Because they are publicly accessible and process sensitive data (for example, customer data in online shops), web applications are a popular target for attackers. The consequences are loss of data and damage to the operator's reputation, which becomes noticeable as a loss of customer confidence. Their complexity and their connections to other systems such as databases considerably increase the risk of a successful attack.
The web applications named by the client, including the software deployed, its patch level, configuration and logic, are subjected to security testing with two methods, penetration testing and fuzzing, in order to identify both already known vulnerabilities and, in particular, previously unrecognized ones (zero-day vulnerabilities). Targeted attacks are carried out from an attacker's point of view, following the BSI guide to penetration testing and the OWASP Testing Guide.
Among other things, the tests check:
- Information leakage: Can an attacker obtain sensitive data such as system configurations, user data or even corporate data without prior authorization?
- Authentication mechanism: Can an attacker circumvent login interfaces, e.g. with bypass attacks, and thereby obtain permissions in the web application?
- Input validation: Can an attacker carry out attacks such as cross-site scripting or SQL injection because the input data is not verified?
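The input-validation check above is easiest to understand on a concrete pair of code paths. The following Python is an added illustration, not code from the page or from the testing provider: it uses a constructed in-memory SQLite table with hypothetical users and shows, side by side, a lookup that concatenates user input into SQL, the same lookup with a bound parameter, an allowlist validator for the input, and an HTML rendering with and without output escaping. The vulnerable variants are kept only to make the weakness visible; the hardened variants are what a review would recommend.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for a web shop's user table (hypothetical names).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "customer"), ("bob", "admin")],
    )
    return conn

# Allowlist validation: accept only the character set a username may legitimately use.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def is_valid_username(name):
    """True only for names matching the allowlist; anything else is rejected outright."""
    return USERNAME_RE.fullmatch(name) is not None

def lookup_vulnerable(conn, name):
    """Query built by string concatenation: the input is neither validated nor
    separated from the SQL grammar, so a crafted value changes the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    """Validation plus a bound parameter: the driver passes the value separately
    from the statement, so the input can never be interpreted as SQL."""
    if not is_valid_username(name):
        return []  # reject malformed input before it reaches the database
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def render_greeting_vulnerable(name):
    """Reflects the input into HTML unchanged: markup in the value becomes markup in the page."""
    return "<p>Hello " + name + "</p>"

def render_greeting_hardened(name):
    """Escapes the value for an HTML text context, so it is shown literally."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed malformed input
    print("concatenated query returns", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized query returns", len(lookup_hardened(db, probe)), "rows")
    print(render_greeting_vulnerable("<b>"))
    print(render_greeting_hardened("<b>"))
```

Run stand-alone, the script shows that the concatenated query returns every row for the malformed value while the parameterized one returns none, and that the escaped greeting renders the angle brackets as literal text. In a test, the same two comparisons (row count and presence of raw markup) are the assertions a tester would record as evidence for this check.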
To achieve the desired level of security, the approach and objectives are agreed with the client in advance. This includes, among other things, identifying the test steps, defining emergency measures and determining which safety-critical systems are to be excluded from the test.
Identified vulnerabilities are rated, and a recommended action is described for each. These form the basis for further action by the client.