Elevate can provide the following Web Application Security Testing Services:
- Web Application Penetration Testing (credentialed, non-credentialed)
- Web API (Application Programming Interface) Penetration Testing
Web Application Penetration Testing
These tests are designed to assess all types of web applications, ranging from static brochureware websites to all-encompassing, transactional e-commerce environments. Elevate focuses on the application logic that has been built into the website and pays attention to every aspect of the environment that allows a user to interact with the web application or to submit input.
Web Application Penetration Testing will assess an environment for server-side attacks such as SQL injection and blind SQL injection. In addition, tests will assess an environment for client-side attacks, such as Cross-Site Scripting (XSS) exposures, which could allow an attacker to manipulate the clients that access your infrastructure. Elevate will assess the design of the web infrastructure, including:
- The use of cookies and login forms
- How the data is encrypted
- The way in which content is displayed
- The error messages that are displayed when invalid pages, commands, or inputs are entered into the environment
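The two classes of defect named above, server-side injection and client-side script injection, both come down to untrusted input being interpreted as code. The following example is added here for illustration and is not code from the original page or from Elevate; it builds a constructed SQLite table and shows a lookup that splices input into the SQL text beside the parameterised form a tester would recommend, plus output encoding for the HTML that is returned to the browser. The table, names and the probe string are all constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Constructed sample table with two users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the caller's input becomes part of the SQL statement.

    A tester confirms the defect by supplying input that changes the WHERE
    clause; a tautology probe such as x' OR '1'='1 widens the query to every row.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: a bound parameter is data, never parsed as SQL.

    The same probe string simply matches no user and returns an empty list.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Client-side counterpart: encode before placing user data into HTML.

    html.escape turns <, >, & and quotes into entities, so a value that
    contains markup is displayed as text rather than interpreted by the browser.
    """
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input
    print("unsafe:", lookup_unsafe(db, probe))   # both rows come back
    print("safe:  ", lookup_safe(db, probe))     # []
    print(render_greeting("<b>guest</b>"))
```

The point a review should take from this is that the fix is structural (bind parameters, encode on output) rather than a blocklist of characters; a filter that strips quotes still leaves the query text under the caller's control.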
Elevate can furnish advice and guidance on how you can improve the security of your web application software. In many instances, we can provide software development services to fix application logic or write input validation controls to protect the environment from malicious Internet users.
In environments where users require credentials to access Web Applications, Elevate frequently recommends running a Credentialed Penetration Testing exercise. Many aspects of a web infrastructure can only be accessed once logged in, and therefore it is prudent to conduct these types of tests as an authenticated user.
Credentialed testing allows a Penetration Tester to thoroughly assess the security logic implemented within the application itself. For instance, consider the following web application:
Both Mr. X and Ms. Y are standard users. When Mr. X logs in, he should be able to see his data and not Ms. Y’s data. Likewise, when Ms. Y logs in, she should be able to see her data and not Mr. X’s data. By providing Elevate with two user accounts (both with the same privilege level), it is possible to assess the application’s access controls that partition one user’s data from another’s.
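The Mr. X / Ms. Y scenario is an object-level authorization check: the server must compare the record's owner with the authenticated user on every read, not just require that someone is logged in. The example below is added here and is not code from the original page or from Elevate. It uses constructed in-memory records for the two users, shows a fetch routine that omits the ownership check beside one that enforces it, and includes the cross-user sweep that a credentialed test performs with the two same-privilege accounts. All identifiers (`User`, `RECORDS`, `OWNERSHIP`, `cross_user_leaks`) are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Authenticated session identity (constructed; a real app derives it from the session)."""
    user_id: int
    role: str = "standard"


# Constructed records: each row belongs to exactly one owner.
RECORDS = {
    101: {"owner_id": 1, "body": "Mr. X's statement"},
    102: {"owner_id": 2, "body": "Ms. Y's statement"},
}

# Which record ids each user legitimately owns (test oracle for the sweep below).
OWNERSHIP = {1: {101}, 2: {102}}


class AccessDenied(Exception):
    pass


def get_record_unsafe(current_user, record_id):
    """Missing object-level check: any logged-in user can read any record id."""
    return RECORDS[record_id]["body"]


def get_record_safe(current_user, record_id):
    """Ownership is checked against the session identity, never against client input."""
    record = RECORDS.get(record_id)
    # One response for 'absent' and 'not yours' avoids confirming which ids exist.
    if record is None or record["owner_id"] != current_user.user_id:
        raise AccessDenied("record not available")
    return record["body"]


def cross_user_leaks(fetch, ownership):
    """Credentialed sweep: log in as each user and request every record id.

    Returns the (user_id, record_id) pairs that were readable although the
    record belongs to someone else. An empty list means the partition holds.
    """
    leaks = []
    for uid, own_ids in ownership.items():
        session = User(uid)
        for rid in RECORDS:
            try:
                fetch(session, rid)
                readable = True
            except (AccessDenied, KeyError):
                readable = False
            if readable and rid not in own_ids:
                leaks.append((uid, rid))
    return leaks


if __name__ == "__main__":
    print("unsafe leaks:", cross_user_leaks(get_record_unsafe, OWNERSHIP))  # two cross reads
    print("safe leaks:  ", cross_user_leaks(get_record_safe, OWNERSHIP))    # []
```

The sweep is only meaningful with two accounts at the same privilege level, which is why the engagement asks for both: a single account can show that its own data is reachable but cannot show that someone else's is not.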
Web API Penetration Testing
Web API Penetration Testing can be conducted externally from the internet, or Elevate can test internal web services on-site. Each of the major web service technologies (REST, SOAP, Swagger, WSDL, WADL, OAuth 2.0, OpenID Connect, JSON, XML, and many more) can be tested by our professionals. Web service security testing goes beyond the functional testing of simple web service calls: testers use both automated and manual techniques to discover a wide variety of possible vulnerabilities.
Just as Elevate tests for the OWASP Top 10 when performing Web Application Penetration Testing, for APIs we follow the same known methodologies, techniques, and procedures to test for the OWASP API Security Top 10 vulnerabilities.