Web Application Testing
Web applications are a key element of contemporary business. In-depth security tests prevent malicious attackers from gaining access to valuable data, bypassing process flow or disrupting the service and underlying business.
Web applications are like doors and windows to your IT systems. They are visible from the outside and connected to internal databases, other IT components and business processes. That makes them an excellent target for a potential attacker, so special attention must be paid to web application security.
According to the latest data*, web applications are the attack vector in 90% of all attack incidents.
Web application attacks may result in serious consequences, such as:
- unauthorized access to key resources,
- modification of users’ data,
- personally identifiable data breach,
- server take-over or blocked access to servers.
This applies to both external-facing applications and internal ones that are available only within a corporate network.
Our approach to web application security testing
The process of application security testing consists mainly of systematic attempts to abuse all application functions. We usually start with threat modeling to identify potential threats. We take into consideration key resources available in applications and we try to define a potential attack target. A list of potential threats and priorities is discussed with a client – this is a starting point for the technical part of security testing. Sometimes threat modeling is not necessary, especially when a customer is able to precisely specify the required scope of security tests.
Such a systematic approach guarantees efficient allocation of time dedicated to security testing and comprehensive coverage of all application functionalities.
Web app testing steps
In typical cases, web application security tests are carried out in the following steps:
- Access to the application, user accounts and information about the architecture (if a grey-box approach is possible).
- Threat modeling – security analysis to determine possible attack methods and the most important consequences of a potential attack.
- Defining priorities, assumptions, and dependencies.
- Security testing and hacking attempts. The client is informed about any key vulnerabilities as soon as possible.
- Test result aggregation and report preparation.
- Consultancy on ways to eliminate identified vulnerabilities.
- Verification of proper vulnerability removal.
The result of security tests is a detailed report. It consists of an executive summary, detailed description of all vulnerabilities and proposed improvements. We can also verify compliance with OWASP ASVS (Application Security Verification Standard).
- Frameworks: Angular, ASP.Net, Django, Laravel, Node.js, Play, React.js, Spring, Struts, Symfony, Wicket…
- API: REST, SOAP, GraphQL…
- Databases: MySQL, Oracle, Microsoft SQL Server, MongoDB, PostgreSQL, SQLite…
- Authentication: 2FA, biometry, JSON Web Token, LDAP, OAuth…
- CMS: Drupal, Joomla, Shopify, WordPress…
- Architectures: client-server, microservices, serverless, SaaS (including multi-tenant), SPA…
- Protocols: HTTP, HTTPS, WebSocket, and other nonstandard ones.
“We believe that the key to effective security testing is a thorough understanding of application processes and technologies. That’s why we are constantly developing our skills and tracking recent attacks and defence methods.”
Web application testing contributes to compliance with DORA principles. It aligns with DORA’s focus on securing software components.
How to get a quote for your project?
Book a call or write to us to get a quote for application security testing. Each application is different. You will receive a set of questions that will help us estimate workload and needed skills, based on which we will prepare an offer. If needed, we will contact you to discuss your specific needs, application functionality, and a broader context to guarantee that the results of security testing will have the best possible value for you.
* – source: Verizon Data Breach Investigations Report 2022 https://enterprise.verizon.com/resources/reports/dbir/