Web Application Security Assessment

As more organizations rely on web applications for day-to-day business operations and for interaction with the public, web applications have become a common entry point for attackers seeking sensitive information. Many organizations are exposed because they never planned for security controls on these applications that are on par with their enterprise-wide controls. For this reason, a web application security assessment is important to any organization that uses this technology to interact with its clients and vendors.

Consumer demand for immediate information ensures that this platform will keep growing. Forward-thinking organizations deliver these features securely because they test before launch and build security into the roll-out of these services.

A web application security assessment can be performed on internally or externally accessible web applications. The web application, whether off-the-shelf or custom built, is reviewed for the most common and critical vulnerabilities known today, drawing on sources such as the Verizon Data Breach Investigations Report (DBIR) and the OWASP Top 10.

A web application security assessment includes an examination of web application configurations, users and groups, permissions, access controls, password resets, password strength, injection vulnerabilities, account and session controls, and user enumeration.

Specific checks in a web application security assessment include the following:

  • Authorization Testing
    • Directory Traversal/File Include
    • Bypassing Authorization Schema
    • Privilege Escalation
    • Insecure Direct Object References
  • Session Management Testing
    • Cookies Attributes
    • Session Fixation
    • Exposed Session Variables
    • Cross Site Request Forgery
    • Logout Functionality
    • Session Timeout
  • Data Validation Testing
    • Reflected Cross Site Scripting
    • Stored Cross Site Scripting
    • HTTP Verb Tampering
    • HTTP Parameter Pollution
    • SQL Injection
    • Local File Inclusion
    • Remote File Inclusion
    • Command Injection
    • Buffer Overflow
  • Error Handling
    • Error Code Analysis
  • Cryptography
    • Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
    • Padding Oracle
    • Sensitive Information Sent Via Unencrypted Channels
  • Business Logic Testing
    • Business Logic Data Validation
    • Ability to Forge Requests
    • Limits on the Number of Times a Function Can Be Used
    • Circumvention of Work Flows
    • Defenses Against Application Misuse
    • Upload of Unexpected File Types
    • Test Upload of Malicious Files
    • Analysis of Stack Traces
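Two of the Session Management Testing items above, Cookies Attributes and Session Fixation, can be checked passively from captured HTTP responses. The script below is an added example, not part of the assessment service or any tool it uses: it parses Set-Cookie headers, reports missing Secure, HttpOnly and SameSite attributes (and persistent session cookies), and checks that the session ID issued after login differs from the one held before login. The Set-Cookie headers and the list of session cookie names are constructed assumptions; against a real target you would feed in the headers from the pre-login and post-login responses.

```python
"""Passive checks for two Session Management Testing items: cookie attributes,
and session fixation (session ID not rotated at login).
Added example; every header below is constructed, not captured from a real site."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for bare flags such as Secure
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


# Names commonly used for the framework session cookie (assumption; extend per target).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session", "sid"}


def check_cookie_attributes(cookie: Cookie, over_https: bool = True) -> List[str]:
    """Return one finding per missing or weak attribute; empty list if the cookie is sound."""
    findings: List[str] = []
    is_session = cookie.name.lower() in SESSION_COOKIE_NAMES
    if over_https and "secure" not in cookie.attrs:
        findings.append(f"{cookie.name}: missing Secure, cookie is also sent over cleartext HTTP")
    if is_session and "httponly" not in cookie.attrs:
        findings.append(f"{cookie.name}: missing HttpOnly, session token is readable by injected script")
    samesite = (cookie.attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{cookie.name}: SameSite absent or None, cookie rides along on cross-site requests (CSRF)")
    if is_session and ("expires" in cookie.attrs or "max-age" in cookie.attrs):
        findings.append(f"{cookie.name}: persistent session cookie, survives browser close")
    return findings


def _cookie_value(set_cookie_headers: List[str], name: str) -> Optional[str]:
    """Value of the named cookie among a response's Set-Cookie headers, or None if not set."""
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() == name.lower():
            return cookie.value
    return None


def session_id_rotated(pre_login: List[str], post_login: List[str], name: str) -> bool:
    """Session fixation check: the session ID handed out after successful
    authentication must differ from the one the client held before login.
    Returns False if the login response reuses the old ID or issues none at all."""
    before = _cookie_value(pre_login, name)
    after = _cookie_value(post_login, name)
    return after is not None and after != before


# Constructed Set-Cookie headers standing in for the pre-login and two possible login responses.
PRE_LOGIN_RESPONSE = ["PHPSESSID=5f1c0a1b; Path=/"]
LOGIN_RESPONSE_WEAK = ["user=alice; Path=/; Secure"]  # no new PHPSESSID issued: fixation
LOGIN_RESPONSE_SOUND = ["PHPSESSID=9ab3e7c4; Path=/; Secure; HttpOnly; SameSite=Lax"]


if __name__ == "__main__":
    for header in PRE_LOGIN_RESPONSE + LOGIN_RESPONSE_SOUND:
        print(header, "->", check_cookie_attributes(parse_set_cookie(header)) or ["OK"])
    print("weak login rotates session ID:",
          session_id_rotated(PRE_LOGIN_RESPONSE, LOGIN_RESPONSE_WEAK, "PHPSESSID"))
    print("sound login rotates session ID:",
          session_id_rotated(PRE_LOGIN_RESPONSE, LOGIN_RESPONSE_SOUND, "PHPSESSID"))
```

The fixation check deliberately treats "no session cookie in the login response" as a failure: if the server keeps using the ID the client arrived with, an attacker who planted that ID (via a link, a subdomain, or an injected Set-Cookie) inherits the authenticated session once the victim logs in.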