Web Application Penetration Testing

Security Audit Systems offer web application penetration testing services, to help provide your business with additional confidence and advanced computer network defences when combating modern cybercrime. Web application penetration testing is an extremely useful service to businesses that demand the very best in application security assurance. This service is useful to help you identify weaknesses in the web app, web servers and associated databases that store sensitive information. As part of this service we will proactively identify any OWASP top 10 threats that exist in the web application and provide the necessary advice to rectify all the vulnerabilities we discover.

web app penetration testing


Web Application Penetration Testing Methodology

We follow the OWASP web application testing framework, which covers a vast amount of security checks. This includes but is not limited to looking at the following in your web application:

1) Information Gathering (Running tools such as; dig, whois, dnsenum, goofile, DMitry, firewalk, IDS-Detectors and many others)

Rendered Site Review

  • Manually explore the site
  • Spider/crawl for missed or hidden content
  • Check the Webserver Metafiles for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
  • Check the caches of major search engines for publicly accessible sites
  • Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
  • Check The Webpage Comments and Metadata for Information Leakage

Development Review

  • Check The Web Application Framework
  • Perform Web Application Fingerprinting
  • Identify technologies used
  • Identify user roles
  • Identify application entry points
  • Identify client-side code
  • Identify multiple versions/channels (e.g. web, mobile web, mobile app)

Hosting and Platform Review

  • Identify web services
  • Intrusion Detection Systems detection
  • Identify computer / server network defences
  • Identify co-hosted and related applications
  • Identify all hostnames and ports
  • Identify third-party hosted content

2) Configuration Security Testing (Running tools such as; ASPAudit, Powerfuzzer, SQLmap, Skipfish, CMSmap and many others)

  • Check for commonly used application and administrative URLs
  • Check for old, backup and unreferenced files
  • Check HTTP methods supported and Cross Site Tracing (XST)
  • Test file extensions handling
  • Test RIA cross domain policy
  • Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
  • Test for policies (e.g. Flash, Silverlight, robots)
  • Check for intrusion detection systems / IDS / HIDS / HIPS / computer network defence
  • Check for sensitive data in client-side code (e.g. API keys, credentials)

3) Secure Transmission Testing  (Running tools such as; Web Redirect/301 checks, Ngrep, HSTS, Secure Cookie Flag checks)

Protocols and Encryption

  • Check SSL Version, Algorithms, Key length
  • Check for Digital Certificate Validity (Duration, Signature and CN)
  • Check credentials only delivered over HTTPS
  • Check that the login form is delivered over HTTPS
  • Check session tokens only delivered over HTTPS
  • Check if HTTP Strict Transport Security (HSTS) in use
  • Test ability to forge requests
  • Test Web Messaging (HTML5)
  • Check CORS implementation (HTML5)

Web Services and REST

  • Test for Web Service Issues
  • Test REST

4) Authentication Testing (Running tools such as; PowerFuzzer, sfuzz, wfuzz, rainbow tables, brute force checks)

Application Password Functionality

  • Test password quality rules
  • Test remember me functionality
  • Test password reset and/or recovery
  • Test password change process
  • Test CAPTCHA
  • Test multi factor authentication
  • Test for logout functionality presence
  • Test for default logins
  • Test for out-of channel notification of account lockouts and successful password changes
  • Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
  • Test for Weak security question/answer

Additional Authentication Functionality

  • Test for user enumeration
  • Test for authentication bypass
  • Test for brute force protection
  • Test for Credentials Transported over an Encrypted Channel
  • Test for cache management on HTTP (eg Pragma, Expires, Max-age)
  • Test for user-accessible authentication history

5) Session Management Testing (Running tools such as; PowerFuzzer, sfuzz, wfuzz, rainbow tables, dirbuster)

  • Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
  • Check session tokens for cookie flags (httpOnly and secure)
  • Check session cookie scope (path and domain)
  • Check session cookie duration (expires and max-age)
  • Check session termination after a maximum lifetime
  • Check session termination after relative timeout
  • Check session termination after logout
  • Test to see if users can have multiple simultaneous sessions
  • Test session cookies for randomness
  • Confirm that new session tokens are issued on login, role change and logout
  • Test for consistent session management across applications with shared session management
  • Test for session puzzling
  • Test for CSRF and clickjacking

