Web Application Penetration Testing
Let us safely discover security flaws in your application.
Your clients, your employees, and your reputation could all be at risk. Penetration testing provides peace of mind that your web application is protected. You don’t have to be reactive to malicious intrusions. You can be proactive.
Our engineers have backgrounds in development. We understand and appreciate the time you have already put into your application. We can help you prioritize your next steps. Some will be immediate. Others can be spread out into your normal development schedule.
Security and Compliance Requirements
Some compliance frameworks require regular penetration tests of web applications; examples include PCI, HIPAA, and FFIEC. Alternatively, your organization's own security program may contain controls that require testing. Because we also specialize in compliance and assessments, our engineers will ensure your success.
Recent Blog Posts
By: Eric Kobelski, Security Engineer
One question that we get consistently is “What exactly is a web application penetration test?”. There are some companies that will run a vulnerability scanner against your application and call that a penetration test, but this is...
NuHarbor performed a web application penetration test and was able to gain access to secure content. We didn’t realize our admin application server was exploitable. Their skilled engineers provided remediation guidance that allowed us to close the vulnerability.
Penetration Testing Checklist
Does the application track users properly? Are systems actively checked?
Is there proper authentication? Do authorization controls apply to users’ actions?
Does the application disclose confidential information? Is the environment providing information that could aid an attacker?
Are user inputs validated and sanitized? Does the application behave independently of input?
Does the application enforce output encoding? Is there consistent interpretation of the output?
Are there filtering mechanisms? Do they proactively defend against common web application attacks?
Does the web server restrict connections to encryption ciphers of an adequate security level? Are certificates supported on both the server side and the client side?
Is parameter handling secure? Could the application mishandle authorization information? Could server-side information mistakenly be sent to the user?
Does the application enforce logic flow? Could an attacker control the application flow at will?
Are there cross-site scripting vulnerabilities? Is there proper encoding of user-supplied input?
Does user input construct database queries? Can an attacker craft an input to control queries beyond the programmer’s intent?
Do user inputs construct file paths? Can an attacker craft an input to escape the directory structure of the application?
Is it possible to inject XML tags or modify the XPath query?
Are the application’s certificates current, issued by a trusted authority, issued for the correct domain name, etc.?
Are there cases that result in values above or below the allowable integer range?
Does the application perform proper bounds checking?
Are server-side and client-side components current and secure?
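The following Python example is added here as an illustration of four of the checklist items above (database queries built from user input, file paths built from user input, output encoding, and integer bounds checking); it is not code from NuHarbor or from this page. The users table, its sample rows, the upload root path and the quantity limits are all constructed assumptions for the example, and the in-memory SQLite database stands in for whatever database the application actually uses.

```python
import html
import os
import sqlite3


def make_demo_db():
    # Constructed sample data: an in-memory SQLite table standing in for the
    # application's real database (assumption for this example only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    # 'Before' form: the user-supplied value is concatenated into the query
    # text, so the input can change the structure of the query rather than
    # only the value being compared (checklist item on database queries).
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened form: the query text is fixed by the programmer and the value
    # travels as a bound parameter, so it is only ever treated as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def resolve_under_root(root, user_path):
    # Path containment (checklist item on file paths): canonicalize the root
    # and the joined path, then confirm the result still lies inside the root.
    # Returns None when the input would escape the application's directory.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def encode_for_html(value):
    # Output encoding: escape <, >, &, and both quote characters so that
    # user-supplied data is rendered by the browser as text, not markup.
    return html.escape(str(value), quote=True)


def parse_quantity(raw, lo=1, hi=1000):
    # Bounds checking: reject non-integer input and any value outside [lo, hi]
    # (the limits are constructed for the example).
    try:
        n = int(raw)
    except (TypeError, ValueError):
        return None
    if n < lo or n > hi:
        return None
    return n


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, crafted))   # returns every row
    print("safe:  ", find_user_safe(db, crafted))     # returns nothing
    print(resolve_under_root("/nonexistent-demo-root/uploads", "../../etc/passwd"))
    print(encode_for_html('<b onmouseover="x">'))
    print(parse_quantity("2147483648"))
```

The unsafe query function is kept only to contrast with the parameterized one: with the same crafted input it returns every row, while the bound-parameter version returns none. The path check relies on canonicalization before comparison, so `..` segments and absolute paths are resolved before the containment test rather than filtered by string matching.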