Website & Application Vulnerability Testing
A Web Application Vulnerability Test (Web AVT) or an Application Vulnerability Test (AVT) is the most thorough application testing that SystemExperts performs. The only difference in methodology is that a Web AVT is conducted remotely against a website from the Internet where as an AVT is typically conducted on-site.
Web application vulnerability testing is intended to answer clear business questions:
- Are the website, webserver, and back-end services reasonably secure as configured and deployed?
- Are there readily found exposures that an intruder could take advantage of without having to log in?
- Can an unauthorized rogue user access data intended only for authorized users?
- Can an authorized user perform inappropriate actions on his own account?
- Can a user obtain any information about the accounts of other users?
- Can a user perform any actions on the accounts of other users?
Web AVT & AVT Methodology
A team of consultants spends an agreed upon amount of time (typically ten consulting days, but sometimes 5 days or even 3 days depending on budget constraints and site complexity) assessing the platform associated with the customer’s application as a skillful attacker and documenting their findings and recommendations. During the analysis, the consultants look to exploit deficiencies in the application or web pages themselves, to escalate privileges, access other network systems or services, or identify instances where customer-private data may be exposed.
We test two primary scenarios: as a determined intruder with no credentials and as a legitimate authenticated user with a valid User ID and password.
During this testing, the consultants focus on finding exposures in the web or application server and the application; they look for weaknesses, technical flaws, or vulnerabilities. The consultants access the services using standard web mechanisms (such as a browser, browser proxy, and generating standard HTTP requests) or thick client technologies and try to determine whether the application properly limits their activities or whether they can inappropriately escalate their capabilities.
The objective of the analysis is to develop a general sense of the level of security exposure and risk in the web infrastructure and web application. Most problems discovered can be attributed to poor configuration of the web server, weak authentication, authorization, or access control mechanisms, improper session management, insufficient input validation, or general business logic flaws. Our methodology is structured to find as many different types of problems during the allotted testing period, rather than getting stuck on every instance or variant of a discovered problem.
SystemExperts’ testing methodology includes elements from several established testing models including: National Institute of Standards and Technology Special Publication 800-42 “Guideline on Network Security Testing,” Open Source Security Testing Methodology Manual (OSSTMM), Payment Card Industry Data Security Standard (PCI/DSS), Open Web Application Security Project “OWASP Testing Guide v4,” and OWASP Top 10.
At the conclusion of the testing portion of the project, SystemExperts prepares a concise Web AVT or AVT report (approximately 12-20 pages) that outlines our findings, specific steps to reproduce each finding (including screenshots and supporting data) and recommendations to remediate each finding.
Website Security Review (WSR)
SystemExperts offers a Website Security Review (WSR) as an alternative to a full blown Web AVT. It is a simpler, lower cost option appropriate for sites that do not require user authentication or where budget constraints put the more thorough Web AVT out of reach.
The objective of the WSR is to develop a general sense of the level of security exposure and risk in the web front-end infrastructure and associated web application. This type of testing is also intended to answer clear business questions:
- Is the website reasonably configured and deployed? (e.g., Do default web server administrative interfaces allow a user the opportunity to deface the webpage?)
- Are there readily found exposures that an intruder could take advantage of without having to log in? (e.g., Does poor form input validation allow an attacker to execute an injection exploit like cross-site scripting or SQL command injections?)
One SystemExperts consultant spends an agreed upon amount of time (typically one to three consulting days) assessing the designated website as a skillful attacker on the Internet and documenting his findings and recommendations.
During the WSR the consultant evaluates the website and its content without any login credentials, accessing the site from the Internet, with no prior information about the web host or web server. He performs this work using public domain and custom tools, and spends some time manually reviewing the site attempting to identify possible exposures or vulnerabilities. He then validates the results and documents the findings.
At the conclusion of the project, the consultant prepares a concise WSR report (approximately 2-5 pages) that outlines his findings and recommendations.
Learn more about Web AVT, AVT and WSR Testing
Contact SystemExperts to learn more about our web application and website vulnerability testing services.