Damian Strobel
Founder and CEO
"Websites and web applications are extremely interesting targets for blackhats - as a rule, interesting data can be found there."
Pentesting of web applications
From an attacker's perspective, web applications are incredibly interesting. Most websites allow a login, which means that there will be user data (PII) in the databases. In the case of online stores or SaaS platforms (see SaaS Penetration Testing), it can also be assumed that users' financial data could be found. It is therefore important for you as the operator of such websites to ensure that your application has no security vulnerabilities. In the worst case, attackers could steal sensitive data!
Information on costs, procedure, duration and types of web penetration tests can be found a little further down on this page - they generally apply to any type of penetration test regardless of the target system. In general, it is always important for us to get to know the web app we are to test. This means, for example, that we must be provided with a complete demo/test system to which we have full access. The client should fill the system with meaningful test data and create at least two users for each user group. We can then determine relatively quickly which user group is allowed to do what and what should not be possible. Two examples: A normal user should not be able to read or change the data of other users. They should also not be allowed to make themselves an administrator.
A website pentest is also primarily a manual test, which we usually carry out using software such as Burp Suite or Caido. We examine every request that a user sends to the server. Automated methods are used very selectively here: if we suspect a path traversal vulnerability, for example, we check that automatically.
Let's help you protect your data and your customers by securing your web applications.
Why should we carry out the penetration test for your web application?
Experienced team
Benefit from our experienced team of bug bounty hunters and ethical hackers who have already carried out numerous successful web app penetration tests. Complex scopes and secured systems are no problem for us and are rather standard.
Outstanding report
Receive detailed and understandable reports that not only highlight vulnerabilities, but also offer concrete and actionable recommendations. Our risk assessment is realistically tailored to your case.
Maximum creativity
Our innovative team uses creative and unconventional approaches to identify even the most hidden security vulnerabilities. We combine small flaws into critical vulnerabilities that no one expected.
Effective risk management
Protect your business with targeted testing that minimizes potential security risks and secures your IT infrastructure. Black hats and cyber criminals are usually not long in coming and will exploit any weakness.
Communication tailored to your needs
We tailor our communication to your needs, be it through regular updates, detailed discussions or clear explanations. It doesn't matter whether it's via WhatsApp, Signal or Slack. You decide!
Long-term partnership
Rely on a long-term collaboration that offers not just one-off tests, but continuous security optimizations and support. We can take any perspective and are your partner when it comes to security.
Savings potential for web application penetration tests
In the case of penetration tests against web applications, we are relatively flexible in terms of test intensity. The degree of automation and manual testing can be adjusted according to the customer's wishes. The following scenarios are possible:
- 15% manual / 85% automated: favorable, but superficial. The focus is on attack vectors that very often cause problems. We only use automated scans.
- 50% manual / 50% automated: moderate price, good quality. The "most interesting" requests are analyzed manually. All others are checked automatically.
- 85% manual / 15% automated: expensive, but very thorough. Every request is thoroughly analyzed. The focus is on a complete manual pentest.
API penetration test vs web penetration test
An API penetration test is basically a web penetration test that focuses on the interfaces. Modern web applications are often a JavaScript frontend (AngularJS, ReactJS, VueJS) that communicates with the backend via an API. The procedure is very similar to a web app pentest. Because API documentation is frequently available (Swagger, OpenAPI, GraphQL schemas), we can test an API relatively quickly but thoroughly.
Relevance of web frameworks for pentesting
With the rise of so-called web frameworks such as Laravel, Django, Ruby on Rails, Spring Boot (Java) and .NET, developers have tools that make it much harder to produce serious security vulnerabilities, provided the framework is used correctly, which is not always the case. Nevertheless, we have noticed that each framework has its "peculiarities": for example, we rarely find XSS or SQL injections in Laravel pentests, but more often problems in the area of mass assignment. Java and ASP frameworks, on the other hand, often have problems with file processing. A pentest is therefore also useful for modern web frameworks.
Methodology for web application pentesting
The classic when it comes to pentest methodology in connection with web applications is the OWASP Top 10 list. It contains the most common security vulnerabilities found in web applications. The problem is that this list is not exhaustive. An attacker is generally very creative, combining vulnerabilities and turning them into complex attacks. We work in the same way. We don't just mindlessly work through lists; we look for things that could become a problem for you, in isolation or in combination. Nevertheless: OWASP (see Web Security Testing Guide) and BSI (pentest execution) are the absolute standard for us.
Web application pentest: Security vulnerabilities
There are various types of vulnerabilities that can be found in web applications. The examples here are real examples from past penetration tests. Here you can find the most common ones:
Cross Site Scripting (XSS)
An attacker can inject HTML code into the website output. This can be used to exfiltrate data from other users.
SQL Injection
This type of vulnerability allows the contents of the database to be read. The SQLMap tool is often used for this. The attacker can thus download the entire user database.
File uploads
Upload functions often allow files to be uploaded that simplify the takeover of the server (shells). It is not so trivial to program upload functions securely.
Server Side Request Forgery
An attacker can make the web server send requests to internal systems. This is particularly interesting if the web app is hosted on AWS, for example (keyword: Metadata API).
Insecure Direct Object Reference
Can an attacker also read or change the user data (or other data) of another user via the user interface?
Output of sensitive data
If you examine requests, you can often see that too much and, above all, sensitive data is being output. This often happens with logged-in administrators.
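The two-user check described in the procedure section (a normal user must not touch other users' data or make themselves an administrator) covers the Insecure Direct Object Reference entry above and the mass assignment problem mentioned for Laravel. The following is an added example, not DSecured's tooling: a constructed in-memory profile service with a vulnerable and a hardened update handler, and a check that runs both tests against either handler.

```python
import copy
from dataclasses import dataclass

@dataclass
class User:
    uid: int
    role: str = "user"
    email: str = ""

# Constructed test data: two users of the same group, as the page asks clients to provide.
USERS = {1: User(1, email="alice@example.test"), 2: User(2, email="bob@example.test")}
ALLOWED_FIELDS = {"email"}  # fields a user may change about themselves; "role" deliberately absent

def update_profile_vulnerable(actor: User, target_uid: int, body: dict) -> User:
    """No ownership check (IDOR) and every submitted field is written (mass assignment)."""
    target = USERS[target_uid]
    for key, value in body.items():
        setattr(target, key, value)
    return target

def update_profile_hardened(actor: User, target_uid: int, body: dict) -> User:
    """Ownership check plus an allowlist of writable fields."""
    if actor.uid != target_uid and actor.role != "admin":
        raise PermissionError("not your profile")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"fields not updatable: {sorted(unknown)}")
    target = USERS[target_uid]
    for key, value in body.items():
        setattr(target, key, value)
    return target

def _attempt(handler, actor, target_uid, body) -> bool:
    try:
        handler(actor, target_uid, body)
        return True  # the handler accepted the request
    except (PermissionError, ValueError):
        return False

def run_two_user_check(handler) -> list:
    """The two checks from the text: cross-user write and self-promotion to admin."""
    snapshot = copy.deepcopy(USERS)  # both handlers start from the same state
    findings = []
    alice, bob = USERS[1], USERS[2]
    if _attempt(handler, alice, bob.uid, {"email": "changed@example.test"}):
        findings.append("IDOR: user 1 changed user 2's email")
    _attempt(handler, alice, alice.uid, {"role": "admin"})
    if USERS[1].role == "admin":
        findings.append("mass assignment: user 1 set own role to admin")
    USERS.update(snapshot)  # restore the original user objects
    return findings
```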
Every web application has its own issues. Let us help you to protect your data and your customers and improve your cybersecurity.
Further questions and answers on the topic "Web application penetration testing"
What can I expect from your Web application penetration testing?
You can expect a thorough exploration of your web application's security landscape. Our team manually simulates cyber-attacks to unearth any possible vulnerabilities. The outcome? An in-depth, clear report pinpointing risks & offering actionable recommendations.
How long does Web application penetration testing typically take with DSecured?
The timeframe can vary, depending on the application's complexity & scope. Typically, an intensive test spans a few weeks, allowing our specialists to meticulously analyze & exploit potential security flaws, ensuring a profound assessment.
Who performs the Web application penetration testing at DSecured?
Our team is filled with certified and highly skilled penetration testers, who’ve also contributed to bug bounty programs for major companies. Their expertise ensures your web application is tested rigorously and expertly.
What kind of security flaws can your team identify in web app security audits?
During a web application penetration test, we very frequently identify SQL injections, cross-site scripting (XSS), cross-site request forgery (CSRF) and security flaws in authentication and session management. RCE and code injections as well as configuration errors are also common findings.
How do I know if my Web app needs a security audit from DSecured?
If your application handles sensitive data, complies with regulatory requirements, or if you've never had a security audit, it’s likely time. An audit can fortify your defense systems before a real threat targets your web app.
Can a single pentest reveal all of an application's problems?
A good penetration test should uncover all critical security vulnerabilities. However, IT is much more complex and there is no guarantee that a single test will identify all vulnerabilities. IT security is ALWAYS a process and not a one-off project. And this process tries to minimize the probability of being hacked as much as possible.