Web pentest – Web security audit


A Web platform penetration test assesses the security of the server configuration and of the application software (Web applications and APIs).


Aim of a Web pentest

Web applications are always a particularly vulnerable part of information systems, because of their exposure to attacks and the lack of security awareness among development staff observed in many companies.

The purpose of a Web pentest is to assess the robustness of your Web platform: servers, front/back office applications, Web services and APIs. The result is an operational report that enables developers to correct the identified security flaws. For publishers of solutions who need deliverables to provide for their clients, Vaadata can provide a second report certifying that the security flaws have been corrected.

The scope of a Web security audit is to be defined according to the desired aim:

  • What must be included in the pentest, and what must be excluded from it? (Web application, APIs, third-party services, showcase site, etc.)
  • What is the required level of detail: search for so-called major vulnerabilities or search for all vulnerabilities?
  • What is the level of risk to be tested: test only external attacks (black box test) or also attacks from a user account (grey box test)?
  • Must certain types of specific tests be incorporated? (social engineering, etc.)


Stages of a Web security audit

The first stage is the definition of the scope of the pentest. During this essential stage, the pentesters are briefed on the objectives of the audit, the elements to include in the pentest, the conditions of the pentest, and the client’s particular requests.

During the audit preparation phase, the technical conditions are set up: choosing dates, setting up the target, forwarding information and creating test accounts if necessary, and validating the communication plan to follow in the event of an emergency.

At the start of the audit, the pentest team contacts the technical team responsible for the Web platform to be audited. In most cases, the pentesters perform the audit from Vaadata’s offices. The results are returned only when the audit is completed, unless the client specifically requests otherwise (choice of a real-time reporting option).


Pentesting a Web application

Vaadata looks for vulnerabilities related to features, implementation and use of third-party components, the server and its various services, security configurations, and so on.

Tests may focus only on technical elements or may also include social engineering.

Testing Web servers

Penetration tests of Web servers focus on finding vulnerabilities specific to the configuration of the infrastructure that hosts the services.
The most typical vulnerabilities are:

  • Open and poorly protected services
  • Outdated software (operating system, FTP server, etc.)
  • Security elements that can be bypassed
  • Configuration errors

Testing the application layer

Penetration testing of the application layer accounts for most of the audit.

The most common security flaws are:

  • Injection flaws (notably SQL and commands);
  • Broken authentication and session management;
  • Exposure of sensitive data;
  • Lack of access control;
  • Cross-Site Scripting (XSS);
  • etc.

The application pentest covers both technical flaws and logic flaws (related to the workflow). A logic flaw exists when the normal operation of an application, a step in its logic, or the intended process can be bypassed or evaded.

Injection flaws

Among injection flaws, SQL injection (SQLi) is the best known. An SQL injection flaw allows an attacker to interact with the application's database through queries the application was never intended to issue.

However, many other types of injection are possible: XPath, HTML, command and log injection, among others. Exploiting an injection flaw can lead to data loss, denial of service, or even a takeover of the system, so the impact of these vulnerabilities can be severe.


Server Side Request Forgery - SSRF

An SSRF is a type of vulnerability that allows an attacker to abuse a server's functionality in order to access or manipulate information that would otherwise not be directly reachable from the attacker's position.

This ability to make the server send requests to other systems lets the attacker use the target server as a proxy, against external targets or even internal ones, which then lose the protection the network layout would otherwise give them.
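As an added, defender-side illustration of the point above (not code from Vaadata or from the original page), the following check validates a user-supplied URL before a server fetches it: it enforces an allow-list of hosts and, after resolving the name, refuses any address in loopback, link-local, private or multicast ranges, so the server cannot be turned into a proxy towards internal targets. The allow-list, the DNS answers and the resolver stand-in are constructed assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the server may fetch on behalf of users
# (an assumption for this example, not any real configuration).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed DNS answers so the check runs offline (not real records);
# "cdn.example.com" deliberately points at loopback to show a rebinding case.
FAKE_DNS = {"api.example.com": ["93.184.216.34"], "cdn.example.com": ["127.0.0.1"]}


def fake_resolver(host, port):
    """Stand-in for socket.getaddrinfo returning the constructed records."""
    if host not in FAKE_DNS:
        raise OSError(f"unknown host {host}")
    return [(None, None, None, "", (ip, port)) for ip in FAKE_DNS[host]]


def is_public_ip(ip: str) -> bool:
    """Only globally routable unicast addresses pass: loopback, link-local,
    private and multicast ranges are exactly the internal targets an SSRF reaches."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def check_outbound_url(url: str, resolver=socket.getaddrinfo):
    """Validate a user-supplied URL before the server requests it.
    Returns (allowed, reason); `resolver` is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {parts.hostname}"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(parts.hostname, port)
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve target: {exc}"
    # Every resolved address must be public: an allow-listed name that
    # resolves to 127.0.0.1 or 10.0.0.0/8 would still proxy the request inward.
    for info in infos:
        if not is_public_ip(info[4][0]):
            return False, f"{parts.hostname} resolves to non-public {info[4][0]}"
    return True, "ok"
```

In production the check must be applied to every redirect hop as well, since a permitted host can redirect the server to an internal address.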


Focus on denial of service (DoS)

The pentest may or may not include denial of service (DoS) attacks, depending on your preference.
What is the point of this type of test? It identifies vulnerabilities that may be related to the configuration of the server or to the application itself. In both cases, the solutions depend on your technical team, and not on the choice of hosting.

Vaadata excludes distributed denial of service (DDoS) attacks from pentesting, because both the problem and its solution depend mainly on the resources available on the attacking side and on the attacked side.


Key numbers

Malware and Web-based attacks continue to be the most expensive attack types.
2019 The Cost of Cybercrime. Ponemon Institute. (p. 17).

+56%

Web attacks on endpoints increased by 56% in 2018.
2019 Internet Security Threat Report. Symantec. (p. 47)

+23%

API vulnerabilities increased by 23% between 2017 and 2018.
The State of Web Application Vulnerabilities in 2018. Imperva.

Our range of pentests

We cover a wide technical scope, with specific tests for each type of target. The exact area to which the pentest is applied is to be defined directly according to your security priorities, or after a reconnaissance audit phase for identifying the parts that are most at risk from the viewpoint of an attacker.
