Web Application Security
Penetration tests for web applications and background systems
If web applications and background systems are not adequately protected, they are at risk of becoming targets for potential hacker attacks. These attacks jeopardize sensitive customer data and internal company networks. With the help of customized penetration tests (pentests), we support you in securing your web applications and background systems against cyberattacks and data theft.
Web pentesting (web application penetration testing) is an IT security measure used to check the security of web applications.
The aim is to uncover existing security vulnerabilities and possible points of attack in the web application and to increase the security of the web application in this way. Methods and means are used that real attackers would also use.
Secure web applications are essential for protecting sensitive data and safeguarding business-critical processes. Penetration tests specifically uncover vulnerabilities and thus help to minimise security risks at an early stage.
Access control (authorisation) / client separation: If access rights for authenticated users are not implemented correctly, attackers may be able to access functions or data of other users. This also includes cross-client access.
Input & output validation: If user input data is not sufficiently validated, injection vulnerabilities (e.g. cross-site scripting (XSS), XML External Entities (XXE), SQL injection) can lead to data loss, corruption or system takeover (remote code execution), among other things. Targeted injection attacks attempt to smuggle malicious code into the application.
Security-related misconfiguration / hardening: Components with known vulnerabilities, default accounts, unused (sample, test) pages, misconfigurations etc. may make it possible to gain unauthorised access to sensitive information or to the underlying system (web server).
Disclosure of security-relevant information (information gathering/disclosure): Websites and responses from web applications and web services can contain security-relevant information (e.g. version details), which attackers can use to bypass security mechanisms and exploit vulnerabilities.
Investigations at network level: The penetration test includes a check at network level of the web application's web server (an IP address). Portscans, a check of the SSL/TLS configuration and vulnerability scans are carried out.
Authentication / session management: Errors in authentication and session management may allow attackers to assume the identity of other users, e.g. by means of brute force attacks, weak session IDs or the use of insecure passwords.
Data security: It must be ensured that the web application is configured in such a way that access is only possible via the intended, secure/encrypted communication paths. Access to resources and functions that are not required must therefore be restricted (e.g. using cookie flags, HTTP security headers).
Business/application logic: For multi-step business processes mapped in the application, care must be taken to ensure that the implemented application logic cannot be misused (e.g. by breaking out of the intended registration process).
Cryptography / SSL and TLS: If there are vulnerabilities in the SSL/TLS configuration, the probability increases that potential attackers can read transmitted data (confidentiality), manipulate it (integrity) and impersonate a legitimate trusted party/service without authorisation (authenticity) and thus successfully carry out man-in-the-middle attacks, for example.
Data protection: In addition to technical checks, the web application (incl. background system) can also be checked for data protection aspects, e.g. implementation of privacy by design, fulfilment of data protection principles, etc.
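As an added example for the data security and information disclosure items above (not code from the TÜVIT page or its test methodology), a small defender-side check that parses a raw HTTP response and reports session cookies without Secure/HttpOnly/SameSite, missing baseline security headers and a version-revealing Server header. The header baseline and the sample response are assumptions for illustration.

```python
# Added example, not part of the original page. Checks cookie flags and a
# baseline of HTTP security headers on a raw HTTP/1.1 response (assumed format).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP possible",
    "content-security-policy": "CSP missing: no second line of defence against XSS",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}
COOKIE_FLAGS = ("secure", "httponly", "samesite")

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-case name, value) pairs from a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_cookies(headers: list[tuple[str, str]]) -> list[str]:
    """Report Set-Cookie headers that lack Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings += [f"cookie {cookie}: {f} attribute missing" for f in COOKIE_FLAGS if f not in attrs]
    return findings

def check_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Report missing security headers and a version disclosed in Server."""
    present = {name for name, _ in headers}
    findings = [msg for h, msg in REQUIRED_HEADERS.items() if h not in present]
    for name, value in headers:
        if name == "server" and any(c.isdigit() for c in value):
            findings.append(f"Server header discloses a version: {value!r}")
    return findings

def audit(raw: str) -> list[str]:
    headers = parse_headers(raw)
    return check_cookies(headers) + check_headers(headers)

# Constructed response from a hypothetical test target, not a real system.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
```

Running `audit(SAMPLE_RESPONSE)` yields eight findings: three missing flags on the session cookie, four missing headers and the version in the Server header, while the theme cookie passes.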
The test report is always prepared by our experts individually and in an easily understandable form (no automatic generation) and contains at least the following information:
The approach of the TÜVIT security experts is based on the OWASP Application Security Verification Standard (ASVS), which describes basic security requirements for web applications and background systems, and the OWASP Web Security Testing Guide (WSTG), which describes how the requirements from the ASVS can be verified. The OWASP Top 10 vulnerabilities for web applications, the BSI's implementation concept for penetration tests and the OWASP best practices approach are also taken into account.
The costs depend on the complexity of the test object. A spot check is in the lower to mid four-figure range. For an exact price indication, we need more information about your web application and your background system.
The duration of the test depends on the type of test selected (Level 1 to 3), see above. Deviating from the test period, a period of at least 1 week is assumed for the Spot Check (Level 1) and at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) pentest.
Good reasons that speak in our favour