As applications become more dynamic and user-friendly, the number of vulnerabilities left open by developers increases. To properly defend your organization from attacks, your web application must be solid.
Dara Security has found that more than 90% of attacks have come through the application layer. As a result, some industry regulations have made web application security assessment reviews mandatory. Specifically, the Payment Card Industry's Data Security Standard requires companies to perform application layer penetration testing (Requirement 6.6). Web Application Penetration Testing fulfills this regulatory requirement by examining all aspects of an application and pinpointing vulnerabilities.
Our testing is designed to discover today's most prevalent and most exploited web application vulnerabilities, and to help an organization understand the associated risks and business impact of those vulnerabilities. Unless requested otherwise, our web application penetration tests follow the OWASP methodology, searching for serious vulnerability classes such as SQL Injection, Command Injection and Cross-Site Scripting (XSS). We also address lesser known threats such as Cross-Site Request Forgery, Clickjacking, Encoding Errors and DOM Injection.
In addition to automated tools, our team makes extensive use of manual testing. Manual testing is critical for finding business logic flaws, which automated tools cannot easily or accurately detect. Manual testing focuses on finding vulnerabilities in the following layers and general security controls:
Injection Flaws (such as SQLi, Command Injection)
Authentication and Authorization
Error and Exception Handling
While "point-and-click" solutions will find obvious application flaws, our testing methodology constantly evolves to ensure that the latest threats are identified and reported, each with a recommended solution to address the vulnerability.
Dara Security's certified GWAPT and CASS team members have been testing clients' web application security for nearly a decade. Web application penetration testing is one of our core services. Our experience and expertise have led us to follow a very detailed and structured methodology, based on the OWASP Testing Guide, for performing web application assessments. Dara Security uses the mindset and methodology of a hacker in an attempt to identify application misconfigurations and exploit vulnerabilities, ensuring a comprehensive approach to web application penetration testing.