Web Application Vulnerability

What is Web Application Penetration Testing?

Security vulnerabilities in web applications may result in theft of confidential data, loss of data integrity, or loss of web application availability. Securing web applications is therefore one of the most urgent tasks today. The most common way of securing a web application is finding and eliminating the vulnerabilities in it. Other ways of securing a web application include safe development


According to OWASP [10], the most efficient way of finding security vulnerabilities in web applications is manual code review. This technique is very time-consuming, requires expert skills, and is prone to overlooked errors. Therefore, the security community actively develops automated approaches to finding security vulnerabilities. These approaches can be divided into two broad categories: black-box and white-box testing. The first approach is based on analysing the web application from the user's side, assuming that the application's source code is not available. The idea is to submit various malicious patterns (implementing, for example, SQL injection or cross-site scripting attacks) into web application forms and then to analyse the application's output. If any application errors are observed, a possible vulnerability is assumed. This approach guarantees neither accuracy nor completeness of the obtained results.

Penetration Testing Based on the OWASP Top 10:

1. Injection

2. Broken Authentication

3. Cross-Site Scripting

4. XML External Entity

5. Security Misconfiguration

6. Sensitive Data Exposure

7. Insecure Deserialization

8. CSRF - Cross-Site Request Forgery

9. Using Components With Known Vulnerabilities

10. Insecure Logging and Monitoring


Web application penetration testing is a strategy for recognizing, analyzing and reporting the vulnerabilities that exist in the target web application given for penetration testing, including buffer overflows, input validation flaws, code execution, authentication bypass, SQL injection, CSRF and cross-site scripting.

Information Gathering

1. Retrieve and analyze hidden files and directories.

2. Examine the version of the software and the database details.

3. Discover loopholes in DNS such as DNS recursion, DNS amplification, DNS inverse queries, DNS zone transfers and web-based DNS searches.

4. Perform directory listing and scanning of URLs and directories using a fuzzer or DirBuster.

5. Intercept the application's entry points using Burp Proxy, OWASP ZAP or TamperIE.

6. Fingerprint the application using fingerprinting tools such as httprecon or Amap, and perform TCP/ICMP and service fingerprinting.

7. Request common file extensions such as .ASP, .EXE, .HTML and .PHP; test for recognized file types, extensions and directories.

8. Examine the source code of the accessible pages of the application front end.

Authentication Testing

1. Check for session fixation, session hijacking and broken authentication in the web application.

2. Check whether any sensitive information remains stored in the browser cache.

3. Use authentication bypass techniques to test whether authentication can be bypassed.

4. Check whether a "Remember my password" mechanism is implemented by checking the HTML code of the login page.

5. Check whether hardware authentication devices communicate directly and independently with the authentication infrastructure over an additional communication channel.

6. Check whether CAPTCHA is used for authentication and whether it presents vulnerabilities.

7. Check whether any weak security questions/answers are present.

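Items 2 and 4 above (credentials left in the browser cache, and a "Remember my password" mechanism visible in the login page's HTML) can be checked mechanically. The following is an added example written for this page, not code from CRAW Security: it parses a constructed login page and its response headers and reports the findings a tester would record. The sample HTML, the header values and the finding texts are all assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample login page (not taken from any real site): the password
# field allows autocomplete and a "remember my password" checkbox is present.
SAMPLE_LOGIN_HTML = """
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="checkbox" name="remember"> Remember my password
  <input type="submit" value="Log in">
</form>
"""

# Constructed response headers for that page: the response is cacheable.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "public, max-age=3600",
}


class _FormCollector(HTMLParser):
    """Collect the attributes of every <form> and <input> tag on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; a value may be None.
        record = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append(record)
        elif tag == "input":
            self.inputs.append(record)


def audit_login_page(html, headers):
    """Return a list of findings for a login page and its response headers."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []

    for form in parser.forms:
        if (form.get("method") or "get").lower() == "get":
            findings.append("login form submits credentials with GET")
        if form.get("action", "").lower().startswith("http://"):
            findings.append("login form action uses plain http://")

    # autocomplete="off" on the <form> itself covers all of its fields
    form_autocomplete_off = any(
        f.get("autocomplete", "").lower() == "off" for f in parser.forms)

    for inp in parser.inputs:
        kind = (inp.get("type") or "text").lower()
        name = inp.get("name", "")
        if (kind == "password" and not form_autocomplete_off
                and inp.get("autocomplete", "").lower() != "off"):
            findings.append("password field %r allows autocomplete" % name)
        if kind == "checkbox" and re.search(r"remember", name, re.I):
            findings.append("'remember me' control %r present" % name)

    # Cache-Control must forbid storing the page (and any credentials in it).
    cache_control = headers.get("Cache-Control", "").lower()
    if "no-store" not in cache_control:
        findings.append("Cache-Control lacks no-store; page may be cached")
    return findings


if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_LOGIN_HTML, SAMPLE_HEADERS):
        print("-", finding)
```

Run against the constructed page, the audit reports three findings: the password field allows autocomplete, a "remember me" control is present, and the response lacks Cache-Control: no-store. The same function returns an empty list for a form carrying autocomplete="off" served with no-store, which is the state a retest should confirm after the fix.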

Authorization Testing

1. Test role and privilege manipulation to access resources.

2. Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web application.

3. Test for cookie manipulation and parameter tampering using a web spider and cookie editing tools such as EditCookie.

4. Test for HTTP verb tampering and check whether it grants illegal access to reserved resources.
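Item 2 above asks the tester to analyze the input validation function that stands between a user-supplied file name and the filesystem. The following is an added example for this page, not code from CRAW Security, showing the defect beside its fix: a resolver that trusts the supplied path, and one that decodes, normalises and then confirms the result is still inside the permitted directory. The base directory and the sample requests are assumptions made for the demonstration; posixpath is used so the results are the same on any operating system.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory from which the application may serve files.
BASE_DIR = "/var/www/app/files"


def vulnerable_resolve(user_path):
    """The 'before' form: joins the user-supplied path straight onto BASE_DIR.
    Parent references ('..') or an absolute path escape the base directory."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def safe_resolve(user_path):
    """Decode, normalise, then confirm the result still lies inside BASE_DIR.
    Returns the resolved path, or None when the request must be refused."""
    decoded = unquote(user_path)  # validate the form the filesystem would see
    if "\x00" in decoded:         # NUL truncates paths in many C-level APIs
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # Compare with a trailing separator so that '/var/www/app/files_old/x'
    # is not accepted as a child of '/var/www/app/files'.
    if candidate == BASE_DIR or candidate.startswith(BASE_DIR + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest attempts to leave BASE_DIR.
    for req in ["reports/2020.pdf", "../../../../etc/passwd", "/etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "../files_old/x"]:
        print("%-40s vulnerable=%-28s safe=%s"
              % (req, vulnerable_resolve(req), safe_resolve(req)))
```

The prefix comparison is the part most often got wrong: checking that the normalised path merely starts with the directory name accepts sibling directories that share the prefix, which is why the check includes the separator. Decoding before validation matters for the same reason the checklist asks for input vector enumeration: the validation must see the same string the filesystem will.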

Configuration Management Testing

1. Check directory and file enumeration; review server and application documentation.

2. Analyze the web server banner (banner grabbing) and perform network scanning.

3. Check and identify the ports associated with SSL/TLS services using Nmap and Nessus.

4. Review the OPTIONS HTTP method using Netcat and Telnet.

5. Test for HTTP methods and XST (cross-site tracing) that could expose the credentials of legitimate users.

Session Management Testing

1. Check the URLs in the restricted area to test for cross-site request forgery.

2. Check for insecure direct object reference loopholes in the web application.

3. Test for exposed session variables by inspecting encryption and reuse of session tokens, proxies and caching, and GET/POST handling.

4. Collect a sufficient number of cookie samples, analyze the cookie generation algorithm and attempt to forge a valid cookie in order to perform an attack.

5. Test for session fixation, to prevent stealing of user sessions (session hijacking).
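Items 3 and 4 above come down to two questions about a session cookie: is it protected in transit and in the browser, and does its value vary enough between sessions that it cannot be guessed? The following is an added example for this page, not code from CRAW Security. It audits constructed Set-Cookie lines for the Secure, HttpOnly and SameSite attributes, and estimates the per-position entropy of a set of collected token samples so a counter-based scheme can be told apart from a random one. The cookie lines, the token samples and the 1-bit-per-character threshold are assumptions made for the demonstration.

```python
import math
from collections import Counter

# Constructed Set-Cookie lines (not captured from any real application).
SAMPLE_SET_COOKIE = [
    "SESSIONID=00000123; Path=/",
    "SESSIONID=b4c6e829; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Constructed session-token samples, as a tester would collect over repeated
# logins: a counter-based scheme and a random-looking one.
SEQUENTIAL_TOKENS = ["00000123", "00000124", "00000125",
                     "00000126", "00000127", "00000128"]
RANDOM_TOKENS = ["a3f9c1b2", "7e02d4ff", "c91b8a60",
                 "0d5e7f13", "b4c6e829", "5f1a9d77"]


def audit_cookie_attributes(set_cookie_line):
    """Return the hardening attributes missing from one Set-Cookie line."""
    attrs = [p.strip().lower() for p in set_cookie_line.split(";")[1:]]
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")        # token would be sent over plain HTTP
    if "httponly" not in attrs:
        missing.append("HttpOnly")      # readable by injected script (XSS)
    if not any(a.startswith("samesite=") for a in attrs):
        missing.append("SameSite")      # sent on cross-site requests (CSRF)
    return missing


def positional_entropy(tokens):
    """Average Shannon entropy in bits per character position over a set of
    equal-length tokens. A position that never changes contributes 0 bits; a
    token drawn from a CSPRNG approaches log2(alphabet size) at every position."""
    length = len(tokens[0])
    n = len(tokens)
    total = 0.0
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / length


def classify_tokens(tokens, min_bits_per_char=1.0):
    """Flag a token scheme whose samples barely vary between sessions."""
    bits = positional_entropy(tokens)
    return "predictable" if bits < min_bits_per_char else "random-looking"


if __name__ == "__main__":
    for line in SAMPLE_SET_COOKIE:
        print(line.split(";")[0], "missing:", audit_cookie_attributes(line))
    for name, toks in [("sequential", SEQUENTIAL_TOKENS), ("random", RANDOM_TOKENS)]:
        print(name, "%.2f bits/char" % positional_entropy(toks), classify_tokens(toks))
```

The entropy figure is a screening test, not a proof of randomness: with n samples no position can score above log2(n) bits, so a small collection can only expose schemes that are obviously predictable (a fixed prefix with an incrementing suffix, as in the sequential sample). A scheme that passes here still needs the token to come from a cryptographically secure generator with enough bits, which the application's source, not its output, confirms.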

Data Validation

1. Perform source code analysis for JavaScript coding errors.

2. Perform union query SQL injection testing, standard SQL injection testing and blind SQL injection testing, using tools such as sqlninja, SQLDumper and SQL Power Injector.

3. Analyze the HTML code and test for stored XSS and leveraging stored XSS, using tools such as XSS Proxy, Backframe, Burp Proxy, OWASP ZAP and XSS Assistant.

4. Perform LDAP injection testing for sensitive information about users and hosts.

5. Perform IMAP/SMTP injection testing for access to the backend mail server.

6. Perform XPath injection testing for access to confidential information.

7. Perform XML injection testing to learn about the XML structure.

8. Perform code injection testing to identify input validation errors.

9. Perform buffer overflow testing for stack and heap memory information and application control flow.

10. Test for HTTP splitting and smuggling for cookies and HTTP redirect information.

Denial of Service Testing

1. Perform stress testing of the application.

2. Perform manual source code analysis and submit a range of inputs of varying lengths to the application.

3. Test for SQL wildcard attacks for application information testing.

4. Test user-specified object allocation: check whether there is a maximum number of objects that the application can handle.

5. Enter an extremely large number in an input field that the application uses as a loop counter.
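Items 2, 4 and 5 above all probe the same weakness: request parameters that set the size of the work the server does. The following is an added example for this page, not code from CRAW Security. It shows a handler that lets a request choose a loop count and a copied field with no upper bound, the hardened form that validates both before allocating anything, and two small probes that submit inputs of varying length and varying count and record which ones were accepted. The limits, the parameter names and the handler's behaviour are assumptions made for the demonstration.

```python
MAX_ITEMS = 100       # assumed upper bound on user-supplied object counts
MAX_FIELD_LEN = 256   # assumed upper bound on a text field
MAX_COUNT_DIGITS = 6  # reject absurdly long numerals before int() sees them


def vulnerable_handler(params):
    """The 'before' form: 'count' drives a loop and an allocation, and
    'label' is copied for every item, both with no upper bound."""
    count = int(params.get("count", "1"))
    label = params.get("label", "")
    items = []
    for _ in range(count):
        items.append(label)
    return True, items


def hardened_handler(params):
    """Validate the request before doing any work proportional to it.
    Returns (accepted, result_or_reason)."""
    raw_count = params.get("count", "1")
    if not raw_count.isdigit() or len(raw_count) > MAX_COUNT_DIGITS:
        return False, "count must be a positive integer"
    count = int(raw_count)
    if not 1 <= count <= MAX_ITEMS:
        return False, "count must be between 1 and %d" % MAX_ITEMS
    label = params.get("label", "")
    if len(label) > MAX_FIELD_LEN:
        return False, "label longer than %d characters" % MAX_FIELD_LEN
    return True, [label] * count


def probe_lengths(handler, lengths):
    """Submit a label of each length and record whether it was accepted
    (checklist item 2: inputs of varying length)."""
    return {n: handler({"count": "1", "label": "A" * n})[0] for n in lengths}


def probe_counts(handler, counts):
    """Submit each count value as a string and record whether it was accepted
    (checklist items 4 and 5: object counts and loop counters)."""
    return {c: handler({"count": c, "label": "x"})[0] for c in counts}


if __name__ == "__main__":
    # Only the hardened handler is probed with large values here; the
    # vulnerable one would actually allocate what it is asked for.
    print(probe_lengths(hardened_handler, [10, 256, 257, 10000]))
    print(probe_counts(hardened_handler, ["1", "100", "101", "999999999"]))
```

The digit-count check runs before int() on purpose: a numeral thousands of characters long is itself a cheap way to make a parser work, so the cheapest rejection comes first. The probes are deliberately run only against the hardened handler in the main block, since the vulnerable handler would honour a nine-digit count.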
