
Web application and
web service penetration tests

Web application and web service penetration testing refers to the investigation of web-based software systems on the application layer from the perspective of a malicious actor.

The simulation of malicious activities to identify vulnerabilities is carried out via the public Internet or from a company’s internal network and includes …

Web applications
e.g. web stores, content management systems (CMS), portals, etc.
Web services
e.g. RESTful APIs, SOAP services, WebSockets, etc.

Why penetration testing?

Due to the ongoing digitalization of business processes in particular, more and more business-critical areas are accessible via the public Internet.

Adequate protection against malicious attackers is therefore important in order to avoid possible technical and financial damage (e.g. due to data loss, restriction of availability).

Web application and web service penetration testing can be used to identify vulnerabilities within a web-based application system by simulating malicious activity to determine existing security risks for an application and its users.

By recommending specific measures to eliminate identified vulnerabilities, the software quality in the area of IT security can be increased and sufficient protection against successful attacks can be guaranteed.

In general, security tests can be used to check the following protection goals [1] according to the German Federal Office for Information Security (BSI):

Confidentiality
“Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information may only be accessible to authorized persons in the permitted manner.”
Integrity
“Integrity means ensuring the correctness (integrity) of data and the correct functioning of systems.”
Availability
The availability of services, functions of an IT system, IT applications or IT networks or even information is ensured if these can always be used by users as intended.

Goal

The aim of the test activities generally consists of the following three points:

Identification of existing weak points
and misconfigurations within the application system.
Recommendation of suitable measures
to eliminate vulnerabilities in order to increase software quality in the area of IT security.
Determination of the security level
at application level at the time of test execution, based on the test results.

General test methodology

In addition to the general objectives mentioned above, the specific test objectives and their prioritization can be determined individually in consultation with the client before the test is carried out, and the assessment adapted accordingly.

The examination of the client-side and server-side components of the application system is based on the procedure of the OWASP Web Security Testing Guide [2]. The specific test activities are adapted according to the agreed customer objective and the technical conditions.

Next Steps

Once the investigation of an application system has been completed, there are various starting points for effectively continuing the previous test activities. A selection of sensible options can be individually compiled in a discussion depending on the customer’s objective, customer requirements and the test result.

Further test activities in the area of web application and web service penetration testing
The existing test activities can be extended to other software systems.

Once the identified weaknesses have been rectified, their effectiveness can be checked by repeating the test.

Application systems under active development can be examined regularly for existing weaknesses. The test activities can cover the entire software system or only newly added functionality.
Test activities at network level
The investigation can be extended from the application layer to the network in order to identify further attack vectors within the corporate network.
Static source code analysis
In addition to examining the application system at runtime, the source code can be analyzed for possible vulnerabilities to ensure maximum test coverage.
Security consulting
General or application-specific topics in the area of IT security, best practices or know-how for raising awareness or for solution approaches can be communicated on the basis of knowledge gained and identified vulnerabilities.
Developer training
If developers are unfamiliar with particular attack scenarios or recommended measures, targeted training content can be used to impart basic knowledge in the area of secure software development.

Sources

[1] Federal Office for Information Security, IT-Grundschutz-Kompendium (Edition 2023)

[2] The OWASP® Foundation, OWASP Testing Guide v4.2