Home » Insight » Web app pentest provider and what they do

Web app pentest provider and what they do

IT security testing is one of our main services. We have many years of experience in cyber security testing and so far we have conducted several hundred penetration tests for many well-known international organizations to institutions and various types of enterprises that form part of the critical infrastructure.

Pentests are penetration security tests that allow to verify the security of systems and applications and identify their weaknesses. They are based on the simulation of a hacker attack, allowing to verify the quality of security and to find gaps in the security of networks, systems, mobile apps, web application, as well as desktop applications.

Our pentesting experts are top-class professionals with extensive experience gained while working for companies with an international reach. It should be noted that we take our work extremely seriously, and therefore while working for our clients we always work according to internationally recognized standards and methodology:

  • ISO 27000;
  • PCI DSS;
  • OSSTM Manual;
  • ISSAF;
  • NIST;
  • SANS Information Security Reading Room;
  • The Social Engineering Framework.

And also good IT security practices. Among the most important of these we can include:

  • Pentester cares about the security and privacy of captured data;
  • Pentester notifies designated individuals as to when work will commence and when it will be completed;
  • Pen tester conducts penetration tests on every assignment first without any authorization, even if it has one before the tests begin;
  • Pentester uses tools in the course of its work so as not to cause damage to the tested environment;
  • In the case of penetration tests that may cause possible damage to the system operation or its immobilization, Pentester performs them with the prior consent of the Customer;
  • Pentester always operates in compliance with applicable local laws.

Although traditional firewalls and other network security controls are an important layer of information security management, they cannot protect against or prevent many of the attack vectors specific to Web applications. It is very important for an organization to make sure that its Web applications are not susceptible to common types of attacks.

Best online practices suggest that an organization should perform web application testing in addition to regularly auditing the company’s information security to ensure that its data is safe and the company’s infrastructure is not compromised.

During a web pentest, the web applications and also associated web services/API’s are examined for possible vulnerabilities. Our experts examine the frontend, the backend, the databases, and possible interfaces for vulnerabilities.

The website can be examined with insight into the source code/specification (black box testing), as well as without insight (white box testing). To identify vulnerabilities, we rely on both manual analysis and automated scans. This combination allows us to identify both general and very specific vulnerabilities.

Security experts usually hold the most important and toughest certifications in the field of IT security: Offensive Security Web Expert certification (OSWE) as well as Offensive Security Certified Professional (OSCP).

In a web pentest, the first step is to try to “understand” the applications. For this purpose, various information about the application is obtained. Different entry points for various attacks are identified and targeted. Various smaller vulnerabilities in an application can be combined into a so-called “kill chain” to enable remote code execution and thus cause the greatest possible damage.

    Human


    * We guarantee maximum privacy of your personal data

    Scope of performed penetration tests audits

    In order to provide a comprehensive assessment of IT platform security, we perform penetration tests and simulations:

    • Advanced manual penetration tests with the use of specialized tools; white-box, gray-box, and black-box techniques;
    • State analysis of input and output data;
    • In-depth tests reflecting a real attack, usually related to the security of IT infrastructure as a whole, including the use of social engineering;
    • Performance tests verifying vulnerability to DDoS class threats;
    • Automated “fuzz” tests revealing vulnerabilities such as local dos, memory leak, application termination (crash);
    • Penetration tests of mobile applications and back-end instances (API);
    • Security audit of service configuration, such as application servers, databases, or operating systems;
    • Penetration tests of wireless networks and verification of network segmentation;
    • Access rights management and privilege separation verification;

    We also perform attempts to:

    • Enumeration and exploitation of known vulnerabilities to gain unauthorized access;
    • Impersonating a user/administrator and gaining unauthorized access to the system;
    • Block/allow access to the System to all or selected users;
    • Obtaining unauthorized access to data processed in the System or external clients;
    • Performing unauthorized modification/deletion of information in the system.

    Types of penetration tests

    Black-box penetration tests are characterized by the execution of tests by a team that is not provided with information about the tested system. It is in the contractor’s interest to obtain as much information about the tested system or network as possible, in order to make the most effective use of that data during test execution. A black-box scenario usually involves imitating behavior typical of an external attacker, who has no access and no information about the test subject.

    Gray-box penetration tests involve providing the audit team with partial information or access to a specific system or network. An example of such actions is passing authorization data to an application or access to the tested network to the testing team, in order to verify the security of the entity in a wider scope; such a scenario can be treated as a case when an external attacker gains the mentioned information on his own.

    White-box penetration tests are the most elementary type of testing. The testing team is fully informed about the target of the test, providing such information as infrastructure diagrams, source codes of applications, detailed data on individual systems, etc. Based on the provided data, it is possible to precisely and completely determine the attack vectors; this type of testing simulates an attack coming from inside the organization.

    Cost of penetration tests

    Price of penetration testing may vary depending on the scope of work, its complexity, and time consumption. If you are interested in a detailed quote, please contact us using our form, e-mail or telephone.

    Leave a Reply

    Your email address will not be published. Required fields are marked *