Web applications provide a mechanism for direct interaction between Internet users and an organisation's trusted infrastructure. Many in-band attacks against web applications are possible that cannot be detected or stopped by conventional firewall technology, because they travel inside legitimate HTTP traffic.
The threat modelled in a web penetration test is an unauthorised outsider attempting to gain access to confidential data, or an authenticated user attempting to escalate their level of authorisation in order to access data or systems beyond their entitlement.
The goal of the simulated attacker performing a web penetration test is server- or database-level access on the web server, or access to features of the application reserved for other users or roles. Attacks may be performed against any web page, web service or exposed API.
The testing follows a structured approach consistent with the current OWASP methodology.
Testing includes the following layers of the network model:
- Network
- Transport
The testing methodology comprises the following phases:
- Information gathering
- Scanning & enumeration
- Transport Security Testing
- Session Management Testing
- Authentication Testing
- Authorization / Business Logic Testing
- Input Validation Testing
Upon identifying any weaknesses within your system, DMA will provide you with a report detailing all of the vulnerabilities identified, categorising each by its risk rating and recommending the remediation activities that should follow. These remediation activities can be completed by your organisation, or DMA's services can be enlisted to assist.