Web Application Penetration Testing
Highly trained and certified penetration testing team
Proven penetration testing methodology
Includes retest option to validate your fix actions
Clear & concise reports with prioritized, actionable items
Are your web applications secure? We can validate this for you with a Web Application Penetration Test (Black and Gray Box). Web applications are the most frequently attacked items on the Internet and are often the most insecure.
We emulate an attacker by utilising similar techniques to perform reconnaissance, identify vulnerabilities, and break into your systems. Unlike an attacker, however, we stop our test before exposing sensitive data or doing harm to your environment.
With the Black Box Penetration Test, this means we have unauthenticated access and have little prior knowledge, except the URLs, about the systems in scope. We will also perform a Gray Box Penetration Test of each system, as applicable, after the Black Box Penetration Test. With a Gray Box Penetration Test, we have "user" level knowledge about the application and Standard user access to the Web Application. A Gray Box Penetration Test is used to test an application that supports multiple users by testing authenticated user access to ensure a user on an application cannot access another user's data or escalate their privileges. We log on to the application as that user and perform testing to see if we can perform any of the following:
Horizontal Privilege Escalation: Where an authenticated user can access another user's data. An example of horizontal privilege escalation is a bank application, where an authenticated user's account number shows up in a URL. If I can change the account number in the URL to another account number and access another user's banking information, I've just performed a horizontal privilege escalation.
Vertical Privilege Escalation: Where an authenticated user can escalate privileges to an administrator-level account. An example of this is a web application that has a value representing the username in a hidden field that is returned after successful authentication. If we changed the value from 'username' to 'root' or 'administrator' and passed this back to the web application server and it provided us admin access this would vertical privilege escalation.
OWASP Top 10 Testing
We ensure our testing covers the latest Open Web Application Security Project (OWASP) Top 10, along with the following:
External / out-of-band interaction
HTTP header injection
XML / SOAP injection
SQL injection (Blind, Inference, Classic, Compounded)
OS command injection (Informed, Blind)
Server-side code injection
Server-side template injection
Reflected DOM issues
Stored DOM issues
File path traversal / manipulation
Web Application Penetration Testing with Hedgehog
We think it is better to have an ethical hacker find the holes into your enterprise than an adversary. Our Web Application Penetration Testing Services provides details on exploitable web vulnerabilities in a prioritized, tangible manner. Our report allows you to better understand what your web server or web application looks like from an attackers perspective; for example, what the "attack surface" looks like. This helps you prioritize efforts to mitigate risk and to reduce the likelihood of a security breach.
Not only do our Web Application Penetration Testing Services show you what your attack surface looks like to an adversary, but they can be used as a safe way to test your organisation's incident response capabilities. Our Penetration Testing services can also be used to tune and test your security controls, such as your IDS, Firewall, Web Application Firewall (WAF), Router Access Control Lists (ACLs), etc.
Our Web Application Penetration Testing services also help you meet compliance audit requirements such as HIPAA, PCI-DSS, and NIST.
Web Application Penetration Test report
The Penetration Test Report includes the URLs and IP addresses tested, reconnaissance (discovery) information, vulnerabilities discovered, steps taken during the assessment, exploitable areas, and prioritized recommendations. For any systems we are able to exploit, an Issue Detail section is used to discuss step-by-step the process we used to gain access, escalate privileges, etc.
Penetration Test Report Findings Review
We schedule either an in-person or online session with you where we walk through the report with your team and answer any questions about the findings, our methods, or the steps required for remediation. Many competitors deliver a confusing lengthy report at the end of the engagement for you to decipher. Our penetration test report review adds tremendous value because we can clarify findings and remediation steps.
How do you know the steps you took to fix our penetration test report findings actually worked? Validation removes the guesswork. When you're ready, after fixing the issues identified in the penetration test report, we offer a free re-test of those identified vulnerabilities. This is a crucial and often overlooked step in this process. Validating security controls, patches, and other fix actions is extremely important. We have discovered numerous organisations that thought they fixed a finding we identified, only to discover after a retest that the finding was still there.
Certificate of Attestation
The attestation letter serves as record of us performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your organisation, to show proof that a security assessment was performed and to highlight test results.