Web Application Assessment

Web applications are a primary target for attackers. Applications have become major targets for a simple reason: they transact and access large amounts of personal and corporate data that attackers hope to monetize on black markets.

Our Web Application Assessment Service analyzes the critical components of a Web-based portal, e-commerce application, or Web platform. Using manual techniques, proprietary and commercial tools, and custom programs created uniquely for each application, we pinpoint specific vulnerabilities and identify their underlying causes. Our assessments integrate detailed vulnerability and countermeasure information for authentication, authorization, session management, data integrity, data confidentiality, and privacy concerns.

Our techniques encompass and expand on the OWASP Top Vulnerabilities in Web Applications, including, but not limited to:

  •  Search for misused hidden tags within forms and exploit them to subvert application controls, such as modifying a price value in order to purchase a product for less, or changing a session identifier to retrieve another user’s profile information.
  •  Identify insecure session management schemes and attempt to subvert them.
  •  Enumerate URLs and query-string parameters, then identify parameters that may be susceptible to input-validation and session-breaking vulnerabilities.
  •  Search for unnecessary comments and information in HTML source and include files that reveal detailed information about the application.
  •  Search for external links that represent a vector of attack to or from another application.
  •  Evaluate the use of scripting languages (JavaScript, VBScript, and JScript), which can provide alternate methods of attack.
  •  Attempt to inject SQL statements to perform fraudulent requests, view application data, or bypass user authentication.
  •  Attempt to execute SQL commands to enumerate database information, view host data, or execute arbitrary commands on the database host.
  •  Inject client-side code (JavaScript and VBScript) to steal cookies or execute commands.
  •  Attempt to bypass browser security policies and exploit browser vulnerabilities.
  •  Attempt to create an attack based on social engineering.
  •  Analyze randomly generated values for time-based dependencies.
  •  Analyze obfuscated tokens to determine if they have been encoded or encrypted.
  •  Analyze tokens for deterministic information such as date stamps, host information, or counters that can be exploited for session impersonation attacks.
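To illustrate the hidden-form-tag problem in the first item above, here is an added example (not code from this page or from any assessed application) showing a checkout handler that trusts a hidden price field beside a hardened version that prices orders only from a server-side catalogue; the catalogue, SKUs and form submission are constructed sample data.

```python
# Added example: trusting a hidden "price" form field vs. pricing server-side.
# CATALOGUE, the SKUs and TAMPERED_FORM are constructed sample data.
from decimal import Decimal, InvalidOperation

# The only trustworthy source of prices: server-side state, never the form.
CATALOGUE = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("199.00"),
}


class InvalidOrder(ValueError):
    """Raised when a submitted order fails server-side validation."""


def vulnerable_checkout(form: dict) -> Decimal:
    """Charges whatever the hidden 'price' tag says; the client sets the price."""
    return Decimal(form["price"]) * int(form["qty"])


def price_tampered(form: dict) -> bool:
    """Detection aid: True when a client-supplied price disagrees with the
    catalogue (worth logging as an integrity alert, never worth trusting)."""
    submitted = form.get("price")
    if submitted is None or form.get("sku") not in CATALOGUE:
        return False
    try:
        return Decimal(submitted) != CATALOGUE[form["sku"]]
    except InvalidOperation:
        return True  # non-numeric price is tampering or a broken client


def hardened_checkout(form: dict) -> Decimal:
    """Validates sku and qty, ignores any client price, prices from CATALOGUE."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise InvalidOrder(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise InvalidOrder("qty is not an integer")
    if not 1 <= qty <= 100:
        raise InvalidOrder("qty out of range")
    if price_tampered(form):
        print(f"ALERT: price tampering on sku={sku} submitted={form['price']}")
    return CATALOGUE[sku] * qty


# Constructed submission in which the hidden price tag was lowered to 1.00.
TAMPERED_FORM = {"sku": "sku-200", "qty": "1", "price": "1.00"}

if __name__ == "__main__":
    print(vulnerable_checkout(TAMPERED_FORM))  # 1.00
    print(hardened_checkout(TAMPERED_FORM))    # 199.00
```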