Web application penetration testing

Penetration testing of web applications involves identifying security weaknesses and vulnerabilities caused by insecure coding practices, misconfiguration and bugs. It is usually performed on a test instance of the application, but in certain cases it can also be performed on the live instance. The testing process involves analysing, modifying and creating specially crafted HTTP requests to identify and exploit any vulnerabilities that may exist in the application, and it usually covers at least the following Top 10 areas of risk as identified by the Open Web Application Security Project (OWASP):

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting (XSS)
  4. Insecure direct object references
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access control
  8. Cross-site request forgery (CSRF)
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards
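To make two of the listed risk areas concrete, here is an added example (not code from the original page or from any particular tested application). It assumes a SQL-backed application and uses an in-memory SQLite database with constructed sample rows; each vulnerable function is shown beside the hardened form a tester would recommend, for injection (item 1) and insecure direct object references (item 4).

```python
import sqlite3

# Constructed sample data for the demonstration only; not real accounts or invoices.
SAMPLE_USERS = [
    (1, "alice", "alice-secret"),
    (2, "bob", "bob-secret"),
]
SAMPLE_INVOICES = [
    (100, 1, "invoice for alice"),
    (200, 2, "invoice for bob"),
]


def make_db():
    """Build an in-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_INVOICES)
    return conn


# --- 1. Injection -----------------------------------------------------------

def find_user_vulnerable(conn, username):
    """Builds the SQL with string formatting, so the request value is parsed as SQL.

    A value such as  x' OR '1'='1  changes the WHERE clause and returns every row.
    """
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the driver sends the value separately from the SQL text,
    so the same input is matched literally as a username and returns nothing."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- 4. Insecure direct object references -----------------------------------

def get_invoice_vulnerable(conn, requesting_user_id, invoice_id):
    """Looks up the invoice by the client-supplied id and never checks who owns it,
    so any authenticated user can read any invoice by changing the id in the request."""
    return conn.execute(
        "SELECT id, owner_id, body FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_safe(conn, requesting_user_id, invoice_id):
    """Scopes the lookup to the authenticated user's own rows; an id belonging to
    someone else yields no row instead of their data."""
    return conn.execute(
        "SELECT id, owner_id, body FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, requesting_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable lookup rows:", len(find_user_vulnerable(db, crafted)))
    print("safe lookup rows:      ", len(find_user_safe(db, crafted)))
    print("user 1 reads invoice 200 (vulnerable):", get_invoice_vulnerable(db, 1, 200))
    print("user 1 reads invoice 200 (safe):      ", get_invoice_safe(db, 1, 200))
```

The point for a tester and for the developer fixing the finding is the same in both cases: the request value must never change the meaning of the query, and the server, not the client, decides which records a session may see.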

We have tested a wide variety of web applications, including online payment systems, insurance policy management, confidential communication services, scientific data management and financial modelling applications.