Web application penetration testing

Testing web applications is our specialty. We find security gaps and vulnerabilities in your websites - whether SaaS or online store.

Our website penetration test provides a thorough analysis of your web applications to uncover potential security vulnerabilities. Authentication, authorization, data validation and other critical security areas are tested in detail. This matters because websites and web apps are now the interface between the user and the server, and the server is where the interesting and sensitive data lives.

Pentest against web applications

From an attacker's perspective, web applications are incredibly interesting. Most websites allow a login, which means that there will be user data (PII) in the databases. In the case of online stores or SaaS platforms (see SaaS Penetration Testing), it can also be assumed that users' financial data could be found. It is therefore important for you as the operator of such websites to ensure that your application has no security vulnerabilities. In the worst case, attackers could steal sensitive data!

Information on costs, procedure, duration and types of web penetration tests can be found a little further down on this page - they generally apply to any type of penetration test regardless of the target system. In general, it is always important for us to get to know the web app we are to test. This means, for example, that we must be provided with a complete demo/test system to which we have full access. The client should fill the system with meaningful test data and create at least two users for each user group. We can then determine relatively quickly which user group is allowed to do what and what should not be possible. Two examples: A normal user should not be able to read or change the data of other users. They should also not be allowed to make themselves an administrator.

A website pentest is also primarily a manual test, which we usually carry out using software such as Burp Suite or Caido. We examine every request that a user sends to the server. Automated methods are used very specifically here - if we suspect a path traversal gap, for example, we have this checked automatically.

"Websites and web applications are extremely interesting targets for blackhats - as a rule, interesting data can be found there."

Damian Strobel - Founder of DSecured

Let's help you protect your data and your customers by securing your web applications.

Pentest Costs: Duration of the penetration test

Savings potential for web application penetration tests

In the case of penetration tests against web applications, we are relatively flexible in terms of test intensity. The degree of automation and manual testing can be adjusted according to the customer's wishes. The following scenarios are possible:

  • 15% manual/85% automated - inexpensive, but superficial. The focus is on attack vectors that very often cause problems. We only use automated scans.

  • 50% manual/50% automated - moderate price, good quality. The "most interesting" requests are analyzed manually. All others are checked automatically.

  • 85% manual/15% automated - expensive, but very thorough. Every request is thoroughly analyzed. The focus is on a complete manual pentest.

API penetration test vs web penetration test

An API penetration test is basically a web penetration test that focuses on the interfaces. Modern web applications are often a JavaScript frontend (AngularJS, ReactJS, VueJS) that communicates with the backend via an API. The procedure is very similar to a web app pentest. Because API documentation (Swagger, OpenAPI, GraphQL) is frequently available, we can test an API relatively quickly but thoroughly.

Relevance of web frameworks for pentesting

With the rise of web frameworks such as Laravel, Django, Ruby on Rails, Spring Boot (Java) and .NET, developers have tools that make it much harder to produce serious security vulnerabilities, provided they are used correctly, which is not always the case. Nevertheless, we have noticed that each framework has its own "peculiarities": in Laravel pentests, for example, we rarely find XSS or SQL injection, but more often problems in the area of mass assignment, while Java and ASP frameworks often have problems with file processing. A pentest is therefore also useful for applications built on modern web frameworks.

Methodology for web application pentesting

The classic when it comes to pentest methodology in connection with web applications is the OWASP Top 10 list. It contains the most common security vulnerabilities found in web applications. The problem is: they are not all of them. An attacker is generally very creative, combining vulnerabilities and turning them into complex attacks. We work in the same way. We don't just mindlessly work through lists - we look for things that could become a problem for you - in isolation or in combination. Nevertheless: OWASP (see Web Security Testing Guide) and BSI (pentest execution) are the absolute standard for us.

Web application pentest: Security vulnerabilities

There are various types of vulnerabilities that can be found in web applications. The examples here are real examples from past penetration tests. Here you can find the most common ones:

Cross Site Scripting (XSS)

An attacker can inject HTML code into the website output. This can be used to exfiltrate data from other users.

SQL Injection

This type of vulnerability allows the contents of the database to be read; the SQLMap tool is often used for this. An attacker can thus download the entire user database.

File uploads

Upload functions often allow files to be uploaded that simplify the takeover of the server (shells). It is not so trivial to program upload functions securely.

Server Side Request Forgery

An attacker can make the web server send requests to internal systems. This is particularly interesting if the web app is hosted on AWS, for example (keyword: Metadata API).

Insecure Direct Object Reference

Can an attacker also read or change the user data (or other data) of another user via the user interface?

Output of sensitive data

If you examine requests, you can often see that too much and, above all, sensitive data is being output. This often happens with logged-in administrators.
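The three access-control findings above (a normal user reading another user's data, a user making themselves an administrator via mass assignment, and an API returning more fields than the client needs) share one root cause: the server trusts identifiers and field names supplied by the client. The following is an added illustration, not code from DSecured or from any of the frameworks named on this page. It is framework-free Python with constructed sample users and hypothetical handler names; each vulnerable handler is shown beside the hardened form that enforces ownership and allow-lists both the writable input fields and the returned output fields.

```python
"""Constructed example: ownership checks and field allow-lists in a tiny
user-profile API.  No web framework; the 'body' dicts stand in for parsed
HTTP request bodies and 'users' for the database table."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    is_admin: bool
    password_hash: str   # sensitive: must never be returned to a client
    api_token: str       # sensitive: must never be returned to a client


def make_users():
    """Constructed test data: two normal users and one administrator,
    mirroring the 'at least two users per user group' test setup."""
    return {
        1: User(1, "alice@example.test", False, "hash-alice", "tok-alice"),
        2: User(2, "bob@example.test", False, "hash-bob", "tok-bob"),
        3: User(3, "admin@example.test", True, "hash-admin", "tok-admin"),
    }


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


# --- vulnerable handlers (hypothetical names) ----------------------------

def get_profile_vulnerable(users, current_user_id, requested_id):
    """IDOR plus sensitive output: trusts the id from the URL and dumps
    every column of the row, hashes and tokens included."""
    return vars(users[requested_id])


def update_profile_vulnerable(users, current_user_id, body):
    """Mass assignment: every key in the request body is written to the
    model, so {'is_admin': True} promotes the caller to administrator."""
    user = users[current_user_id]
    for key, value in body.items():
        setattr(user, key, value)
    return user


# --- hardened handlers (hypothetical names) ------------------------------

PUBLIC_FIELDS = ("id", "email")          # response allow-list
WRITABLE_FIELDS = frozenset({"email"})   # input allow-list


def get_profile_hardened(users, current_user_id, requested_id):
    """Only the owner or an administrator may read a profile, and only the
    allow-listed fields are serialised."""
    current = users[current_user_id]
    if requested_id != current_user_id and not current.is_admin:
        raise Forbidden("not the owner of this record")
    target = users[requested_id]
    return {name: getattr(target, name) for name in PUBLIC_FIELDS}


def update_profile_hardened(users, current_user_id, body):
    """Reject the whole request if it names any field outside the
    allow-list, instead of silently ignoring or applying it."""
    unexpected = set(body) - WRITABLE_FIELDS
    if unexpected:
        raise Forbidden(f"fields not writable: {sorted(unexpected)}")
    user = users[current_user_id]
    for key, value in body.items():
        setattr(user, key, value)
    return user


if __name__ == "__main__":
    users = make_users()
    print("leaked:", get_profile_vulnerable(users, 1, 2))
    print("allowed:", get_profile_hardened(users, 1, 1))
    try:
        get_profile_hardened(users, 1, 2)
    except Forbidden as exc:
        print("blocked:", exc)
```

The two hardened checks correspond to the test the page describes: log in as one of the two users in a group and confirm that the second user's record is unreadable and that no request body, however crafted, can flip `is_admin`. Rejecting unknown fields outright, rather than dropping them, also makes such attempts visible in the application's error logs.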

Every web application has its own issues. Let us help you to protect your data and your customers and improve your cybersecurity.

Some companies we have been able to help

Grab
PayPal
BMW
Goldman Sachs
Starbucks
ATT
TikTok
Hilton