Web App Penetration Testing

Web app penetration testing is laser-focused on helping partners secure their customers' Internet-facing web applications. PriorityOne will evaluate the implementation of security controls for web applications by simulating real-world attacks.

The exploitation phase of web application penetration testing differs from internal/external penetration testing. PriorityOne will specifically attempt the following methods of exploitation: SQL injection, cross-site scripting, user context switching, directory traversal, and cookie handling.

PriorityOne uses the Open Web Application Security Project (OWASP) Top Ten framework as a guide for all of our web application penetration tests. OWASP is an open community, meaning it receives input from small and large organizations in just about every vertical market. The community's goal is to help organizations develop and maintain web applications that can be trusted. The current Top Ten vulnerabilities facing web applications are:

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

Because PriorityOne cares about keeping your customers safe, we'll work with them to ensure that a risk mitigation plan is in place prior to any testing efforts.

Our structured approach follows the steps below.

Planning
Defining the scope, rules of engagement, scheduling, communication planning, and acceptance criteria.

Discovery
Information gathering that will be used for the attack. Potential targets, vulnerabilities, and exploits are identified. Discovered assets are compared against known vulnerability databases to aid in penetration testing efforts.

Attack
Exploitation of targets based on discovered information. We'll use a combination of manual and automated techniques, scripts, and toolkits to circumvent security controls.

Reporting
Documentation of successful exploits and their corresponding vulnerabilities and assets.

After web application penetration testing is complete, a PriorityOne security engineer will consult with your customer on application security. Consulting will cover how to best secure sensitive data in the web application's backend database.

PriorityOne's web application penetration testing service will help your customers comply with the following regulations:

  • PCI Requirement 11.3.1

  • New York State Department of Financial Services 23 NYCRR 500 §500.05(a)(1)

  • Gramm-Leach-Bliley Act §501(b)

  • Federal Trade Commission 16 CFR Part 314