Dara Security

Web Application Penetration Testing

As applications become more dynamic and user-friendly, the number of vulnerabilities left open by developers increases.  To properly defend your organization from attacks, your web application must be solid.

 

Dara Security has found that more than 90% of attacks have come through the application layer. As a result, some industry regulations have made web application security assessment reviews mandatory. Specifically, the Payment Card Industry's Data Security Standard requires companies to perform application layer penetration testing (Requirement 6.6 [PDF]).  Web Application Penetration Testing fulfills this regulatory requirement by examining all aspects of an application and pinpointing vulnerabilities.

 

Comprehensive Application Testing

Our testing is designed to discover today's most prevalent and exploited web application vulnerabilities, and assist an organization in understanding the associated risks and business impact of the vulnerabilities.  Unless requested otherwise, our web application penetration tests follow the OWASP methodology searching for serious exploits such as SQL Injection, Command Injection and Cross-Site Scripting (XSS). We also address lesser known threats such as Cross-Site Request Forgery, Clickjacking, Encoding Errors and DOM Injection.

 

Manual Testing

In addition to automated tools, our team makes extensive use of manual testing. This type of testing is critical to find business logic flaws which automated tools cannot easily or accurately find.  Manual testing focuses on finding vulnerabilities for the following layers and general security controls:

    Injection Flaws (such as SQLi, Command Injection)


    JavaScript and client-side Attacks (such as XSS, XST, CSRF)


    Authentication and Authorization


    Input Validation


    Account Harvesting


    Cryptography


    Error and Exception Handling


    Information Disclosure


    Cookie Attacks


    Session Hijacking


While "point-and-click" solutions will find obvious application flaws, our testing methodology constantly evolves to ensure the latest threats are identified and reported with a solution to address the vulnerability.

 

Experience

Dara Security's certified GWAPT and CASS team members have been testing clients' web application security for nearly a decade. Offering web application penetration testing is one of our core services. Our experience and expertise has led us to follow a very detailed and structured methodology based on the OWASP Testing Guide for performing web application assessments. Dara Security uses the mindset and methodology of a hacker in an attempt to identify application misconfigurations and exploit vulnerabilities, ensuring a comprehensive approach to web application penetration testing.