Reaction Information Security

Web Application Penetration Testing

Experts in web and mobile application security testing.


Web Application Security Testing and Penetration Testing

Security holes in web applications and websites can allow an attacker to gain full control of the web server and penetrate deeper into the network. E-commerce websites, Sharepoint portals, intranets, extranets, corporate web content, business to business websites and web services gateways are frequently targeted by malicious online groups. Web application penetration testing provides a detailed analysis of a web application's security posture and helps to defend against cyber attacks and the OWASP (Open Web Application Security Project) top ten vulnerabilities.

Web Application Testing Process

Our web application penetration testing process targets specific classes of vulnerabilities which could be exploited to gain unauthorised access to your web applications or web servers. We identify common security weaknesses in web applications including SQL injection, Cross-Site Scripting, Cross-Site Redirection, Cross-Site Request Forgery, directory traversal, authorisation bypass, session hijacking, session fixation, clickjacking, privilege elevation, file upload abuses, leaked data in web content, SSL encryption weaknesses and code injection attacks.

Penetration testing of web applications allows the client to address and mitigate the identified risks before malicious groups have a chance to exploit them. Our testing methodology is aligned with the OWASP guidelines and covers the following areas of web application security:

  • Information Gathering
  • Configuration Management Testing
  • Business Logic Testing
  • Authentication Testing
  • Authorisation Testing
  • Session Management Testing
  • Input Validation Testing

We break our testing process down further into authenticated and unauthenticated security testing. These phases are designed to cover the scenarios of a random hacker on the Internet and an authorised (but potentially malicious) web application user, respectively. Unauthenticated testing ensures that cyber attacks with no knowledge of the website/web application/web service cannot gain unauthorised access or compromise the confidentiality, integrity or availability of the system. Authorised user testing ensures that registered users of the web application cannot view or modify other user's data, elevate his/her user privileges to admin level or compromise the system in any way.

Case Study - Sony Playstation Web Application Breach

In April 2011, an attack on the Sony Playstation Network yielded 77 million registered accounts including users' names, addresses, birthdates, email addresses, passwords and security questions/answers. In a debrief meeting, Sony officials cited SQL injection (a common web application security flaw) as the method of data compromise. Sony estimated direct costs of the breach to be $171 million (or 14 billion yen).

ReactionIS have had many experiences of rectifying breached websites and are ideally placed to help protect your web infrastructure. We have seen attackers ciphen off credit card details and place malware on sites for unsuspecting users to download and install in drive-by download attacks. Attackers have also use compromised websites to insert links to their websites to boost search engine rankings and web traffic. Website defacement is also very common in government or politically sensitive orgnisations where the attackers are aiming to make a political statement, commonly termed hacktivism.

For more details on how we can help you, please get in touch.

Get a Quote Online

Submit your testing requirements online and one of the team will get right back to you.

Penetration Testing Services

Firewall reviews, database audits, code reviews, social engineering and more..

Application Security

Ensure your web and mobile apps are safe from attack.

Read more