Web Application Security: Optimum Protection against Attacks on Web Applications

The focus here is on the following areas:

• Input & Output Validation: If user input data are not sufficiently validated, injection vulnerabilities (e.g., cross-site scripting (XSS), XML external entities (XXE), SQL injection,) can – among other things – result in data loss, data corruption or a system takeover (remote code execution). An attempt is made by means of targeted injection attacks to "smuggle" malicious code into the application.
   
• Authentication / Session Management: Authentication and session management errors may allow attackers to take over the identity of other users, e.g. by means of brute force attacks, weak session IDs or the use of insecure passwords.
   
• Access Control (Authorization) / U Separation: If access rights for authenticated users are not correctly implemented, attackers may be able to access functions or data of other users. 
   
• Data Security: It must be ensured that the web application is configured in such a way that forms of access are only possible via the intended, secured/encrypted communication paths. Access to resources and functions that are not required must therefore be restricted (e.g. by means of cookie flags, HTTP security headers).
   
• Safety-related Misconfiguration / Hardening: Through the use of components with known vulnerabilities, standard accounts, unused (example, test) pages or misconfigurations, etc., it may be possible to gain unauthorized access to sensitive information or the underlying system (web server).
   
• Business/Application Logic: In the case of multi-stage mapped business processes, it must be ensured that the implemented application logic cannot be misused (e.g., breakout from a designated registration process).
   
• Disclosure of Security-related Information (Information Gathering/Disclosure): Web pages and responses from web applications and web services may contain security-relevant information (e.g. version details) with the help of which attackers can circumvent security mechanisms and exploit vulnerabilities.
   
• Cryptography / SSL and TLS: Information which is exchanged between the client of the user and the server must be sufficiently encrypted and protected. If there are vulnerabilities in the SSL/TLS configuration, for example, the probability increases that potential attackers can also read transmitted data (confidentiality), manipulate data (integrity) and impersonate a legitimate trusted party or service without authorization (authenticity) – and in this manner successfully carry out man-in-the-middle attacks, for example.
   
• Analyses at the Network Level: The penetration test includes a network-level analysis of the web application’s web server (one IP address). Port scans, a check of the SSL/TLS configuration and vulnerability scans are carried out.
   
• (Optional) Data Protection: Besides technical analyses, the Terms of Use (T&Cs) of a web application can also be reviewed with regard to data protection aspects.

The final report is always created individually and in an easily understandable form by our experts (no automatic generation) and contains at least the following information:

• Introduction: A brief description of the test object and the aim of the pentest.
   
• Management/Executive summary: A summary of the results.
   
• Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
   
• Clear representation: Clear representation of all identified vulnerabilities in a table.
   
• Detailed description of vulnerabilities & Proof-of-Concept: For each vulnerability there is an individual description that reflects precisely how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
   
• Evaluation of automated tests: The results of the automated tests are evaluated by the TÜViT experts, checked for false/positive results and then summarized in the report.
   
• Recommend measures to remedy the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
   
• References: If available, we provide references to vulnerability databases (e.g., CVE).
   
• Technical Appendices: If available, further information and files on the tests performed are provided as an Appendix, e.g. the raw results of the port and vulnerability scans.