Why Perform A Web Application Security Assessment?
Websites are now an essential business tool, not only as a means of generating revenue but also for connecting employees, customers, and partners around the world. Through this same medium,
however, highly sensitive data can be compromised. Today's Web applications contain an astounding number of overlooked vulnerabilities. Each of these weaknesses gives an attacker a gateway to your
information, jeopardizing your livelihood and potentially tarnishing your reputation as a trusted partner.
Maintaining and ensuring the security of a Web application can be a complicated process. With proper guidance, however, workable solutions are within reach. Using a wide array of custom and
commercial tools, our assessments identify root causes and suggest suitable means of addressing them.
The objective of an application security test is to assess the security of a web-based application that is used to share information and/or provide services to business partners,
clients, and employees, and to suggest solutions for improving existing security practices.
Application security assessments consist of simulated attacks against Web-based environments, focusing specifically on application-level vulnerabilities and the interconnecting middleware packages.
The Priosec Application Security Testing methodology contains discovery and penetration procedures aimed at exploiting weaknesses in web-based applications. A portion of the methodology
comprises the following activities:
Phase One: Preparation Work
In this phase the Priosec toolkit is updated to reflect the current state of the art in application testing tools and practices. New tools are tested and reviewed in a controlled
environment, and any gaps revealed during tool testing are analyzed and resolved.
Phase Two: Reconnaissance
The objective of this phase is to gain an understanding of how the application functions and to identify interconnecting application middleware packages and their associated security
Priosec collects as much information as possible about the target application and the technologies that host it. The project team begins by gathering detailed information about the target
application through a variety of application and network scanning techniques and tools. We attempt to identify potential risks and determine where successful attacks would likely
Phase Three: Application Security Testing
Testing here focuses on the application's custom components. Testing in this phase assumes that the attacker cannot compromise the server itself and is required to face the application
Issues identified during this phase are specific to the programming practices of the application's developers.
The point of application interrogation is to manipulate the functionality of the application so that it either performs undesirable processes (such as obtaining merchandise for free
via online ordering) or directly compromises the server itself through the web application.
Some examples of attacks include:
- SQL and command injection;
- Cross-site scripting;
- Directory traversal and directory indexing;
- Meta-character vulnerabilities such as format string issues;
- Null-byte injection;
- Obtaining usernames on the system, which can be as simple as reviewing the error messages returned by the login screen;
- Brute-forcing passwords for the usernames obtained;
- Guessing temporary username/password combinations;
- Session replay or hijacking attacks;
- Session manipulation attacks; and
- Applying statistical correlation techniques to analyze the effectiveness of session ID randomness, which could then be used to hijack newly authenticated users.
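The last item above, statistical analysis of session ID randomness, in working code. This is an added example and not code from the original page or from the Priosec toolkit: it constructs a weak session ID generator (an incrementing counter joined to an epoch timestamp, a pattern seen in homegrown schemes) next to a CSPRNG-based one, then applies two simple checks to a sample of each, average per-position Shannon entropy and consecutive-difference correlation, and uses the dominant difference to predict the next ID. The generators, sample sizes and field layout are assumptions made for the demonstration.

```python
# Added example: statistical checks on session-ID randomness (not code from the original page).
import math
import secrets
from collections import Counter


def weak_session_ids(n, start=1000, t0=1_700_000_000):
    """Constructed weak generator: an incrementing counter concatenated with an
    epoch-seconds timestamp, both as 8 hex digits. Purely illustrative."""
    return [f"{start + i:08x}{t0 + i:08x}" for i in range(n)]


def strong_session_ids(n):
    """64-bit tokens from the OS CSPRNG, the pattern a framework should use."""
    return [secrets.token_hex(8) for _ in range(n)]


def per_position_entropy(ids):
    """Average Shannon entropy (bits) of the hex digit at each position.
    A uniformly random hex digit carries 4 bits; constant or slowly changing
    positions (fixed prefixes, timestamps, counters) pull the average down."""
    n = len(ids)
    width = len(ids[0])
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total / width


def delta_correlation(ids):
    """Fraction of consecutive pairs whose integer difference equals the most
    common difference. Close to 1.0 means the next ID follows from the last."""
    vals = [int(s, 16) for s in ids]
    deltas = Counter(b - a for a, b in zip(vals, vals[1:]))
    _, freq = deltas.most_common(1)[0]
    return freq / (len(vals) - 1)


def predict_next(ids):
    """Replay the most common difference to guess the next ID; only meaningful
    when delta_correlation() is high."""
    vals = [int(s, 16) for s in ids]
    deltas = Counter(b - a for a, b in zip(vals, vals[1:]))
    step = deltas.most_common(1)[0][0]
    return f"{vals[-1] + step:0{len(ids[-1])}x}"


def analyze(ids):
    """Summarise a sample of session IDs captured from a target."""
    return {
        "entropy_bits_per_hex_digit": round(per_position_entropy(ids), 2),
        "delta_correlation": round(delta_correlation(ids), 2),
        "predicted_next": predict_next(ids),
    }


if __name__ == "__main__":
    for label, sample in (("weak", weak_session_ids(200)),
                          ("strong", strong_session_ids(200))):
        print(label, analyze(sample))
```

In practice the sample would be a few hundred IDs collected by logging in repeatedly; the weak generator scores near 1.0 on delta correlation and well under 4 bits per digit, while the CSPRNG tokens score near 0 and close to 4 bits. A high delta correlation means an attacker who observes one fresh session can enumerate the sessions issued immediately after it.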
Once testing is complete, the project team attempts to exploit vulnerabilities related to application trickery, or "logic flaws". Can an attacker, for example, modify the price of a purchase
right before the credit card is charged, resulting in the merchant owing them money after the purchase is made? Or could an attacker reach the admin page by simply typing in the URL and skipping the
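Both logic flaws described above, price tampering at checkout and forced browsing to an admin page, shown as a vulnerable handler beside a hardened one. This is an added example, not code from the original page or from any application Priosec assessed; the catalog, user store, form fields, paths and session layout are constructed for the demonstration.

```python
# Added example: two business-logic flaws, each vulnerable handler beside a
# hardened one. Not code from the original page; the catalog, users, form
# fields and session layout are constructed for the demonstration.
from decimal import Decimal

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}

# Constructed user store: roles live server-side, never in a cookie or form field.
USERS = {"alice": {"role": "customer"}, "root": {"role": "admin"}}


class CheckoutError(ValueError):
    pass


def vulnerable_charge(form):
    """Logic flaw: the total is computed from a price the browser posted
    (a hidden form field), so an attacker submits a negative or zero price."""
    return Decimal(form["price"]) * int(form["quantity"])


def hardened_charge(form):
    """The client may only name a SKU and a quantity; the price is looked up
    server-side, the quantity is bounded, and the total must be positive."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise CheckoutError("unknown sku")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise CheckoutError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise CheckoutError("quantity out of range")
    total = CATALOG[sku] * qty
    if total <= 0:
        raise CheckoutError("non-positive total")
    return total


def vulnerable_route(path, session):
    """Forced browsing: /admin is unlinked but served to anyone who types the URL."""
    if path == "/admin":
        return 200, "admin panel"
    return 404, ""


def hardened_route(path, session):
    """Authorization is enforced on the privileged path itself, against the
    role recorded in the server-side session, not by hoping nobody finds the URL."""
    if path == "/admin":
        user = USERS.get(session.get("user"))
        if user is None:
            return 401, ""          # not authenticated
        if user["role"] != "admin":
            return 403, ""          # authenticated but not authorized
        return 200, "admin panel"
    return 404, ""


if __name__ == "__main__":
    tampered = {"sku": "sku-100", "price": "-49.99", "quantity": "1"}
    print("vulnerable total:", vulnerable_charge(tampered))
    try:
        hardened_charge({"sku": "sku-100", "quantity": "0"})
    except CheckoutError as e:
        print("hardened rejected:", e)
    print("hardened total:", hardened_charge(tampered))  # posted price is ignored
    print("vulnerable /admin, anonymous:", vulnerable_route("/admin", {}))
    print("hardened /admin, anonymous:", hardened_route("/admin", {}))
    print("hardened /admin, alice:", hardened_route("/admin", {"user": "alice"}))
```

The two fixes share one principle: anything that decides money or privilege (price, role) is recomputed from server-side state on every request, and client input is reduced to identifiers that are validated against that state.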