report findings actually worked? Validation removes the guesswork. When you're ready, after fixing the issues identified in the penetration test report, we offer a free re-test of those identified vulnerabilities. This is a crucial and often overlooked step in this process. Validating security controls, patches, and other fix actions is extremely important. We have discovered numerous organisations that thought they fixed a finding we identified, only to discover after a retest that the finding was still there.
Certificate of Attestation
The attestation letter serves as record of us performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your organisation, to show proof that a security assessment was performed and to highlight test results.
Frequently Asked Questions
- Penetration Test or Vulnerability Assessment, I'm confused. What do I need?
Great question. The vulnerability assessment is akin to looking at a house and writing down the make of the locks, the location of the doors and windows. All the time checking to make sure they are closed and see if they are locked or not. A penetration test will attempt to pick those locks, open the doors, see what is behind them. The good penetration test will also try to build tunnels from the house to their house, create an inventory of all your possessions and many other things besides. We get a lot of questions asked of us regarding Penetration Testing. We have tried to gather as many of the frequently asked questions together here.
- I have a mate who can test, what makes you better?
Almost everyone has a friend, peer, colleague who understands a little about security. We test 7 days a week, 365 days a year and each tester spends a third of their time at conferences, on course and doing research to stay at the top of their skill set. It is like comparing a race car engineer (the penetration tester) to a car garage engineer (the IT generalist with some tools) to the home garage hobbyist (the friend). Occasionally, the friend will have excellent levels of skills, but is this the exception, not the norm.
- What tools do you use for a penetration test?
Our primary "tool" is the Mk1 Human. In our testers arsenal are over 200 opensource tools bolstered by more than 50 internally developed tools. On an average penetration test, 20% of the testers time will be spend working with tools. These are important for covering a lot of digital ground in a small amount of time.
- Does your Gray Box Penetration Test include Black Box?
Yes, we perform the Black Box Penetration Test first, then perform the Gray Box. Our report shows which test the finding is linked to and which role, if we test multiple user roles for the Gray Box test.
- How often should we have a Penetration Test?
The best practice guideline is at least annually but it really depends on what it is you are testing. If your environment is static and does not change, and you perform monthly vulnerability scans then you are reasonably safe in having a penetration test every three years. If you are including applications within your test scope, that change often, then you should be testing those applications separately after development and before UAT.
- What type of Penetration Test is done as part of the Cyber Essentials audit?
We are asked this question almost every week. Cyber Essentials and Cyber Essentials Plus include within the audit process a Vulnerability Assessment only. A vulnerability assessment is not a penetration test.
- We have regular vulnerability tests. Why do we need a penetration test?
A vulnerability assessment is one of the phases of the reconnaissance phase of a penetration test. In the grand scheme of a penetration test, the vulnerability assessment phase constitutes about 5% of the test.
- I want a Penetration Test, how much will it cost?
In order to determine the cost, we need to have a discussion about the scope. While some firms will give you a quote blind, it is like asking a painter to paint a building in London without knowing which building and what type of paint. There are a lot of variables and these can only be fleshed out via a scoping conversation with one of our test team leaders.
- How do we know you are any good?
For the first engagement this is always a worry for clients. We are a CREST member company with a number of OSCP and OSCE qualified staff. Our engineers have a wide variety of experience covering multiple disciplines. Have a look at our testimonials to see what our clients think. But the main thing is we actually care about our clients and their security.
- When do you issue the certificate?
We typically issue the certificate after we perform the re-test, if included. This allows you to fix any issues we identify in the initial penetration test.
- Can I talk to a tester regarding my test and re-test results?
Of course, we positively encourage you to contact us if you have any questions about your testing results, if you need pointers for fix or any explanation of the findings.