
Web Application Security: Optimum Protection against Attacks on Web Applications

Minimizing the risks & increasing the security of your web application with the help of penetration tests

If web applications are not sufficiently protected, they risk becoming the target of potential hacker attacks. These place not only sensitive customer data in danger, but also internal company networks.

With the help of penetration tests (pentests), we support you in securing your web application in the best possible way against cyberattacks and data theft. Our experts review established security measures, determine specific risks and identify vulnerabilities.

Furthermore, they carry out analyses at the network level (port and vulnerability scans), so that the underlying backend system (web server) is also checked with respect to its security. You then receive the results of our analyses in the form of a detailed report which, among other things, also contains recommendations for action in order to eliminate vulnerabilities.

Web application security: penetration tests against web applications Web application security: penetration tests against web applications Web application security: penetration tests against web applications Web application security: penetration tests against web applications

Our services: three levels of the analysis

Spot Check (Level 1)

Initial assessment of the security level on the basis of a random sample.

Random sample / first assessment

Regular Pentest (Level 2)

Deep investigation to identify the most common risks and vulnerabilities for web applications.

For most applications

Advanced Pentest (Level 3)

A more in-depth analysis that – in addition to Level 2 – also identifies hard-to-exploit risks and vulnerabilities, especially through additional test scenarios.

High security level

Your benefits at a glance

  • Testing of your web application according to recognized standards
  • Analyses at the network level (port and vulnerability scans)
  • Identification of vulnerabilities / reduction of IT risks
  • Continuous improvement of the IT security of your web application
  • Objective proof of the IT security of your product

Web Application Security: Test Areas

Content of the pentest

Penetration tests (incl. backend systems, web services & APIs) examine the respective web application for the most critical or most frequently exploited security risks.

The focus here is on the following areas:

  • Input & Output Validation: If user input is not sufficiently validated, injection vulnerabilities (e.g., cross-site scripting (XSS), XML external entities (XXE), SQL injection) can – among other things – result in data loss, data corruption or a system takeover (remote code execution). By means of targeted injection attacks, an attempt is made to "smuggle" malicious code into the application.
     
  • Authentication / Session Management: Authentication and session management errors may allow attackers to take over the identity of other users, e.g. by means of brute force attacks, weak session IDs or the use of insecure passwords.
     
  • Access Control (Authorization) / User Separation: If access rights for authenticated users are not correctly implemented, attackers may be able to access functions or data of other users.
     
  • Data Security: It must be ensured that the web application is configured in such a way that forms of access are only possible via the intended, secured/encrypted communication paths. Access to resources and functions that are not required must therefore be restricted (e.g. by means of cookie flags, HTTP security headers).
     
  • Security-related Misconfiguration / Hardening: Through the use of components with known vulnerabilities, default accounts, unused (example, test) pages or misconfigurations, etc., it may be possible to gain unauthorized access to sensitive information or the underlying system (web server).
     
  • Business/Application Logic: In the case of multi-stage mapped business processes, it must be ensured that the implemented application logic cannot be misused (e.g., breakout from a designated registration process).
     
  • Disclosure of Security-related Information (Information Gathering/Disclosure): Web pages and responses from web applications and web services may contain security-relevant information (e.g. version details) with the help of which attackers can circumvent security mechanisms and exploit vulnerabilities.
     
  • Cryptography / SSL and TLS: Information which is exchanged between the client of the user and the server must be sufficiently encrypted and protected. If there are vulnerabilities in the SSL/TLS configuration, for example, the probability increases that potential attackers can also read transmitted data (confidentiality), manipulate data (integrity) and impersonate a legitimate trusted party or service without authorization (authenticity) – and in this manner successfully carry out man-in-the-middle attacks, for example.
     
  • Analyses at the Network Level: The penetration test includes a network-level analysis of the web application’s web server (one IP address). Port scans, a check of the SSL/TLS configuration and vulnerability scans are carried out.
     
  • (Optional) Data Protection: Besides technical analyses, the Terms of Use (T&Cs) of a web application can also be reviewed with regard to data protection aspects.
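The "Data Security", "Security-related Misconfiguration" and "Information Disclosure" test areas above all come down to settings that can be read off a single HTTP response: cookie flags, security headers and version strings. The following is an added example, not a tool from TÜViT or from this page, showing how such a check can be automated against a captured response. The baseline of expected headers is an assumption taken from common OWASP guidance; the two sample responses are constructed for the example and are not captured from any real site.

```python
"""Audit an HTTP response for common hardening gaps (added example).

Checks a captured response for missing security headers, cookie flags
(Secure, HttpOnly, SameSite) and version disclosure in Server-style headers.
The set of expected headers is an assumed baseline, not a list from the page.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Assumed baseline: headers a hardened HTTPS response is expected to carry.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers can be downgraded to plain HTTP",
    "content-security-policy": "CSP missing: no script-source restriction against XSS",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}

# Headers that commonly disclose version details (information disclosure).
DISCLOSING_HEADERS = ("server", "x-powered-by")


def parse_response_headers(raw: str) -> list[tuple[str, str]]:
    """Parse the header block of a raw HTTP response into (name, value) pairs.

    Names are lower-cased. Set-Cookie may occur several times, so a list is
    returned rather than a dict.
    """
    headers = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw: str) -> list[str]:
    """Return a list of findings for the response; an empty list means no gaps."""
    headers = parse_response_headers(raw)
    present = dict(headers)   # last value wins; only used for single-valued headers
    findings = []

    for name, message in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(message)

    for name in DISCLOSING_HEADERS:
        if name in present and any(ch.isdigit() for ch in present[name]):
            findings.append(f"{name} header discloses a version string: {present[name]}")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        for key, morsel in cookie.items():
            if not morsel["secure"]:
                findings.append(f"cookie {key}: Secure flag missing (may be sent over HTTP)")
            if not morsel["httponly"]:
                findings.append(f"cookie {key}: HttpOnly flag missing (readable by script)")
            if not morsel["samesite"]:
                findings.append(f"cookie {key}: SameSite attribute missing (CSRF exposure)")
    return findings


# Constructed sample with several gaps (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/2.4.1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample of the corrected configuration.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] {len(audit_response(resp))} finding(s)")
        for finding in audit_response(resp):
            print("  -", finding)
```

Run stand-alone, the weak sample yields six findings (three missing headers, one version disclosure, two missing flags on the `session` cookie) and the hardened sample none. The check is deliberately per-response: a real assessment collects responses for every endpoint, since headers and cookies are often set inconsistently across an application.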

Web Application Security: Final Report

What the final report contains

All results of an analysis are made available to the client in the form of a detailed final report.

The final report is always created individually and in an easily understandable form by our experts (no automatic generation) and contains at least the following information:

  • Introduction: A brief description of the test object and the aim of the pentest.
     
  • Management/Executive summary: A summary of the results.
     
  • Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
     
  • Clear representation: Clear representation of all identified vulnerabilities in a table.
     
  • Detailed description of vulnerabilities & Proof-of-Concept: For each vulnerability there is an individual description that reflects precisely how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
     
  • Evaluation of automated tests: The results of the automated tests are evaluated by the TÜViT experts, checked for false positives and then summarized in the report.
     
  • Recommended measures to remedy the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
     
  • References: If available, we provide references to vulnerability databases (e.g., CVE).
     
  • Technical Appendices: If available, further information and files on the tests performed are provided as an Appendix, e.g. the raw results of the port and vulnerability scans.

Procedure of a web application security pentest


Preparation & Kickoff

Clarification of specific technical & organizational aspects, as well as the preconditions.

Information Gathering & Analysis

Determination of fundamental information about the subject of the analysis.

Performance of Penetration Tests

Analysis of the selected web application on the basis of the collected information.

Final Report

Summary of all results of the analysis in the form of a Final Report.


Optional: Re-Test

Check whether the implemented improvement and defense measures are working effectively.


Frequently asked questions (FAQ):

Which test methods do we offer?

  • Black box
    Pentest without additional information
     
  • Gray box (standard)
    Pentest with additional information, e.g. test access data and (API) documentation
     
  • White box
    Pentest with further additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data

On what standards does TÜViT align itself when conducting penetration tests?

The TÜViT experts' approach is aligned with the OWASP Application Security Verification Standard (ASVS), which describes fundamental security requirements for web applications, as well as the OWASP Web Security Testing Guide (WSTG), which shows how the requirements from the ASVS can be verified. Furthermore, the OWASP Top 10 vulnerabilities for web applications as well as the BSI's Implementation Concept for Penetration Tests are taken into account.

How long does a test take?

The test duration depends on the selected type of analysis (Level 1 to 3) – see above. Irrespective of the actual testing effort, a period of at least 1 week should be planned for the Spot Check (Level 1) and at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) Pentest.

What does a pentest cost?

The costs depend on the type of analysis selected (Levels 1 to 3), resulting in the following prices: Spot Check starting at €3,900; Regular Pentest starting at €7,900; Advanced Pentest starting at €14,900.

Why we are a strong partner for you

Expertise

With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision, IS consulting and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services and solutions that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We consult and support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

You have questions? We are pleased to help!


Gerald Krebs

Global Account Manager

+49 201 8999-411
Fax : +49 201 8999-666

g.krebs@tuvit.de

Alexander Padberg

Sales Manager

+49 201 8999-614
Fax : +49 201 8999-666

a.padberg@tuvit.de

Further services

  • Penetration Tests: As an IT security service provider for penetration testing we help to identify organizational and technical security vulnerabilities.
  • System and Network Security: The commonest targets of hacker attacks are the IT systems and data networks of companies. In order to detect attacks as early as possible, TÜViT offers penetration tests on system and network levels.
  • Web Application Security: In order to enable you to secure the applications that drive your business, TÜViT offers penetration tests for web applications tailored to your needs.
  • Advanced Persistent Threats: Advanced Persistent Threats (APTs) are highly developed and targeted attacks that operate covertly in order to leave no visible traces. TÜViT offers various modules to prevent Advanced Persistent Threats.
  • Enhanced Security Services: TÜViT offers Enhanced Security Services to keep your IT security level high at all times: from monitoring and retesting up to Red Teaming.
  • Mobile Security: TÜViT's mobile-specific testing approach offers optimal protection for your mobile data, from the analysis of mobile strategy and evaluation of IT infrastructure including mobile device management systems, through to application testing.
  • Industrial Security: In the context of the Internet of Things (IoT), the networking of systems for process control, production and automation is increasing dramatically. As a result, challenges are also increasing in relation to security. TÜViT offers security checks and penetration tests in order to reduce security vulnerabilities in your production infrastructure.
  • SQ Best Practice Certification Procedure: With its Security Qualification (SQ), TÜViT offers a standardized and flexible certification procedure that allows the integrated analysis of products and networked system solutions.
  • CyberSecurity Certified (CSC): Are you a manufacturer of a CIoT product and want the security of your (smart home) device confirmed by an independent third party? Then we will be happy to accompany you on your way to a successful CSC certificate.