Web application penetration testing also known as website penetration testing is a point-in-time security assessment of a web application and web server. The web application penetration test is a consultant lead manual security assessment, helping identify security issues with all core web application functionality.
A web application penetration test simulates a real-world attack, identifying security issues within your organisations web applications, website and web services such as REST and SOAP API’s. Identified security issues are documented in a severity ordered report with clear recommendation instructions, allowing your organisation to fix and secure identified security issues. Fixing the identified security proactively will help prevent your web applications becoming compromised, potentially breaching sensitive and personal information which could lead to brand damage.
Table of Contents
Web app security testing provides clear remediation instructions for discovered security issues, allowing your team to fix any issues discovered during the web app penetration test.
Our web application security assessments are carried out by experienced, certified security consultants. Web application testing will help your organisation:
The following issues are assessed during website penetration testing:
We providing a clear easy to understand report with recommendations and fix instructions, allowing your team to resolve discovered security issues.
Performing web security testing will enable your organisation to identify and fix potential vulnerabilities and security issues within your web applications or web servers.
Web application pen testing combines both automated vulnerability scans and advanced manual web application security to ensure all areas of your web applications are assessed. Our assessment use industry-approved methodologies, and our web application penetrations testers are both CREST & OSCP certified so you can be sure our web application security assessments exceed the industry standards. Our assessments do not contain limitations, our consultants use a risk based assessment model, meaning we focus our time on the higher risk issues that have the potential to become business critical first.
Web applications are inherently insecure, while the industry has made significant improvements in recent years with the adoption of open source frameworks mistakes are still common and a number backends are now often insecurely exposed, a reflection of this is insecure API access being recently added to the OWASP 2017 top 10. Web application penetration testing will assess all areas of the OWASP top 10 and test your host or cloud providers security control to help ensure your applications are secure and not vulnerable to attack.
Modern web applications typically use frameworks with API backends and are essentially front ends for users that send requests to a backend SOAP or REST API also known as a RESTful web service. Incorrectly secured API’s are easy to exploit and endpoints that do not have the correct controls in place to rate limit malicious users are particularly susceptible to automated attacks.
Aptive provide website penetration testing, which we treat as the same service as a web app security assessment. Website pen testing uses an OWASP based methodology where all areas of the OWASP top 10 are assessed, our webite security testing also covers additional security testing in the OWASP testing framework and our own internal methodology.
Our internal web app penetration testing methodology is based on the OWASP testing framework (Open Web Application Security Project), our web app security testing services cover all areas of the OWASP top 10 using manual and semi-manual testing methods.
Aptive provide a clear easy to understand report that provide an executive summary narrative, a technical summary, graphs that clearly display the discovered vulnerabilities and the assigned severity. Each web app security issue has a CVSSv3.0 assigned score, business impact, summary, technical description, evidence and our recommendation for remediation or mitigation.
In addition to the report we provide a remediation plan spreadsheet for your team to work through during the remediation phase of the assessment. During the remediation phase of the assessment we are available for any questions or clarification that you may require, by email or phone.
After the remediation work has been completed by your team, we provide free retesting for all discovered web app security issues.
If any high or critical severity issues are discovered during the web application security assessment, we will notify you immediately.
|Web Application||£2,000||Price for a manual web application penetration test for a single web application consisting of less than 100 static/dynamic pages, 3 levels of authentication. The web app security test includes file upload testing and all areas of the OWASP testing methodology.|
|Web Application 2||£3,000||Price for a manual web application penetration test for a single web application consisting of less than 200 static/dynamic pages, 5 levels of authentication. The web app security test includes file upload testing and all areas of the OWASP testing methodology.|
The OWASP top 10 are listed below:
In short the OWASP top 10 represents the top 10 most critical web application security issues and vulnerabilities.
Working with you to identify all systems / applications that need testing.
Web App Penetration Testing
Hands on penetration testing is completed by our CREST accredited team, this process uses a large range of attack methodologies.
Delivering a clear easy to understand severity ordered report, detailing identified issues and associated remediation steps.
Further explanation and demonstrations of vulnerabilities / exploits.
Free re-testing is included with all our services, helping your business reduce security risks.
Execute a real-world attack and understand the level of risk that exists at a single moment in time.
Complement your automated scanning to better identify and validate all security vulnerabilities.
Provide management with an understanding of the level of risk introduced by the web application.
Plan a cost-effective and targeted mitigation approach from idenitified security issues.
Various standards such as ISO27001 and PCI DSS require a penetration test.
Create a foundation for future decisions regarding information security strategy and resource allocation.