Pentest Web Applications

Protect your web applications

What are entry points for attackers?

Web applications are an essential part of our daily work. Applications, whether bought or developed in-house, are often used to process sensitive data and are usually accessible to many people inside and outside of your organization. In the event of a successful attack, hackers can therefore compromise company secrets, passwords and customer data, and even take over the web application server. This turns web applications into popular targets for attackers.

During our web application pentest, our security analysts comprehensively analyze your web application and identify possible entry points for attackers.

Common vulnerabilities include:

  • Client-side attacks that inject malicious code into users' browser sessions or forge requests on their behalf (cross-site scripting, cross-site request forgery)
  • Unauthorized escalation of user privileges
  • Attacks on the underlying IT system, from reading server-side files to executing arbitrary commands (remote code execution, XML external entity injection)

What is our approach to Web Application Pentests?

Our pentests are conducted according to a standardized approach, which is enhanced by specific aspects for web application pentests:

Our security analysts attempt to gain unauthorized access to confidential information and the underlying systems during our application level pentests. We base our analyses on the current version of the OWASP Testing Guide and test for the most common security vulnerabilities in web applications according to OWASP (OWASP Top 10).

Self-service registration is a popular entry point for attackers: if anyone can create an account, anyone can reach the authenticated parts of your application. In such cases we recommend testing the application in an authenticated manner as well. For this scenario we additionally test the functionality of the authenticated areas with user accounts that you provide.

Web applications are constantly becoming more powerful and complex, making it more difficult to detect potential security vulnerabilities. In our web app pentests, my colleagues and I therefore combine state-of-the-art techniques with many years of experience and a permanent eye on the current threat situation.

Gerbert Roitburd

Senior Consultant IT Security

What checks are included?

These checks are included in the application-level pentests:

  • Fingerprinting the application, mapping its attack surface and collecting information using manual and automated analysis procedures
  • Automated scanning of the web application using a state-of-the-art vulnerability scanner
  • Attack scenarios based on the combination of multiple identified vulnerabilities
  • Manual verification, e.g. by:
    • Hijacking of user accounts
    • Analyzing the filtering of passed parameters
    • Bypassing the authentication logic or authorization logic
    • Checking the file upload functionality
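As an added illustration of the file-upload check named in the list above (this is example code written for this page, not usd's own tooling), the validator below is written around the probes a pentester typically sends: a double extension such as shell.php.png, a path-traversal filename, a NUL byte that truncates the name on some platforms, a script renamed to .png, and a script hidden inside a real image header. The allowlist, size cap and magic-byte table are assumptions for the example; the probe payloads are constructed inline. A rejected probe corresponds to a finding that would not be raised; an accepted one is exactly what the manual check looks for.

```python
"""Hardened file-upload validator with the probes it must reject.
Added example for this page; ALLOWED_EXTENSIONS, MAX_SIZE and MAGIC are
assumed values, not taken from any real application."""
from typing import Dict, Tuple

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}   # assumed allowlist
MAX_SIZE = 5 * 1024 * 1024                           # assumed 5 MiB cap

# Leading bytes that must match the claimed extension. The check is on
# the content, never on the client-supplied Content-Type header.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one uploaded file."""
    # 1. Filename must be a bare name: no NUL, no directory separators.
    if "\x00" in filename:
        return False, "NUL byte in filename"
    if "/" in filename or "\\" in filename:
        return False, "directory separator in filename"
    # 2. Exactly one extension, compared case-insensitively against the
    #    allowlist. Splitting on every dot rejects shell.php.png and
    #    shell.png.php alike, which a naive endswith() check would pass.
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not allowed" % ext
    # 3. Size bounds.
    if not data or len(data) > MAX_SIZE:
        return False, "empty or oversized file"
    # 4. Content must carry the signature of the claimed type.
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not match extension"
    # 5. Script markers inside an otherwise valid image are a red flag
    #    for polyglot uploads aimed at a misconfigured interpreter.
    if b"<?php" in data or b"<%" in data:
        return False, "script marker inside file"
    return True, "ok"


# Constructed probes: filename -> (content, should_be_accepted)
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PROBES: Dict[str, Tuple[bytes, bool]] = {
    "photo.png": (PNG_HEADER + b"\x00" * 32, True),
    "shell.php.png": (PNG_HEADER, False),                  # double extension
    "../../var/www/html/x.png": (PNG_HEADER, False),        # path traversal
    "shell.php\x00.png": (PNG_HEADER, False),              # NUL truncation
    "shell.png": (b"<?php system($_GET['c']); ?>", False),  # renamed script
    "avatar.jpg": (b"\xff\xd8\xff\xe0<?php echo 1;?>", False),  # polyglot
    ".htaccess": (b"AddType application/x-httpd-php .png", False),
}


def run_probes() -> Dict[str, bool]:
    """Run every probe and return filename -> accepted."""
    return {name: validate_upload(name, data)[0] for name, (data, _) in PROBES.items()}


if __name__ == "__main__":
    for name, (data, expected) in PROBES.items():
        accepted, reason = validate_upload(name, data)
        print("%-28s accepted=%-5s expected=%-5s %s" % (name, accepted, expected, reason))
```

When reviewing a real upload handler, also check what happens after validation: the stored path must be built from a server-generated name rather than the client's, and the upload directory must not be served with an interpreter attached.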

Depending on the programming language, we optionally perform code reviews for critical applications. Here we analyze the source code for security vulnerabilities, which allows a far more in-depth analysis than black-box testing alone. In addition, we check compliance with recognized secure coding guidelines and best practices.

Are your systems protected against attackers?

We are happy to discuss your options for analyzing your application by our security analysts. Feel free to contact us.

More Insights

Pentest: Our standardized approach

Pentest: Your benefits at a glance

Contact

Please contact us with any questions or queries.

Phone: +49 6102 8631-190
Email: sales@usd.de


Daniel Heyne
usd Team Lead Sales,
Security Consultant Pentest, OSCP, OSCE