Blog Post:

Web Application Penetration Testing and WASC Threat Classification

VAPT
5
Feb 2019

Web Application Penetration Testing and WASC Threat Classification

Tuesday, February 5, 2019

Web application penetration testing is an interesting area to ponder on. In spite of many tools, techniques and approaches around; there are few fundamental things we look in to in our penetration testing engagements.

Whether its black box test or a grey box test, a manual and automated check along with business logic check is essential. We use this hybrid model for web application security penetration testing which is an intelligent combination of automated and manual scanning.

We typically use our proprietary scripts (python urllib mostly) along with bunch commercial and open source tools like Burp Suite, Paros and many others to perform vulnerability assessment and penetration testing and application. Based on how far we could penetrate in, we often augment this test with other tools like Rapid7, Nessus, NMAP, Acunetix, Hping2, Icmpscan, Wireshark, Testssl script, TSCRACK etc.

We cant emphasis highly enough on the fact that testing against WASC Threat Classification is essential.

Our Mobile App pentest supports applications on iOS and Android primarily and Windows in specific cases. It also supports all types of applications be it native, mobile web or HTML5. Below outlines some of our guidelines when it comes to mobile app pentest.


Hybrid Mobile Application Security:

Its is a powerful, high tech combination of automated application scanning and manual penetration testing, giving a complete and in-depth security assessment for all types of mobile applications.

Gain Risk Visibility:

Detailed insightful reports with remediation guidelines of application vulnerabilities are shared, giving you a complete view of the risks the application is exposed to.


Improve and Increase Business Efficiency:

Secure mobile applications help in minimizing productivity losses, enabling organizations to host their most productive applications onto mobile devices, gives users flexibility and enhancing business efficiency.

Strengthen Brand Reputation:

Safe and secure apps help strengthen brand reputation immensely, as users know that they can always rely on a secure mobile computing environment to conduct business through these applications.

On Demand, Hybrid Mobile Application Penetration Testin

Our Mobile Pentest provides a complete security assessment of threats that can be potentially exploited in mobile applications using a combination of software tools and manual security intelligence.

Memory Analysis

Intensive memory analysis is undertaken by extracting data stored on the device by any application. This includes SQLite database analysis as well as cryptanalysis attacks.


Log Analysis

Analyze logs for sensitive information stored by any application like login credentials, personal information etc


Layer 7 Attacks Assessment

  1. Business logic checks and session related attacks.
  2. Privilege escalation and authentication related checks.
  3. Intercept and manipulate Layer 7 traffic to bypass implemented controls.


Logical Vulnerabilities Detection

In-depth testing of the mobile application's business logic is conducted by security experts to check for complex vulnerabilities.


Insecure permissions detection

All permissions are checked and verified to ensure that unwanted permissions do not exist in the application, which could result in unauthorized access and misuse of sensitive data.


Remediation Guidance

Detailed remediation recommendation and guidance will be provided as part of the report.


Deliverable of our pentest exercise will be a detailed report which will contain test plan, safe/unsafe labels, findings description, findings recommendation/solution, reference links for specific findings, step-by-step PoC with screenshots along with severity for each vulnerabilities identified.

Reach out to our team if you would like to know more.

Posted on:

Tuesday, February 5, 2019

in

VAPT

category