Protection of web applications

Minimizing the risks & increasing the security of your web application with the help of penetration tests

If web applications are not sufficiently protected, they risk becoming the target of potential hacker attacks. These place not only sensitive customer data in danger, but also internal company networks.

With the help of penetration tests (pentests), we support you in securing your web application in the best possible way against cyberattacks and data theft. Our experts review established security measures, determine specific risks and identify vulnerabilities.

Furthermore, they carry out analyses at the network level (port and vulnerability scans), so that the underlying backend system (web server) is also checked with respect to its security. You then receive the results of our analyses in the form of a detailed report which, among other things, also contains recommendations for action in order to eliminate vulnerabilities.

Web application security: penetration tests against web applications

Request an individual offer

Our services: three levels of the analysis

Web Application Security – Services: Spot Check Level 1

Spot Check

Level 1

Initial assessment of the security level in the context of a sample.

Random sample / First assessment

Web Application Security – Services: Regular Pentest Level 2

Regular Pentest

Level 2

Deep investigation to identify the most common risks and vulnerabilities for web applications.

For most applications

Web Application Security – Services: Advanced Pentest Level 3

Advanced Pentest

Level 3

A more in-depth analysis that – in addition to Level 2 – also identifies hard-to-exploit risks and vulnerabilities, especially through additional test scenarios.

High security level

To the detailed overview

Penetration tests (incl. backend systems, web services & APIs) examine the respective web application for the most critical or most frequently exploited security risks.

The focus here is on the following areas:

Input & Output Validation: If user input data are not sufficiently validated, injection vulnerabilities (e.g., cross-site scripting (XSS), XML external entities (XXE), SQL injection,) can – among other things – result in data loss, data corruption or a system takeover (remote code execution). An attempt is made by means of targeted injection attacks to "smuggle" malicious code into the application.
Authentication / Session Management: Authentication and session management errors may allow attackers to take over the identity of other users, e.g. by means of brute force attacks, weak session IDs or the use of insecure passwords.
Access Control (Authorization) / U Separation: If access rights for authenticated users are not correctly implemented, attackers may be able to access functions or data of other users.
Data Security: It must be ensured that the web application is configured in such a way that forms of access are only possible via the intended, secured/encrypted communication paths. Access to resources and functions that are not required must therefore be restricted (e.g. by means of cookie flags, HTTP security headers).
Safety-related Misconfiguration / Hardening: Through the use of components with known vulnerabilities, standard accounts, unused (example, test) pages or misconfigurations, etc., it may be possible to gain unauthorized access to sensitive information or the underlying system (web server).
Business/Application Logic: In the case of multi-stage mapped business processes, it must be ensured that the implemented application logic cannot be misused (e.g., breakout from a designated registration process).
Disclosure of Security-related Information (Information Gathering/Disclosure): Web pages and responses from web applications and web services may contain security-relevant information (e.g. version details) with the help of which attackers can circumvent security mechanisms and exploit vulnerabilities.
Cryptography / SSL and TLS: Information which is exchanged between the client of the user and the server must be sufficiently encrypted and protected. If there are vulnerabilities in the SSL/TLS configuration, for example, the probability increases that potential attackers can also read transmitted data (confidentiality), manipulate data (integrity) and impersonate a legitimate trusted party or service without authorization (authenticity) – and in this manner successfully carry out man-in-the-middle attacks, for example.
Analyses at the Network Level: The penetration test includes a network-level analysis of the web application’s web server (one IP address). Port scans, a check of the SSL/TLS configuration and vulnerability scans are carried out.
(Optional) Data Protection: Besides technical analyses, the Terms of Use (T&Cs) of a web application can also be reviewed with regard to data protection aspects.

All results of an analysis are made available to the client in the form of a detailed final report.

The final report is always created individually and in an easily understandable form by our experts (no automatic generation) and contains at least the following information:

Introduction: A brief description of the test object and the aim of the pentest.
Management/Executive summary: A summary of the results.
Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
Clear representation: Clear representation of all identified vulnerabilities in a table.
Detailed description of vulnerabilities & Proof-of-Concept: For each vulnerability there is an individual description that reflects precisely how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
Evaluation of automated tests: The results of the automated tests are evaluated by the TÜViT experts, checked for false/positive results and then summarized in the report.
Recommend measures to remedy the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
References: If available, we provide references to vulnerability databases (e.g., CVE).
Technical Appendices: If available, further information and files on the tests performed are provided as an Appendix, e.g. the raw results of the port and vulnerability scans.

Procedure of a web application security pentest

Web Application Security Pentest Procedure: Preparation & Kickoff

Clarification of specific technical & organizational aspects, as well as the preconditions.

Web Application Security Pentest Procedure: Information Gathering & Analysis

Determination of fundamental information about the subject of the analysis.

Web Application Security Pentest Procedure: Performance of Penetration Tests

Analysis of the selected web application on the basis of the collected information.

Web Application Security Pentest Procedure: Final Report

Summary of all results of the analysis in the form of a Final Report.

Ablauf Web Application Security Pentest: Re-Test (Optional)

Optional: Re-Test

Check whether the implemented improvement & defense measures are working (effectively).

Frequently asked questions (FAQ):

Which test methods do we offer?

Black box
Pentest without additional information
Gray box (standard)
Pentest with additional information, e.g. test access data and (API) documentation
White box
Pentest with further additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data

On what standards does TÜViT align itself when conducting penetration tests?

The TÜViT experts’ approach is aligned on the OWASP Application Security Verification Standard (ASVS), which describes fundamental security requirements for web applications, as well as the OWASP Web Security Testing Guide (WSTG), which shows how the requirements from the ASVS can be verified. Furthermore, the OWASP Top 10 Vulnerabilities for Web Applications as well as the Implementation Concept for Penetration Tests of the BSI are taken into account.

How long does a test take?

The test duration depends on the selected type of analysis (Level 1 to 3) – see above. Notwithstanding the test period, a period of at least 1 week is assumed for the Spot Check (Level 1) or at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) Pentest.

What does a pentest cost?

The costs depend on the type of check selected (levels 1 to 3) as well as the complexity of the subject of the check. A Spot Check is in the lower to mid four-digit range. The Regular Pentest is in the upper four-digit or lower five-digit range and the Advanced Pentest starts in the lower five-digit range. For an exact price indication we need more information about your web application.

Request an individual offer

Expertise

With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision, IS consulting and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We consult and support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

You have questions? We are pleased to help!

Send mail +49 201 8999-614 Contact

Alexander Padberg Global Account Manager Cyber Security

Send mail +49 201 8999-411 Contact

Gerald Krebs Global Account Manager