The Web Application Assessment is designed to test a web application or web service for security vulnerabilities. The assessment covers every aspect of the application's logic and its implementation. The methodology follows the good practices of the OWASP Testing Guide (www.owasp.org), which some of our consultants have co-authored and which has become one of the international de-facto standards for the security testing of web applications.
The test team combines automated and manual testing, using both commercial and open source tools. Where necessary, the team will write tools on the fly, such as web service clients, SQL injection scripts and whatever else is needed, to make sure each aspect of an attack is tested to the fullest extent possible.
The following vulnerability categories are examined during a web application assessment (this list is not exhaustive):
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Code Injection
- XPath Injection
- LDAP Injection
- File Inclusion
- Code Execution
- Directory Traversal
- Script Source Code Disclosure
- CRLF Injection
- Cross Frame Scripting (XFS)
- Internal Path Disclosures
- Cookie Manipulation
- Arbitrary File creation/modification/deletion
- Email Injection
- URL redirection
Graphical representation of our internal methodology
Please find below a graphical representation of our internal methodology when performing a web application assessment.