Web Application Penetration Testing

Spider Sec Ltd offers Web Application Penetration Testing services which are designed to provide assurances that your web application has been designed and configured in line with industry best practices.

What is Web Application Penetration Testing?

Web Application Penetration Testing, also known as Web Application Security Testing, identifies and addresses vulnerabilities which may be present in an organisation's web application. Spider Sec's consultants follow industry-standard methodologies to discover vulnerabilities which may have been introduced in the web app's code, server configuration or business logic flow.

Vulnerabilities are presented back to clients in a reporting document which will include risk ratings, potential attack scenarios and remediation steps.

Brief overview of a standard test:
  • Insecure SSL configurations.
  • Injection flaws.
  • Authentication weaknesses.
  • Poor session management.
  • Broken access controls.
  • Misconfigurations of the web server and database.
  • Input validation problems.
  • Flaws in application business logic.

Key Benefits of a Web Application Penetration Test

A web application is the digital storefront of most businesses and, as a result, is heavily exposed to the internet. Attackers will usually target web applications first, as they are accessible from anywhere in the world and access to them is less restricted than to other network devices owned by a business. Web applications can contain a number of moving parts that can be vulnerable to attack, and they often hold ‘user data’ which attackers are interested in obtaining.

A Web App Penetration Test will help our clients:
  • Comply with GDPR and other regulatory requirements which call for regular penetration testing.
  • Provide evidence to your clients or supply chain that your organisation takes proactive steps towards securing its data.
  • Develop in-house security awareness of common vulnerabilities among developers, making them proactive in securing their future applications.
  • Reduce the risk of being successfully attacked by cyber criminals.

Our methodology

Our consultants all hold at least a CHECK Team Member or OSCP certification. We follow the industry-standard OWASP Top 10 web application testing methodology and OSSTMM. Alongside these, we use our own in-house methodologies which have been tried and tested throughout our careers.

Case Study

To demonstrate how our own methods go further than others, please see the following blog posts, in which we went beyond simply running scanners such as WPScan against a client's WordPress site. During that engagement the scanner reported that all plugins were up to date and returned 0 vulnerabilities. Rather than stopping there, we spun up our own lab and went in search of 0-days in the installed plugins. Because we genuinely care about our clients' security, we are willing to go above and beyond the standard methodologies to secure the web.

Penetration Testing Engagement Process

Scoping

Spider Sec has tried to make the scoping process as easy as possible. We have created a quoting form which prices your project based on your requirements. If you are happy with the quote, send it to us and we will send over our authorisation forms and statement of work (SOW) to be filled out. We will then schedule the engagement and ensure all prerequisites are in order.

Engagement

On the scheduled date you will receive an email before the penetration test begins. During the engagement, if any high or critical risk vulnerabilities are discovered you will be informed as soon as possible.

Reporting

Once the engagement is completed, we will write up our findings in an easy-to-digest report with remediation steps and risk ratings.

Retest

After you have digested the report, if you wish to book a retest please let us know. We are happy to retest high and critical risk vulnerabilities free of charge.