Spider Sec Ltd offers Web Application Penetration Testing services which are designed to provide assurances that your web application has been designed and configured in line with industry best practices.
What is Web Application Penetration Testing?
Web Application Penetration Testing, also know known as Web Application Security Testing, identifies and addresses vulnerabilities which may be present inside an organisations web application. Spider Sec’s consultants will follow industry-standard methodologies to discover vulnerabilities which may have been introduced into the web apps code, server configurations or business logic flow.
Vulnerabilities are presented back to clients in a reporting document which will include risk ratings, potential attack scenarios and remediation steps.
Brief Overview of a standard Test:
Key Benefits Of A Web Application Penetration Test?
A Web Application is the digital storefront of most businesses, as a result, they are heavily exposed to the internet. Attackers will usually target web applications first as they are accessible from anywhere in the world and access is less restrictive than other network devices owned by a business. Web applications can contain a number of moving parts that can be vulnerable to attack and often contain ‘user data’ which attackers are interested in obtaining.
A Web App Penetration Test will help our clients:
To demonstrate how our own methods deviate from others please see the following blog posts, wherein we went beyond just using scanners such as WPscan against our clients’ WordPress site. During the engagement when the scanner returned data telling us all plugins were up to date and reported 0 vulnerabilities. We spun up our own lab and went in search of 0 days inside their installed plugins. Because we genuinely care about our clients’ security; we willing to go above and beyond the standard methodologies to secure the web.
Penetration Testing Engagement Process
Registration Magic Version 18.104.22.168 (Multiple XSS Vulnerabilities) Background After discovering two new WordPress Plugin vulnerabilities on a recent web application penetration test (which were authenticated and difficult to weaponise) I decided to go in search for some higher ticket WordPress Plugin vulnerabilities in my spare time. I started downloading registration form and forum building plugins, […]Read More
Registration Magic Version 22.214.171.124 Authenticated Blind SQL Injection in URL Background If you still haven’t read the preface to this discovery please take a look here. Technical Details Authenticated SQL Injection in Form_id field The form_id field takes input from a number of in the front end and processes it on […]Read More
Calculated Fields Form WP Plugin (Version <= 1.0.353) Multiple Authenticated Stored XSS Background The Calculated Fields Form plugin through 1.0.353 for WordPress suffers from multiple Stored XSS vulnerabilities present in the input forms. These Calculated Fields Form vulnerabilities were discovered during a web application penetration test by a Spider Sec Ltd Consultant. Technical Details An […]Read More
Chained Quiz WP Plugin Unauthenticated Reflected XSS (Version 126.96.36.199) Background During a web application penetration testing engagement, we discovered our client was using the Chained Quiz Plugin to serve quizzes on the front-end of their site. A quick analysis using WPscan uncovered several historic Chained Quiz Vulnerabilities which had been disclosed in previous versions. As […]Read More