Web pentest – Web security audit


A Web platform penetration test makes it possible to assess the security of the server configuration and of the application software (Web applications and APIs).


Aim of a Web pentest

Web applications are always a particularly vulnerable part of information systems, due to their level of exposure to attacks and the lack of awareness of development teams observed in many companies.

The purpose of a Web pentest is to assess the robustness of your Web platform: servers, front/back office applications, Web services and APIs. The result is an operational report that enables developers to correct the identified security flaws. For software publishers who wish to provide deliverables to their clients or partners, Vaadata can produce a second report certifying that the security flaws have been corrected.

The scope of a Web security audit is to be defined according to the desired aim:

  • What must be included in the pentest, and what must be excluded from it? (Web application, APIs, third-party services, showcase site, etc.)
  • What is the required level of detail: search for so-called major vulnerabilities or search for all vulnerabilities?
  • What is the level of risk to be tested: test only external attacks (black box penetration testing) or also attacks from a user account (grey box penetration testing)?
  • Must certain types of specific tests be incorporated? (social engineering, etc.)


Stages of a Web security audit


The first stage is the definition of the scope of the pentest. During this essential stage, the pentesters are briefed on the objectives of the audit, the elements to include in the pentest, the conditions of the pentest, and the client’s particular requests.

During the audit preparation phase, the technical conditions are set up: choosing dates, setting up the target, forwarding information and creating test accounts if necessary, and validating the communication plan to follow in the event of an emergency.

At the start of the audit, the pentest team contacts the technical team responsible for the Web platform to be audited. In most cases, the pentesters perform the audit from Vaadata’s offices. The results are returned only when the audit is completed, unless the client specifically requests otherwise (choice of a real-time reporting option).


Web application penetration testing

Vaadata looks for vulnerabilities related to features, implementation and use of third-party components, the server and its various services, security configurations, etc.

Tests may focus only on technical elements or may also include social engineering.

Web servers penetration testing

Penetration tests of Web servers focus on finding vulnerabilities specific to the configuration of the infrastructure that hosts the services. Examples of common vulnerabilities:

  • Open and poorly protected services
  • Software that is not updated (operating system, FTP, etc.)
  • Security elements that can be bypassed
  • Configuration errors

Penetration testing of the application layer

Penetration testing of the application layer accounts for most of the audit. Examples of common security flaws:

  • Injection flaws (notably SQL and commands)
  • Vulnerabilities in management of authentication and of sessions
  • Exposure of sensitive data
  • Lack of access control
  • Cross-Site Scripting (XSS)

The application pentest includes the search for technical and logic flaws (related to the workflow). Logic flaws exist when the normal operation of an application, a logic stage or the intended process can be bypassed or avoided.


Our white paper "How to define the scope of a pentest" gives you clues to define the scope and a pentest strategy. It brings together the key points resulting from our discussions with around 200 companies.

Injection flaws

Among injection flaws, SQL injection (SQLi) is the best known. An SQL injection flaw allows an attacker to interact with the application database through queries the developers never planned for.

However, many other types of injection are possible: XPath injection, HTML injection, command injection, log injection, etc. Exploitation of injection flaws can lead to data loss, denial of service, or even a takeover of the system; the impact of these vulnerabilities can therefore be severe.

Further information on injection flaws.

Server Side Request Forgery - SSRF

An SSRF is a type of vulnerability that allows attackers to abuse the functionalities of a server, enabling them to access or manipulate information that would otherwise not be directly accessible.

This ability to send requests to other systems may allow the attackers to use the target server as a proxy, either against external targets or even internal targets, which then lose the protection provided by their network.

Further information on the SSRF vulnerability and its potential impact.
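As an added example (not Vaadata's code, and not from the original page), a Python check that a server-side fetch feature can apply to a user-supplied URL before requesting it: it allow-lists the scheme, refuses embedded credentials, resolves the host and rejects it if any resulting address is internal, which is what stops the server being used as a proxy against its own network as described above. The host table is constructed so the demo runs offline; `resolve_with_dns` is the real resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name-to-address table standing in for DNS so the demo runs
# offline; real code passes resolve_with_dns (the default) instead.
CONSTRUCTED_DNS = {
    "public.example": {"93.184.216.34"},
    "intranet.example": {"10.0.0.5"},
    "mixed.example": {"93.184.216.34", "10.0.0.5"},
    "127.0.0.1": {"127.0.0.1"},
    "::ffff:127.0.0.1": {"::ffff:127.0.0.1"},
}


def resolve_with_dns(host):
    # Every address the name resolves to, so a name that points at both a
    # public and an internal address is judged on all of them.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def demo_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError("unknown host: " + host)
    return CONSTRUCTED_DNS[host]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d carries an IPv4 address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_target(url, resolver=resolve_with_dns):
    # True only for http(s) URLs without credentials whose host resolves
    # exclusively to public addresses.
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        addresses = resolver(parts.hostname)
    except (OSError, ValueError):
        return False
    return bool(addresses) and not any(is_internal(a) for a in addresses)
```

The fetch that follows must connect to the address that was validated rather than resolve the name a second time, otherwise a record that changes between the check and the connection defeats the check. Redirect responses need the same validation on every hop.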

Focus on denial of service (DoS)

The pentest may or may not include denial of service (DoS) attacks, depending on your preference. This type of test makes it possible to identify vulnerabilities that may be related to the configuration of the server or of the application. In both cases, the solutions depend on your technical team, not on the choice of hosting.

Vaadata excludes distributed denial of service (DDoS) attacks from the penetration test, because the problem and the solution depend mainly on the means on the attacking side as well as on the attacked side.


Key numbers

  • Malware and Web-based attacks continue to be the most expensive attack types. (2019 The Cost of Cybercrime, Ponemon Institute, p. 17)
  • +56%: Web attacks on endpoints increased by 56% in 2018. (2019 Internet Security Threat Report, Symantec, p. 47)
  • +23%: API vulnerabilities increased by 23% between 2017 and 2018. (The State of Web Application Vulnerabilities in 2018, Imperva)

Our range of pentests

We cover a wide technical scope, with specific tests for each type of target. The exact area to which the pentest is applied is defined either directly according to your security priorities, or after a reconnaissance audit phase that identifies the parts most at risk from an attacker's point of view.
