Web apps penetration tests

Web applications are the most widespread, the most actively developed, and the most vulnerable type of application. Nowadays, browser-based applications are the usual way to conduct all kinds of activities.

Therefore, the security of data processed in web applications is critical not only for business but also for the public sector.

OWASP Top 10 - but what is it all about?

The whole Internet is buzzing about OWASP. People write about it, quote it, point to it, and the term appears in public tenders, but what actually is OWASP and what is the point of it?

The Open Web Application Security Project® (OWASP) is a non-profit foundation that works to improve software security. With community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading education and training conferences, the OWASP Foundation is a resource for developers and technologists on web security.

OWASP Top Ten is one of the foundation's projects; you can find its details here.

Penetration tests based on OWASP Top Ten

Keep in mind that the priorities and even the scope of the project change once a year, so take that into account when defining the scope of the test.

We perform tests whose scope has been defined in the project, but we always agree the exact scope with the Client. Our Customers often expect tests that are compliant with OWASP Top Ten, which always requires specifying the scope of the tests so that we know the actual needs.

It is also important to note that the scope defined in the Top Ten project does not exhaust what can be covered during penetration testing; it only identifies the ten most critical and most common risks in web applications.

Methodologies we use

We conduct testing according to the following methodologies:

  • P-PEN of the Wojskowa Akademia Techniczna (Military University of Technology) – places strong emphasis on how the test and the work are organized. The P-PEN methodology was formulated to achieve the following goals:
    • Leaving experts the freedom to act while placing their actions in a strict formal framework;
    • Describing the procedure of the penetration testing project as formally as possible;
    • Ensuring full documentation of the contractors' conduct during the tests.
  • Methodology for Penetration Testing – by one of the world leaders in conducting commercial penetration tests, Offensive Security – a method that focuses on purely technical aspects, combining the realities and requirements of the military sector with the requirements prevailing on the commercial market. The essence of tests conducted according to Offensive Security's recommendations is maximizing the effort put into conducting the penetration test while rationalizing the work involved in producing the lists that enable risk assessment.
  • Application Security Verification Standard 3.0.1 recommendations – provides a standard for application security verification and a list of compliance components for verifying compliance with the recommendations. The standard focuses on standardizing the functional and non-functional security requirements needed during the design, development and testing of modern web applications. The standard also includes Common Weakness Enumeration (CWE) references, which can be used to identify information such as the probability and consequences of successful exploitation of a vulnerability.
  • NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment – a periodically updated testing methodology of the United States National Institute of Standards and Technology.

The methods presented above complement each other well, covering the organizational, technical and management areas.

Who conducts penetration testing?

Penetration tests are performed manually by pentesters, assisted only by penetration test automation tools. This is because automated tools report many false positives and test the application very superficially. At the current state of technology, only a human is able to test an application properly. Several of us already have several years of experience in pentesting (not necessarily professional, but related to security testing) and the rest are simply great professionals, as our customers will confirm.

Benefits of conducting pentests

With web application pentests:

  • You minimize the risk of data leakage, and thus penalties under the GDPR (RODO), loss of reputation and loss of customers,
  • You have proof of business integrity in the event of an audit,
  • You educate developers and testers,
  • You gain the opinion of an external party, which will always be more credible when it comes to conducting penetration testing.