Spider Sec Ltd offers Web Application Penetration Testing services which are designed to provide assurances that your web application has been designed and configured in line with industry best practices.
What is Web Application Penetration Testing?
Web Application Penetration Testing, also known as Web Application Security Testing, identifies vulnerabilities in an organisation's web application and sets out how to address them. Spider Sec's consultants follow industry-standard methodologies to discover vulnerabilities that may have been introduced into the web application's code, server configuration or business logic.
Vulnerabilities are presented back to clients in a report that includes risk ratings, potential attack scenarios and remediation steps.
Brief Overview of a standard Test:
Key Benefits of a Web Application Penetration Test
A web application is the digital storefront of most businesses and, as a result, is heavily exposed to the internet. Attackers will usually target web applications first because they are reachable from anywhere in the world and access to them is less restricted than access to the other network devices a business owns. Web applications contain a number of moving parts that can be vulnerable to attack, and they often hold the user data that attackers are interested in obtaining.
A Web App Penetration Test will help our clients:
To demonstrate how our own methods differ from others, please see the following blog posts, in which we went beyond simply running scanners such as WPScan against a client's WordPress site. During the engagement the scanner reported that all plugins were up to date and that there were 0 vulnerabilities. Rather than stop there, we spun up our own lab and went in search of 0-days in the plugins the client had installed. Because we genuinely care about our clients' security, we are willing to go above and beyond the standard methodologies to secure the web.
Penetration Testing Engagement Process
Authenticated Stored XSS in Ninja Forms Settings Page (Version 3.4.22)
Background: A Spider Sec Ltd consultant discovered an Authenticated Stored XSS vulnerability inside the Ninja Forms WordPress plugin which could allow attackers to hijack administrative cookies if the attack is coupled with a phishing campaign. Technical Details: The following parameters are vulnerable […]
Registration Magic Version 220.127.116.11 (Multiple XSS Vulnerabilities)
Background: After discovering two new WordPress plugin vulnerabilities on a recent web application penetration test (which were authenticated and difficult to weaponise) I decided to go in search of some higher-ticket WordPress plugin vulnerabilities in my spare time. I started downloading registration form and forum building plugins […]
Registration Magic Version 18.104.22.168 Authenticated Blind SQL Injection in URL
Background: If you still haven't read the preface to this discovery, please take a look here. Technical Details: Authenticated SQL Injection in form_id field. The form_id field takes input from a number of in the front end and processes it on […]
Calculated Fields Form WP Plugin (Version <= 1.0.353) Multiple Authenticated Stored XSS
Background: The Calculated Fields Form plugin through 1.0.353 for WordPress suffers from multiple Stored XSS vulnerabilities present in the input forms. These Calculated Fields Form vulnerabilities were discovered during a web application penetration test by a Spider Sec Ltd consultant. Technical Details: An […]