Web Application Security Assessment

Web Application Security Assessment

Providing comprehensive Web Application Security Testing services

The number of US businesses transacting on-line is at an all-time high. Whether it is on-line retailers selling direct to consumers, or businesses providing extranet type services to their trading partners, there is a growing trend to bring more and more functionality to the Internet browser.  Elevate provides comprehensive WEB APPLICATION Security Testing services. We provide PENETRATION TESTING services that assess e-commerce, B2B and CLOUD-BASED services through to Web Service XML feeds and MOBILE DEVICE applications. Our team of consultants are industry recognized experts, developing both cutting edge approaches for security testing as well as optimized mechanisms for securing your mission critical business data

Elevate can provide the following Web Application Security Testing Services:

  • WEB APPLICATION TESTING
  • WEB SERVICES TESTING
  • OWASP TOP 10

Web Application Testing

Web Server Tests are designed to assess all types of web server, ranging from static brochure ware websites to all-encompassing transactional e-commerce environments. Elevate focuses on looking at the application logic that has been built in to the website, and pays particular attention to any aspect of the environment that allows a user to enter input.

Web Server tests will assess an environment for server side attacks such as SQL injection and Blind SQL injection. In addition tests will assess an environment for client side attacks, such as Cross Site Scripting exposures which could allow an attacker to manipulate the clients that access your infrastructure. Elevate will assess the design of a web infrastructure, including the use of cookies and logon forms, as well as the way in which data is encrypted, the way in which content is displayed, and the error messages that are displayed when invalid pages, commands or input is entered in to the environment.

Elevate can provide advice and guidance on how you can improve the security of your web application software. In many instance, we can provide software development services to fix application logic or write input validation controls to protect the environment from malicious Internet users.

Web Service Testing

Conducted over the Internet. Designed to test your external Internet services, including Firewalls, Routers, Web Servers Mail Servers etc. Simulates an Internet based attacker.

OWASP Top 10

The OWASP top 10 is a list of the most common types of security issues that impact web applications. It is referenced by many security standards including PCI DSS, DISA, MITRE, FTC and more. All of Elevate’s Web Application Penetration Testing engagement cover the OWASP top 10. In addition, Elevate goes deeper to assess the fundamental application logic whilst also assessing the access controls that deliver security roles and user partitioning. Elevate also pulls in information from external sources such as Facebook, LinkedIn and Twitter, to provide social engineering and authentication based attacks vectors. Combining these approaches together provides customers with a much more holistic approach to Web Application Security Testing.

Elevate carries out Web Application Test to assess the following elements of the OWASP top 10.

A1: Injection

Injection flaws, such as SQL, XPATH, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. An attacker can use these vulnerabilities to trick interpreters into executing unintended commands or accessing unauthorized data.

A2: Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in a victim’s browser which in turn can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3: Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

A4: Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5: Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6: Security Misconfiguration (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A7: Insecure Cryptographic Storage

Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers often try to steal or modify these types of data to conduct identity theft, credit card fraud, or other similar crimes.

A8: Failure to Restrict URL Access

Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A9: Insufficient Transport Layer Protection

Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10: Unvalidated Redirects and Forwards

Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

The OWASP Top 10 is a strong starting point for Web Application testing, but organisations should really look to go beyond this. The underlying application logic needs to be tested. Web sites need to be assessed with different classes of users, to ensure that appropriate partitioning and access controls exist. Content Management Systems and administrative functions should be assessed and a series of broader controls should be reviewed and tested.

Black Box Testing

The intention of a Black Box test is to simulate the behavior of an Internet Hacker that starts off with limited information about the infrastructure he or she wishes to compromise. All enumeration is therefore based around information that can be found publicly through the Internet and public information forums.

During a Black Box Penetration Test, Elevate will scour news and chat rooms looking for information about the client’s people and infrastructure. Elevate will query social websites such as Facebook, LinkedIn and twitter to try and find information about the people that work within the client environment. Elevate will query Internet registries, DNS, Mail & hosting providers to extract information that could be used as part of the Penetration Testing engagement. Elevate will try to enumerate people, processes, partners and technologies that ultimately come together to influence an organizations IT infrastructure.

Black Box Penetration Testing is a very popular approach to assessing an organizations information security posture. In most instances, it tends to be a relatively straight forward process to enumerate an external infrastructure using publicly accessible material. Elevate recommends that Black Box testing alone does not provide a complete snapshot of an organizations security weaknesses. Although it may yield similar results to that of an Internet based hacker, organizations face many other security threats from trading partners, suppliers, competitors and employees that do have relevant information about the organization that could be used in a more structured attack. For instance, trading partners may have been granted login credentials to access a procurement or stock management system. Using these credentials, a rogue employee at one of these trading partners could initiate an attack that would not ordinarily be identified within a Black Box testing engagement.

White Box Testing

It is important for organizations to identify where their Risk and Threat emanates from. If they perceive it comes from employees, customers or trading partners it may be beneficial to conduct a White box Penetration Test. Employees, Customers and Trading Partners have knowledge about your Information Assets. They may know that you have an Intranet or Extranet site, and they may also have credentials that allow them to log in to them. They may know employees who work within the organization, the management structure, applications that runs within the environment, as well as the organizations overall approach to risk, threat and Information Security as a whole. All of this information can be used to launch more targeted attacks against an infrastructure, which may not be identified as part of a Black Box testing engagement.

In environments where users require credentials to access Web Applications, Elevate frequently recommends running a White box Penetration Testing exercise. Many aspects of a web infrastructure can only be accessed once logged in, and as a consequence it is prudent to conduct these types of tests as an authenticated user.

White box testing can allow a Penetration Tester to thoroughly assess the security logic implemented within the application itself. For instance – consider the following web application.

Both Mr. X and Ms. Y are standard users. When Mr. X  logs in, he should be able to see his data and not Ms. Y’s data. Likewise, when Ms. Y logs in, she should be able to see her data and not Mr. X’s data. By providing Elevate with 2 sets of users accounts, (both with the same privilege level) it is possible to assess the application’s access controls that partition one users data from another’s.