Web applications

Web applications serve diverse purposes and present significant attack potential, as they are typically accessible publicly or throughout the entire corporate network. The typical web applications we examine range from corporate websites and web shops to online banking and customer platforms, as well as administrative programs.

Why Penetration Tests for Web Applications

Our primary reason for penetration testing web applications is to uncover vulnerabilities through which:

  • Other users can be attacked
  • Sensitive information and corporate data can be extracted
  • Processes within the application can be manipulated
  • Other systems that become attractive next targets once the web server has been compromised can be attacked

When to Conduct Penetration Tests for Web Applications

In our view, the best times are:

  • During development to address design flaws early
  • Ideally before production deployment
  • When components are modified and new features are added
  • Regularly, to test for vulnerabilities exposed by new attack methods

Results

Typical pentest results are:

  • Technical vulnerabilities that, for example, enable unauthorized access to data or allow malicious code to be executed on other users’ devices
  • Weaknesses related to test points from the OWASP Testing Guide
  • Vulnerabilities from the OWASP Top 10
  • Vulnerabilities in business processes, such as bypassing dual control principles, approving one’s own requests, or executing one-time actions multiple times
  • Assessment of the security level of the application and web server

What we need from you

For the penetration test of a web application, we need from you:

  • Access to the application, preferably in a test environment with test data
  • User accounts for all roles to be tested
  • If possible: Provision of the application’s source code
  • Whitelisting of our IP address in any protective systems, such as Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS)
  • Notification of involved parties, such as external hosting providers
  • Business worst-case scenarios that we should specifically examine

Book a free initial consultation now

Whether it’s a pentest, red teaming, or “something in between”, we look forward to talking to you!