WEB APPLICATION VULNERABILITY AND PENETRATION ASSESSMENTS
Penetration testing of applications is a hybrid security test that aims to uncover security vulnerabilities at the application layer. Common classes of vulnerability discovered include SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF). This type of test has a high manual component, approximately 70%, and the testers build custom threat profiles to discover contextual security vulnerabilities that are specific to the application.
Application level assessments are categorized into two distinct classes:
- Web application assessments. Those that are served by a web server and presented through a browser. Our methodology for assessing web applications is closely aligned with industry-accepted OWASP (Open Web Application Security Project) guidance.
- Thick client/server applications. Those delivered as software that is installed or executed on the client rather than rendered in a browser.
Both types of assessment follow the same high-level methodology:
Figure: Application Level Assessment Approach
Application assessments are commonly performed from the perspective of one or more of the following scenarios:
- No knowledge. Commonly referred to as black box testing, this simulates an attacker without any knowledge of the application or its associated environment.
- Some knowledge. Commonly referred to as grey box testing, this simulates an attacker with partial knowledge (for example an application user, and/or someone who understands how the application works).
- Full knowledge. Using a white box testing approach, this simulates an attacker with full knowledge about the application, associated environment, and with access to the source code (perhaps a disgruntled application developer).