Web Application Penetration Testing

Untested applications remain the most common point of attack on an organisation.

Web application vulnerabilities have resulted in the theft of millions of credit cards,
and compromised critical information for organisations and end users.

What is a web application Penetration Test?

A Web Application Penetration test is an authorised hacking attempt on open source and custom web applications. The aim of this test is to identify and exploit vulnerabilities relating to: authorisation, security configuration and data protection mechanisms.

Shearwater’s Web Application Penetration Testing Methodology

Reconnaissance and Analysis

This stage consists of two steps:

1- Mapping the application:

At this stage we map a web application – using manual and automated means – to ensure that all pages in scope are identified for closer analysis. We then identify content that should not be available to users, such as, default install pages.

We also subject the application to abnormal HTTP requests to determine the various responses provided by the site and server, including examining responses for debug behaviour.

2- Analysis of the results:

We examine the results to determine application functionality, potential entry points, and technology used.

Testing and Exploitation

Using the information identified in the initial phase, we test the application for potential vulnerabilities. We then attempt to exploit found vulnerabilities and take maximum advantage of the application. This will provide your organisation with the ability to produce an accurate threat and risk assessment.

Areas tested typically include:

Client Side Controls – Authentication Issues – Session Management – Access Controls, Fuzzing – Server and Hosting Issues – Logic Flaws.

Each of the above areas could indicate an avenue for exploitation.

Post Exploitation

On successful completion of the testing and exploitation phase, any changes to the application will be restored to the state prior to the commencement of the penetration test. This will provide a known security baseline for your organisation.

Our methodologies are planned and scheduled to be non-disruptive, and we work around ensuring uptime throughout our testing.

Reporting

After completion of the testing phase, Shearwater will issue a thorough report which lists the vulnerabilities and exploits categorised according to risk level. Alongside this will be recommendations for mitigation strategies based on Shearwater’s key insights into the cyber-threat landscape.

SEH can also conduct debriefing sessions targeting two separate audiences: a technical debriefing aimed at system administrators and engineers, and an executive debriefing tailored for the technology management group.

The management session provides the information needed to determine the appropriate risk management strategy. The technical briefing is intended for knowledge transfer – of the lessons learned during the penetration test – to developers.

Shearwater: The Gold Standard in Penetration Testing

Here is how we raise the bar:

Penetration_Testing_Comprehensive_Reporting

Comprehensive Reporting
Shearwater offers in-depth executive level reporting which serves as a risk minimisation tool for management, and a technical document – listing vulnerabilities prioritised according to risk level – for the internal security team. The report also provides access to mitigation strategies based on Shearwater’s key insights into the cyber-threat landscape.

Penetration_Testing_Post_Engagement_Followup

Post Engagement Follow Up
Our post engagement follow-up is an additional benefit that allows clients to engage us with questions, or seek guidance on issues referred to in our report.

Testing Standards
The Open Web Application Security Project (OWASP)
The National Institute of Standards and Technology (NIST)
Source Security Testing Methodology Manual (OSSTMM)
Penetration Testing and Execution Standard (PTES)
Penetration Testing Framework
Australian Government Security Policies and Guidelines

Customer Centricity
We listen to our clients to understand their goals. Our team also alerts security staff – in real time – to critical vulnerabilities and threats discovered.

Our Certifications

Request a FREE Consultation

Call us on 1300 228 872 or submit the form below

Web Application Penetration Testing

Untested applications remain the most common point of attack on an organisation.

Web application vulnerabilities have resulted in the theft of millions of credit cards,
and compromised critical information for organisations and end users.

What is a web application Penetration Test?

Shearwater’s Web Application Penetration Testing Methodology

Shearwater: The Gold Standard in Penetration Testing

Here is how we raise the bar:

Our Certifications

Compliance

Penetration Testing

Managed Services

Phishing Prevention

Company

Subscribe to Our Security Updates

Search for products or services

Web Application Penetration Testing

Untested applications remain the most common point of attack on an organisation.

Web application vulnerabilities have resulted in the theft of millions of credit cards, and compromised critical information for organisations and end users.

What is a web application Penetration Test?

Shearwater’s Web Application Penetration Testing Methodology

Shearwater: The Gold Standard in Penetration Testing

Here is how we raise the bar:

Our Certifications

Compliance

Penetration Testing

Managed Services

Phishing Prevention

Company

Subscribe to Our Security Updates

Search for products or services

Web application vulnerabilities have resulted in the theft of millions of credit cards,
and compromised critical information for organisations and end users.