6) Authorisation Testing (Running tools such as; DotDotPwn, Crawlers, unix-privesc, Metasploit)

  • Test for path traversal
  • Test for vertical Access control problems (a.k.a. Privilege Escalation)
  • Test for horizontal Access control problems (between two users at the same privilege level)
  • Test for missing authorisation
  • Test for Insecure Direct Object References

7) Cryptography Security Testing (Running tools such as; SSLyze, TLSSLed, IIS Crypto)

  • Check if data which should be encrypted is not
  • Check for wrong algorithms usage depending on context
  • Check for weak algorithms usage
  • Check for proper use of salting
  • Check for randomness functions

8) Data Input Validation Testing (Running tools such as; SQLMap, fimap, Arachni, XSSer)

  • Injection
    • Test for HTML Injection
    • Test for SQL Injection
    • Test for LDAP Injection
    • Test for ORM Injection
    • Test for XML Injection
    • Test for XXE Injection
    • Test for SSI Injection
    • Test for XPath Injection
    • Test for XQuery Injection
    • Test for IMAP/SMTP Injection
    • Test for Code Injection
    • Test for Expression Language Injection
    • Test for Command Injection
    • Test for NoSQL injection


    • Test for Reflected Cross Site Scripting
    • Test for Stored Cross Site Scripting
    • Test for DOM based Cross Site Scripting
    • Test for Cross Site Flashing
    • Test for Overflow (Stack, Heap and Integer)
    • Test for Format String
    • Test for incubated vulnerabilities
    • Test for HTTP Splitting/Smuggling
    • Test for HTTP Verb Tampering
    • Test for Open Redirection
    • Test for Local File Inclusion
    • Test for Remote File Inclusion
    • Compare client-side and server-side validation rules
    • Test for HTTP parameter pollution
    • Test for auto-binding
    • Test for Mass Assignment
    • Test for NULL/Invalid Session Cookie
    • Test for integrity of data
    • Test for the Circumvention of Work Flows
    • Test Defenses Against Application Mis-use
    • Test That a Function or Feature Cannot Be Used Outside Of Limits
    • Test for Process Timing
    • Test for Web Storage SQL injection (HTML5)
    • Check Offline Web Application
    • Check Web Applications Defence against multiple attack vectors and networks

9) Denial of Service Testing (Running tools such as; benchmark tools / DDoS planning / brute force tools)

  • Test for anti-automation
  • Test for account lockout
  • Load handling tests
  • Test for HTTP protocol DoS
  • Test for SQL wildcard DoS

We also provide additional services such as web application hardening, and often we work with developers post testing to ensure your application is secured as per our report recommendations.

What is Application hardening?

Applications are often the most difficult part of an organisations IT Infrastructure to secure because of their complexity and dynamic nature when needing to accept input from a variety of users. You also have the added problem in that the application could be proprietary or ‘closed source’ preventing you from locking down the code or applying a patches should you notice vulnerabilities or attacks against the software, and you are reliant on the vendor to issue a fix.

Web Application Hardening Process

  1. We will assume all installed applications are flawed, and the code implemented is vulnerable to attack
  2. Remove any services operating on the application operations system platform that are not needed.
  3. Add restrictions to the application on a user privilege level, adding an extra layer of authentication before the application can be accessed
  4. Subscribe to bug track and security bulletins from the application vendors to ensure all updates are applied in a timely manner
  5. Internally developed applications will be assessed for code security weaknesses
  6. Keep the application inside a virtual platform to provide an extra layer of security protection.
  7. Keep external facing web applications with real world access, locked down by additional Network Intrusion Detection and Prevention Systems, and if possible run these applications in their own DMZ, and virtual environment.
  8. Document all application changes, and maintain version control alongside change management policies
External Resource: Learn more from Wikipedia about Web Application Security and the common threats we can detect and help you fix.
Ready to put your web application to the test?

Call us now to discuss your web application penetration testing requirements.

Phone Us: +44 (0) 207 0439 349 
Alternative Contact Information