Application Penetration Testing

An application penetration test focuses on the application layer of each application in scope.

The objective is to identify security weaknesses that could be exploited by motivated malicious individuals to gain unauthorised access to systems or data.

A range of security tools, both open source and commercial, are used in combination with manual inspection to ensure extensive coverage of the systems in scope. Application penetration testing in particular involves extensive manual testing performed through local web proxies, which our consultants use to intercept and manipulate the data flowing to and from the application.

Our web application testing methodology is based on the OWASP Top Ten but goes well beyond it, incorporating many bespoke testing methodologies that our consultants have designed over many years of carrying out these types of test.

GRC3D examines what is predominantly accessed over HTTP or HTTPS and attempts attacks that a traditional network firewall isn’t designed to protect against. Whilst automated tools can find some issues, no web application can be reliably and fully tested using automated tools alone; it also requires testing by experienced consultants.

Depending on the application, we perform appropriate testing in the following areas:

  • Authentication and Authorisation
  • Account and Session Management
  • Cross-site request forgery (CSRF)
  • Encryption
  • SQL and Script injection attacks
  • Meta character stripping
  • Parameter tampering
  • Forceful browsing
  • Form posting vulnerabilities
  • Character bounds checks
  • Buffer overflow checks
  • Cross-site scripting (XSS)
  • Source code disclosure
  • Back doors and debugging options
  • Third-party misconfigurations and insecure default configuration settings
  • Known software vulnerabilities
  • Code Reviews