Web Application Penetration Testing
Netragard guarantees that its Network Penetration Testing services will produce deliverables that contain absolutely no false positives and are likely to identify vulnerabilities that cannot be identified with conventional testing methods. If any Netragard Penetration Testing deliverable contains false positives, then your next Penetration Test of identical scope and size will be done free of charge.
Web Applications Defined
A Web Application is any program that can be accessed through a web server (like Apache, IIS, etc.), though not necessarily with a web browser (like Firefox, Internet Explorer, Safari, etc.). Examples of Web Applications include online banking portals, websites that are managed by Content Management Systems (like Joomla, Mambo, WordPress, etc.), e-commerce websites, Subversion (aka svn), Web Services, etc. Web Applications are most commonly delivered through websites, but not always.
Web Application Penetration Testing Services
Netragard’s Web Application Penetration Testing services are derived from the Open Web Application Security Project (OWASP) and heavily augmented by Real Time Dynamic Testing. OWASP is the de facto standard for designing and testing secure web applications. Netragard focuses on key areas of OWASP that include, but are not limited to, the following:
AUTHENTICATION
Netragard will classify the information being protected and compare the authentication mechanism(s) to the sensitivity level of that information. During this part of the assessment Netragard will attempt to find weaknesses in the authentication mechanisms and, if possible, exploit those weaknesses. Netragard will also verify that the authentication methods in place are sufficient for protecting the type of information being protected. Certain key items, such as re-authentication for gaining access to different levels of information, will also be considered as a part of this assessment.
AUTHORIZATION
Netragard will assess the Authorization controls of the web application to ensure that only authorized users can perform allowed actions within their privilege level, to control access to protected resources using decisions based upon role or privilege level, and to identify areas where privilege escalation attacks may be possible. Netragard will pay close attention to the following COBIT Topics: DS5 as outlined by OWASP.
BUSINESS LOGIC TESTING
Netragard will assess the business logic of the web application. Business Logic Testing is unconventional in that it attempts to disrupt the logic of an application. For example, if the application’s authentication process is set to follow steps 1, 2 and 3, Netragard will disrupt that flow and force the application to skip a logic step. In many cases this results in an error that can sometimes be exploitable.
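The step-skipping weakness described above is avoided when the server, not the client, tracks which steps of a multi-step flow have actually completed. The following is an added example, not code from Netragard or from the original page: a hypothetical three-step login flow (credentials, second factor, terms acceptance) with a naive handler that trusts the client's claimed step beside one that enforces the order server-side. The flow, step names and session object are constructed for illustration.

```python
# Constructed example: enforcing step order in a multi-step authentication flow.
# The step names and the LoginSession class are hypothetical.
LOGIN_FLOW = ("credentials", "second_factor", "accept_terms")


class FlowError(Exception):
    """Raised when a client submits a step that the flow does not expect next."""


class LoginSession:
    def __init__(self):
        self.completed = []        # steps the server has seen succeed, in order
        self.authenticated = False


def complete_step_unchecked(session, step):
    """Naive handler: believes the client about which step it just completed.
    Submitting the final step alone is enough to become authenticated."""
    session.completed.append(step)
    if step == LOGIN_FLOW[-1]:
        session.authenticated = True
    return session.authenticated


def complete_step(session, step):
    """Enforcing handler: the only acceptable step is the one that follows
    the last step the server itself recorded as completed."""
    if len(session.completed) >= len(LOGIN_FLOW):
        raise FlowError("flow already complete")
    expected = LOGIN_FLOW[len(session.completed)]
    if step != expected:
        raise FlowError(f"out of order: expected {expected!r}, got {step!r}")
    session.completed.append(step)
    if len(session.completed) == len(LOGIN_FLOW):
        session.authenticated = True
    return session.authenticated


def run_flow(steps, enforce=True):
    """Replay a sequence of client-submitted steps against a fresh session.
    Returns 'authenticated', 'incomplete' or 'rejected'."""
    session = LoginSession()
    handler = complete_step if enforce else complete_step_unchecked
    try:
        for step in steps:
            handler(session, step)
    except FlowError:
        return "rejected"
    return "authenticated" if session.authenticated else "incomplete"


if __name__ == "__main__":
    print("full flow, enforced:      ", run_flow(LOGIN_FLOW))
    print("skipped 2FA, enforced:    ", run_flow(("credentials", "accept_terms")))
    print("skipped 2FA, unchecked:   ", run_flow(("credentials", "accept_terms"), enforce=False))
```

The design choice worth noting is that `complete_step` derives the expected step from server-side state only; the client-supplied step name is compared against it and never used to advance the flow on its own.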
SESSION MANAGEMENT
Netragard will assess the Session Management capabilities of the target to ensure that authenticated users have a robust and cryptographically secure association with their session, to enforce authorization checks where appropriate, and to identify points where common web attacks may exist. Netragard will pay close attention to the following COBIT Topics: PO8 and PO8.4 as outlined by OWASP.
DATA VALIDATION
Netragard will assess the target to ensure that it is sufficiently robust to protect against all forms of input data, whether obtained from the user, infrastructure, external entities, or database systems. Netragard will pay close attention to the following COBIT Topics: DSS11 as outlined by OWASP.
REFLECTED and STORED ATTACKS
Netragard will assess the target to ensure that it is sufficiently robust to protect against well-known perimeter manipulation attacks that affect common interpreters. These types of attacks are most often Immediate Reflection attacks. An example of this type of attack would be encouraging or forcing a user to click on a URL that would then activate or otherwise manipulate an account. Stored attacks, in which the injection happens at one time and users are affected at a later date, will also be evaluated.
CANONICALIZATION, LOCALE and UNICODE
Netragard will assess the target to ensure that it is sufficiently robust when subjected to encoded, internationalized and Unicode input. These types of inputs are often overlooked when creating a Web Application, which enables attackers to manipulate Web Applications by using different types of encoding techniques. Netragard will pay close attention to the following COBIT Topics: DS11.9 as outlined by OWASP.
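The usual root cause behind the encoding problems described above is a check performed on the raw string, before the application (or a layer below it) decodes or normalizes it. The following is an added example, not code from Netragard or the original page: a reserved-username check done naively on the raw input beside one that first reduces the input to a canonical form (bounded percent-decoding followed by Unicode NFKC normalization). The reserved-name list, the decoding bound and the choice of NFKC are assumptions for illustration; the normalization form a real application should use depends on what the downstream consumers of the string do with it.

```python
# Constructed example: canonicalize before validating.
# RESERVED_NAMES, MAX_DECODE_ROUNDS and the NFKC choice are illustrative assumptions.
import unicodedata
from urllib.parse import unquote

RESERVED_NAMES = {"admin", "root"}
MAX_DECODE_ROUNDS = 2


def canonicalize(value, max_decode_rounds=MAX_DECODE_ROUNDS):
    """Reduce an externally supplied string to one canonical form:
    percent-decode until the value stops changing (bounded), then apply
    Unicode NFKC normalization so compatibility variants (fullwidth letters,
    ligatures, ...) collapse onto their plain equivalents."""
    decoded = value
    for _ in range(max_decode_rounds):
        next_value = unquote(decoded)
        if next_value == decoded:
            break
        decoded = next_value
    if unquote(decoded) != decoded:
        # Still decodable after the bound: nested encoding deeper than we
        # are willing to interpret, so refuse rather than guess.
        raise ValueError("input is percent-encoded more than %d times" % max_decode_rounds)
    return unicodedata.normalize("NFKC", decoded)


def naive_is_reserved(name):
    """Checks the raw string. '%61dmin' and fullwidth 'ａdmin' slip past,
    even though later decoding/normalization turns both into 'admin'."""
    return name in RESERVED_NAMES


def is_reserved(name):
    """Checks the canonical form, so every encoding of a reserved name is caught."""
    return canonicalize(name) in RESERVED_NAMES


if __name__ == "__main__":
    samples = ["alice", "admin", "%61dmin", "\uff41dmin", "%2561dmin"]
    for s in samples:
        print(f"{s!r:14} naive={naive_is_reserved(s)!s:5} canonical={is_reserved(s)}")
```

`"\uff41dmin"` is the string "admin" written with a fullwidth Latin "a" (U+FF41); NFKC maps it to the ASCII letter. `"%2561dmin"` is percent-encoded twice and is decoded within the bound, while a third layer of encoding makes `canonicalize` raise instead of silently accepting an input it cannot fully interpret.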
ERROR HANDLING, AUDITING and LOGGING
Netragard will assess the Error Handling, Auditing and Logging capabilities of the target. More specifically, Netragard will ensure that all activities which affect the state or balance of the system are formally tracked, that it is possible to determine where an activity occurs in all tiers of the application, and that logs cannot be tampered with by local or remote users. Netragard will pay close attention to the following COBIT Topics: DS11, DS11.4, and DS11.8 as outlined by OWASP.
FILE SYSTEM
Netragard will assess the File System protection mechanisms that are in place to ensure that access to the local file system, or any of the file systems, is sufficiently protected from unauthorized manipulation or data viewing. Netragard will pay close attention to the following COBIT Topics: DS11, DS11.9, and DS11.20 as outlined by OWASP.
BUFFER OVERFLOWS
Netragard will assess the target for Buffer Overflow vulnerabilities to ensure that the target does not expose itself to faulty components. These vulnerabilities often enable attackers to compromise the system and eventually gain administrative levels of access to it. Netragard will pay close attention to the following COBIT Topics: DS11.9.
ADMINISTRATIVE INTERFACES
Netragard will assess the Administrative Interfaces for the target to ensure that administrative level functions are properly segregated from user activity, that users cannot access or utilize administrator functionality, and to ensure that the interfaces provide the proper auditing and tracking functions. Netragard will pay close attention to the following COBIT Topics: PO4 – 4.08, 4.10 as outlined by OWASP.
CRYPTOGRAPHY
Netragard will assess the Cryptographic capabilities of the target to ensure that data is stored and transmitted in the safest possible manner with respect to the application’s functions and requirements. Netragard will pay close attention to the following COBIT Topics: DS5.18 as outlined by OWASP.
CONFIGURATION
Netragard will assess the configuration of the target to ensure that no configuration vulnerabilities exist. Netragard will also assess the configuration of the target to ensure “out of box” security should the target be re-deployed or replicated. During this stage of the Assessment Netragard will also target database security and re-examine secure information transmission. Netragard will pay close attention to the following COBIT Topics: DS6 as outlined by OWASP.
DENIAL OF SERVICE ATTACKS
Netragard will assess the target to ensure that it is not vulnerable to Denial of Service Attacks. Examples of these attacks include Excessive CPU Consumption, Excessive Disk I/O Consumption and Excessive Network I/O Consumption.
Web Application Risks
Over 80% of all compromises are the result of exploited web application vulnerabilities. In many cases the vulnerabilities that result in compromise are entirely missed by conventional testing methodologies (especially methodologies that are dependent on automation). In other cases vulnerabilities are identified but are incorrectly assumed to be non-exploitable due to coding standards and/or protective technologies. For example, a common misconception is that one can use parameterized queries to eliminate all SQL injection vulnerabilities. The truth is that if the parameterized queries are not constructed properly, then exploitation is often still possible. Another misconception is that Web Application Firewalls protect web applications from attack. The truth is that Web Application Firewalls only defend against attacks that they are programmed to detect and are ineffective at protecting against new attack methodologies.
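A concrete instance of the "parameterized but not constructed properly" case above is a query that binds its values correctly but concatenates an identifier, such as an ORDER BY column taken from a request parameter, because placeholders cannot bind identifiers. The following is an added example, not code from Netragard or the original page; it uses Python's standard-library sqlite3 module against an in-memory database with a constructed `users` table. The unsafe function shows that binding protects the `role` value while the concatenated sort expression is still executed as SQL; the hardened function accepts only identifiers from an allow-list before interpolating them.

```python
# Constructed example: value binding alone does not cover identifiers.
# The users table, its rows and ALLOWED_SORT_COLUMNS are illustrative assumptions.
import sqlite3

ALLOWED_SORT_COLUMNS = {"id", "name"}   # the only identifiers the query may sort by


def setup_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_users_unsafe(conn, role, sort_by):
    """Parameterized for the value, but the ORDER BY identifier is concatenated,
    so whatever the caller passes as sort_by is evaluated as SQL."""
    sql = "SELECT name FROM users WHERE role = ? ORDER BY " + sort_by
    return [row[0] for row in conn.execute(sql, (role,))]


def find_users_safe(conn, role, sort_by):
    """Same query, but the identifier must come from a fixed allow-list.
    Only a known column name is ever interpolated; the value stays bound."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name FROM users WHERE role = ? ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql, (role,))]


if __name__ == "__main__":
    conn = setup_db()
    # Binding does its job: the quote-laden value is compared as a literal string.
    print("bound value:      ", find_users_unsafe(conn, "user' OR '1'='1", "name"))
    # The concatenated part is not bound: an arbitrary SQL expression changes the result.
    print("unsafe expression:", find_users_unsafe(conn, "user", "length(name) DESC"))
    print("safe, allowed:    ", find_users_safe(conn, "user", "name"))
    try:
        find_users_safe(conn, "user", "length(name) DESC")
    except ValueError as exc:
        print("safe, rejected:   ", exc)
```

The allow-list is the point: a placeholder cannot stand in for a table or column name in any mainstream SQL driver, so every identifier that originates outside the program has to be mapped onto a fixed set of known names before it reaches the query string.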
The biggest risk that an organization can face is assuming that they are secure when in fact they are vulnerable.
Netragard’s reporting process is outlined here in detail.
Please contact us for a quote.