Penetration Testing-Web Applications

SKU: PTW810609


Web Application Security Testing

A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of its security controls. A web application security test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found are presented to the system owner, together with an assessment of their impact and a proposal for mitigation or a technical solution.

Security Testing Scenarios

Information Gathering
  • Conduct Search Engine Discovery and Reconnaissance for Information Leakage
  • Fingerprint Web Server
  • Review Webserver Metafiles for Information Leakage
  • Enumerate Applications on Webserver
  • Review Webpage Comments and Metadata for Information Leakage
  • Identify Application Entry Points
  • Map Execution Paths through Application
  • Fingerprint Web Application Framework
  • Fingerprint Web Application
  • Map Application Architecture

Configuration and Deployment Management Testing
  • Test Network/Infrastructure Configuration
  • Test Application Platform Configuration
  • Test File Extensions Handling for Sensitive Information
  • Review Old, Backup and Unreferenced Files for Sensitive Information
  • Enumerate Infrastructure and Application Admin Interfaces
  • Test HTTP Methods
  • Test HTTP Strict Transport Security
  • Test RIA Cross Domain Policy

Identity Management Testing
  • Test Role Definitions
  • Test User Registration Process
  • Test Account Provisioning Process
  • Testing for Account Enumeration and Guessable User Account
  • Testing for Weak or Unenforced Username Policy
  • Test Permissions of Guest/Training Accounts
  • Test Account Suspension/Resumption Process

Authentication Testing
  • Testing for Credentials Transported over an Encrypted Channel
  • Testing for Default Credentials
  • Testing for Weak Lock Out Mechanism
  • Testing for Bypassing Authentication Schema
  • Test Remember Password Functionality
  • Testing for Browser Cache Weakness
  • Testing for Weak Password Policy
  • Testing for Weak Security Question/Answer
  • Testing for Weak Password Change or Reset Functionalities
  • Testing for Weaker Authentication in Alternative Channel

Authorization Testing
  • Testing Directory Traversal/File Include
  • Testing for Bypassing Authorization Schema
  • Testing for Privilege Escalation
  • Testing for Insecure Direct Object References

Session Management Testing
  • Testing for Bypassing Session Management Schema
  • Testing for Cookie Attributes
  • Testing for Session Fixation
  • Testing for Exposed Session Variables
  • Testing for Cross Site Request Forgery
  • Testing for Logout Functionality
  • Test Session Timeout
  • Testing for Session Puzzling

Data Validation Testing
  • Testing for Reflected Cross Site Scripting
  • Testing for Stored Cross Site Scripting
  • Testing for HTTP Verb Tampering
  • Testing for HTTP Parameter Pollution
  • Testing for SQL Injection
  • Testing for XML Injection
  • Testing for Code Injection
  • Testing for Local File Inclusion
  • Testing for Remote File Inclusion
  • Testing for Command Injection
  • Testing for Format String

Error Handling
  • Analysis of Error Codes
  • Analysis of Stack Traces

Cryptography
  • Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
  • Testing for Sensitive Information Sent via Unencrypted Channels

Business Logic Testing
  • Test Ability to Forge Requests
  • Test Integrity Checks
  • Test Upload of Unexpected File Types
  • Test Upload of Malicious Files

Client Side Testing
  • Testing for DOM Based Cross Site Scripting
  • Testing for JavaScript Execution
  • Testing for HTML Injection
  • Testing for Client Side URL Redirect
  • Testing for CSS Injection
  • Testing for Client Side Resource Manipulation
  • Test Cross Origin Resource Sharing
  • Testing for Cross Site Flashing
  • Testing for Clickjacking
  • Testing WebSockets
  • Test Web Messaging
  • Test Local Storage
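Several of the configuration, session-management and client-side items in the scope above (HTTP Strict Transport Security, cookie attributes, clickjacking defences, Cross Origin Resource Sharing, permitted HTTP methods and web server fingerprinting) can be screened from a single captured response before manual testing begins. The Python script below is an added example written for this page; it is not MSPKART's tooling and is not part of the original listing. The response it audits is constructed inline for the example, and the one-year HSTS threshold and the set of "risky" methods are the example's own assumptions.

```python
import re

# Constructed sample response (not captured from any real host). It is
# deliberately weak so that every check below has something to report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Allow: GET, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Assumption for this example: HSTS max-age shorter than one year is reported.
MIN_HSTS_MAX_AGE = 31536000
# Assumption for this example: methods worth a finding if the server allows them.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).
    Headers are kept as an ordered list because Set-Cookie may repeat."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def get_all(headers, name):
    """Return every value of a header (case-insensitive), in order."""
    return [v for n, v in headers if n == name.lower()]


def check_hsts(headers):
    """Test HTTP Strict Transport Security: present, long-lived, covers subdomains."""
    hsts = get_all(headers, "strict-transport-security")
    if not hsts:
        return ["HSTS: Strict-Transport-Security header absent"]
    findings = []
    m = re.search(r"max-age=(\d+)", hsts[0], re.I)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS: max-age shorter than one year (%s)" % hsts[0])
    if "includesubdomains" not in hsts[0].lower():
        findings.append("HSTS: includeSubDomains not set")
    return findings


def check_cookies(headers):
    """Testing for Cookie Attributes: every cookie needs Secure, HttpOnly, SameSite."""
    findings = []
    for raw in get_all(headers, "set-cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append("Cookie %s: missing %s" % (name, flag))
    return findings


def check_clickjacking(headers):
    """Testing for Clickjacking: X-Frame-Options or CSP frame-ancestors required."""
    xfo = get_all(headers, "x-frame-options")
    csp = " ".join(get_all(headers, "content-security-policy")).lower()
    if not xfo and "frame-ancestors" not in csp:
        return ["Clickjacking: no X-Frame-Options or CSP frame-ancestors"]
    return []


def check_cors(headers):
    """Test Cross Origin Resource Sharing: wildcard origin, worse with credentials."""
    findings = []
    acao = get_all(headers, "access-control-allow-origin")
    acac = get_all(headers, "access-control-allow-credentials")
    if acao and acao[0] == "*":
        findings.append("CORS: Access-Control-Allow-Origin is a wildcard")
        if acac and acac[0].lower() == "true":
            findings.append("CORS: wildcard origin combined with Allow-Credentials: true")
    return findings


def check_methods(headers):
    """Test HTTP Methods: report risky verbs advertised in the Allow header."""
    allowed = set()
    for v in get_all(headers, "allow"):
        allowed.update(m.strip().upper() for m in v.split(","))
    risky = sorted(allowed & RISKY_METHODS)
    return ["HTTP methods: %s enabled" % ", ".join(risky)] if risky else []


def check_server_banner(headers):
    """Fingerprint Web Server: a version number in Server is information leakage."""
    for v in get_all(headers, "server"):
        if re.search(r"\d+\.\d+", v):
            return ["Fingerprint: Server header discloses version (%s)" % v]
    return []


def audit(raw):
    """Run every check against one raw response and return the list of findings."""
    _status, headers = parse_response(raw)
    findings = []
    for check in (check_hsts, check_cookies, check_clickjacking,
                  check_cors, check_methods, check_server_banner):
        findings.extend(check(headers))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("[!]", finding)
```

The Allow header is normally obtained from an OPTIONS request, and an HSTS finding is only meaningful for a response served over HTTPS. A header screen like this narrows the manual work in the scope list but does not replace it: CORS origin reflection, for instance, must be tested with crafted Origin headers, and a missing SameSite attribute is a finding only once the CSRF test confirms the cookie protects a state-changing request.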

Assumptions & Dependencies
  • Availability of, and the necessary access to, the web application environment for the entire duration of the engagement.
  • The applications to be tested are, and remain, functionally stable during the course of the engagement.
  • Sample test data (including sample user credentials) will be provided by the client.
  • Support from the client's infrastructure or environment team will be provided during the performance data collection period for capturing the relevant metrics.
  • MSPKART intends to execute this testing from a remote location and does not anticipate any need for travel.
  • The required test accounts will be provided for security and penetration testing.
  • An application overview and access to application server and database details should be provided so that the configuration of the system can be understood.

Duration: 7 days

Note: cost is per application, per URL or per IP.

Billing: we require 50% advance payment to start the service and 50% at the end of the service.
Contact Us at [email protected] for Enterprise Sales.

1 review for Penetration Testing-Web Applications

  1. msdson12

    Job done with compliance team and report was excellent.
