Screen Shot 2015-09-28 at 12.00.33.png


The goal of web application penetration testing is to find through deep manual analysis every security problem, misconfiguration or vulnerability present inside web based applications. This activity is typically carried out in Grey-Box mode and executed with working access credentials in order to simulate an attack conducted by an application malicious user or by an attacker who has stolen working credentials from an authorized application user. The methodology used is compatible with the following standards and guidelines: OWASP Testing Guide v4.

For Web Application Penetration tests the following activities are performed:-

Information Gathering

  • Web Application Finger Printing.
  • Application Crawling.
  • Identification of application entry points.
  • Analysis of Error Codes

Configuration & Deploy Management Testing:

  • Infrastructure Configuration Management Testing
  • Application Configuration Management Testing
  • Testing for File Extensions Handling
  • Old, backup and unreferenced files
  • Infrastructure and Application Admin Interfaces

Authentication Testing

  • Testing for Credentials Transported over an Encrypted Channel
  • User Enumeration and Guessable User Account
  • Testing for default credentials
  • Bypassing authentication schema

Session Management Testing:

  • Bypassing Session Management Schema
  • Testing for Cookie and Session Token Manipulation
  • Testing for Exposed Session Variables
  • Testing for Cookies attributes
  • SessionFixation
  • Cross Site Request Forgery (CSRF)
  • Establishment of multiple sessions with same credentials

Authorization Testing:

  • Directory traversal/file include
  • Bypassing authorization schema
  • Privilege Escalation
  • Insecure Direct Object References
  • Testing for Failure to Restrict access to authorized resource

Business Logic Testing

Data Validation Testing:

  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • Testing for HTTP Verb Tampering
  • Invalidated Redirects and Forwards
  • SQL InjectionLDAP InjectionXML Injection
  • SSI Injection
  • XPath Injection
  • IMAP/SMTP Injection
  • Code Injection
  • Command Injection
  • Buffer overflow

Specific Technologies Testing:

  • Web Services
  • Ajax Testing
  • Client Side Testing
  • In general, the most recent techniques applicable to application context.

View other tests and Reporting