Web Application Assessments

This assessment is specific to web applications and tests a single application inside and out, following OWASP[1] guidelines and best practices. While similar in method to a traditional penetration test, the web application variant focuses on the vulnerabilities and risk of that one application and its relationship to the wider network, the business, and the purpose it serves. The work is mostly manual attack technique, supplemented by automated vulnerability scanning and expert analysis of the results.
Many vulnerabilities and risks are assessed, including but not limited to:
- Injection (SQL, OS command, LDAP, and similar)
- XSS (Cross Site Scripting)
- XXE (XML External Entities)
- Deserialization Attacks
- Broken access control and broken authentication
- Sensitive data exposure
- Security misconfigurations
What are some use cases of this service?
If you want a broad look at many web applications at once, our Vulnerability Scanning service supports credentialed web application scanning, and our Penetration Tests also assess websites for vulnerabilities, though in less depth. Given those options, it may not be obvious what this assessment type adds. It is the right choice when the application has any of the following:
- Role-based credentials
  - For example, admin functions usable by low-privilege users, or accounts able to read or modify each other's data.
- Multi-tenant applications
  - For instance, unintentional cross-tenant data access, or a tenant admin escalating to super admin.
- Application Programming Interface (API) testing
  - Testing a specific API for vulnerabilities is usually beyond the scope of vulnerability scans and network penetration tests.
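The role-based and multi-tenant checks above come down to an authorization matrix: for each role, which records and which administrative actions should be reachable, and are they actually enforced? The following is an added example, not code from the original page or from the assessment service; it runs an expected-versus-observed matrix against a small constructed in-memory application (`VulnerableApp`, with a deliberate cross-account read and a tenant-admin-to-super-admin escalation) and against a hardened version of the same application. All user, tenant and record names are invented for the example.

```python
"""Authorization-matrix check for role-based and multi-tenant access control.

Added example with a constructed toy application; none of the names,
records or tenants below come from a real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str  # "user", "tenant_admin" or "super_admin"


@dataclass
class Record:
    id: int
    owner: str
    tenant: str
    body: str


class Forbidden(Exception):
    """Raised when the application denies an action."""


class VulnerableApp:
    """Constructed stand-in for an application with two access-control flaws."""

    def __init__(self):
        self.records = {
            1: Record(1, "alice", "acme", "alice's invoice"),
            2: Record(2, "bob", "acme", "bob's invoice"),
            3: Record(3, "carol", "globex", "carol's invoice"),
        }
        self.plans = {"acme": "basic", "globex": "basic"}

    def get_record(self, actor: User, record_id: int) -> Record:
        # Flaw 1: lookup by id only; ownership and tenant are never checked,
        # so any authenticated user can read any account's data in any tenant.
        return self.records[record_id]

    def set_plan(self, actor: User, tenant: str, plan: str) -> None:
        # Flaw 2: meant for super admins, but the check matches any "*admin"
        # role, so a tenant admin can change the plan of every tenant.
        if not actor.role.endswith("admin"):
            raise Forbidden(actor.name)
        self.plans[tenant] = plan


class HardenedApp(VulnerableApp):
    """Same application with the ownership, tenant and role checks in place."""

    def get_record(self, actor: User, record_id: int) -> Record:
        rec = self.records[record_id]
        if actor.role == "super_admin":
            return rec
        if rec.tenant != actor.tenant:
            raise Forbidden("cross-tenant access")
        if actor.role == "user" and rec.owner != actor.name:
            raise Forbidden("cross-account access")
        return rec

    def set_plan(self, actor: User, tenant: str, plan: str) -> None:
        if actor.role != "super_admin":
            raise Forbidden("super_admin only")
        self.plans[tenant] = plan


# Constructed test identities: one per role, two tenants.
USERS = {
    "alice": User("alice", "acme", "user"),
    "bob": User("bob", "acme", "user"),
    "carol": User("carol", "globex", "user"),
    "acme_admin": User("acme_admin", "acme", "tenant_admin"),
    "root": User("root", "-", "super_admin"),
}

# (actor, action, arguments, expected) where expected=True means the role
# is supposed to be allowed. Each row is one cell of the authorization matrix.
MATRIX = [
    ("alice", "get_record", (1,), True),                            # own data
    ("alice", "get_record", (2,), False),                           # same tenant, other account
    ("alice", "get_record", (3,), False),                           # other tenant
    ("acme_admin", "get_record", (2,), True),                       # admin of own tenant
    ("acme_admin", "get_record", (3,), False),                      # cross-tenant
    ("acme_admin", "set_plan", ("globex", "enterprise"), False),    # vertical escalation
    ("root", "set_plan", ("globex", "enterprise"), True),           # legitimate super admin
]


def run_matrix(app, users=USERS, matrix=MATRIX):
    """Exercise every cell and return those whose outcome differs from expected."""
    findings = []
    for actor_name, action, args, expected in matrix:
        try:
            getattr(app, action)(users[actor_name], *args)
            allowed = True
        except Forbidden:
            allowed = False
        if allowed != expected:
            findings.append((actor_name, action, args, "allowed" if allowed else "denied"))
    return findings


if __name__ == "__main__":
    for label, app in (("vulnerable", VulnerableApp()), ("hardened", HardenedApp())):
        print(label, run_matrix(app))
```

Against a real target the same matrix is driven through HTTP requests made with each role's session, and the interesting rows are always the ones expected to be denied: a test suite that only confirms permitted actions work will pass against both versions of the application above.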
[1] The Open Worldwide Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software.