Web Application Penetration Testing

Web application penetration assessments are designed to highlight potential security vulnerabilities within an application based upon a defined threat model. However, unlike source code reviews or architecture assessments, an application penetration assessment also evaluates the integration between components (home-grown or third-party) and the overall deployment configuration. These characteristics make the penetration assessment a solid choice for establishing a baseline security assessment of an application that has already been developed and deployed. By performing fault injection and validating application behavior, it is possible to identify unsafe coding practices in areas including, but not limited to: authentication, authorization, session management, cryptography, error handling, information leakage, data validation, output encoding and language-specific coding issues.

Application penetration assessments, however, are not intended to provide a comprehensive security evaluation outlining every instance of a given vulnerability; rather, they concentrate on highlighting areas of increased risk exposure, identifying vulnerabilities representative of specific components, and validating exploitation possibilities when feasible. Application penetration assessments serve as a cost-effective mechanism to identify a representative set of vulnerabilities in a given application, particularly those which attackers are most likely to exploit, and allow application developers to find similar instances of those vulnerabilities throughout the code.

Penetration assessments are often time-boxed, providing clients a fixed-price review of specific application components. In certain situations it may also be advantageous to perform hybrid reviews or white-box assessments to confirm behavior observed during the penetration test and to review critical application security controls such as authentication, access control, session management and cryptography.

Each of VSR's assessments rates common application security controls against industry best practices, identifying both short-term tactical fixes and long-term strategic initiatives to improve the overall security posture of the system.

Our professionals work with you to develop a test plan. VSR provides several application and product security testing options:

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

2012-07-29
Michael Coppola presents Owning the Network: Adventures in Router Rootkits at DEF CON 20.


Contact us by phone, fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com