Application Security Assessments - Priosec

By: Priosec  09-12-2011
Keywords: Security, Security solutions, Application Security

Why Perform A Web Application Security Assessment?

Websites are now an essential business tool, not only as a means of generating revenue, but also for connecting employees, customers, and partners around the world. Through this same medium, however, highly sensitive data can be compromised. There are an astounding number of overlooked vulnerabilities in today's Web applications. These anomalies provide attackers with gateways to your information, thus jeopardizing your livelihood and potentially tarnishing your reputation as a trusted partner.

Maintaining and ensuring the security of a Web application can be a complicated process. With proper guidance, however, workable solutions are within reach. Using a wide array of custom and commercial tools, our assessments provide insight into root causes and suggest suitable means of addressing them.

The objective of an application security test is to assess the security of a web-based application that shares information with, or provides services to, business partners, clients, and employees, and to suggest solutions for improving existing security practices.

Application security solutions consist of simulated attacks against Web-based environments, specifically focusing on application-based vulnerabilities and interconnecting middleware packages.

The Priosec Application Security Testing methodology contains discovery and penetration procedures aimed at exploiting weaknesses in web-based applications. A portion of the methodology is comprised of the following activities:

Phase One: Preparation Work

In this phase the Priosec toolkit is updated to reflect the current state-of-the-art technologies and practices in application testing. New tools are tested and reviewed in a controlled environment, and any gaps revealed during tool testing are analyzed and resolved.

Phase Two: Reconnaissance

The objective of this phase is to gain an understanding of how the application functions and to identify interconnecting application middleware packages and their associated security anomalies.

Priosec will collect as much information as possible about the target application and the technologies that house it. The project team begins by collecting detailed information about the target application through a variety of application and network scanning techniques and tools. We attempt to identify potential risks and determine where successful attacks would likely focus.

Phase Three: Application Security Testing

Testing here focuses on the application's custom components. Testing in this phase assumes that the attacker cannot compromise the server itself and must go through the application front end.

Issues identified during this phase are specific to the programming practices of associated application developers.

The point of Application Interrogation is to attempt to manipulate the functionality of the application so that it either performs undesirable processes (such as freely obtaining merchandise via online ordering) or directly compromises the server itself through the web application.

Some examples of attacks would include:

  • SQL and command injection;
  • Cross-site scripting;
  • Directory traversals and indexing;
  • Buffer overflows;
  • Meta-character vulnerabilities such as format string issues;
  • Null injections;
  • Obtaining usernames on the system – this could be as simple as reviewing error messages from the login screen;
  • Brute forcing passwords for obtained usernames;
  • Guessing temporary username/password combinations;
  • Session replay or hijacking attacks;
  • Session manipulation attacks; and
  • Applying statistical correlation techniques to analyze the effectiveness of session ID randomness, which could then be used to hijack newly authenticated users.

Once testing is complete, the project team attempts to exploit vulnerabilities related to application trickery or "logic flaws". Can an attacker, for example, modify the price of a purchase right before their credit card is charged, so that the merchant ends up owing them money after the purchase is made? Or could an attacker access the admin page simply by typing in its URL and skipping the authorization page?
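Both logic flaws above have the same root cause: the server trusts a value the client controls (a submitted price, or the mere knowledge of a URL). The following is an added illustration of the server-side checks that close them; it is not Priosec's code, and the catalogue, user store, and handler names are constructed for the example.

```python
from decimal import Decimal
from typing import Optional

# Constructed catalogue and user store standing in for a real database.
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("120.00")}
USERS = {"alice": {"role": "customer"}, "root": {"role": "admin"}}


class CheckoutError(Exception):
    pass


def charge_total(cart: dict) -> Decimal:
    """Return the amount to charge, using only server-side prices.

    `cart` is the client-submitted form: {sku: {"qty": n, "price": p}}.
    The submitted "price" is ignored entirely, so a tampered form cannot
    lower the charge or turn it negative; quantity is validated as well.
    """
    total = Decimal("0")
    for sku, item in cart.items():
        if sku not in CATALOGUE:
            raise CheckoutError(f"unknown sku {sku}")
        qty = int(item.get("qty", 0))
        if qty <= 0:
            raise CheckoutError(f"invalid quantity for {sku}")
        total += CATALOGUE[sku] * qty
    return total


def admin_page(session_user: Optional[str]) -> int:
    """Simulate the /admin handler and return an HTTP status code.

    The authorization check lives in the handler itself rather than in
    the page that links to it, so requesting the URL directly without an
    admin session still fails (401 unauthenticated, 403 wrong role).
    """
    if session_user is None:
        return 401
    if USERS.get(session_user, {}).get("role") != "admin":
        return 403
    return 200
```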

