Web Application Testing Buying Guide
Web Application Testing is another service often provided by an Ethical Hacker. I wanted to put together a primer that you can use as a reference in case you ever need this type of service. We of course provide this at Topgallant, and I wanted to make sure that when someone is looking for this type of service they don’t get duped. This is short and sweet.
Web Application Testing Basics
Performing Web Application Testing for exploits and vulnerabilities on your internal and external web apps is critical to a secure infrastructure. Web Application Penetration Testing and Web Application Vulnerability Testing should follow the Open Web Application Security Project (OWASP) framework as the baseline testing outline.
Commonly known as the OWASP Top 10 Vulnerabilities, these are the Web Application Tests a good Penetration Testing Company should perform. I will provide explanations in articles to follow, but for now let’s just stay on the basics.
- Unvalidated Input
- Insecure Configuration Management
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting
- Buffer Overflow
- SQL Injection Flaws
- Misc Injections
- Improper Error Handling
- Insecure Storage
- Application Denial of Service
- Access Control In J2EE Applications
- Application Backdoors
- Privilege Escalation
Manual and Open Source Tools
The Penetration Tester should be using manual techniques and open-source tools such as:
- Metasploit Framework
- Kali Linux
- w3af (Web Application Attack and Audit Framework)
- Burp Suite
- WebScarab
Other Factors to Consider
I would also consider other factors, namely getting the developers involved, since they are the ones responsible for these problems in the first place. Many times a developer will try to isolate himself from the problem by claiming he is not responsible for security, or that it is a server-level or network-level issue, but it isn’t. So make sure they are involved throughout the process. Ideally they should be testing for this type of thing during the development phase.
So if you need help doing this sort of thing, give us a call at 1-844-9PENTEST (844-973-6837) or email firstname.lastname@example.org for more information.