Application Testing

During ProCheckUp's 21 years of experience in auditing web applications, the functionality and complexity of web applications has increased, as has the range of platforms supported. To meet these demands, ProCheckUp offers a wide range of application auditing services, from standard web browser applications to mobile applications, thick client applications and web service APIs. All application auditing is conducted manually by our highly qualified penetration testing experts, with the aid of tools. We believe that tools should never be solely relied upon to find issues, as many issues would be missed.

Regardless of the application being tested, ProCheckUp believes that one of the most important, and most often overlooked, phases is to fully analyse and understand the application before jumping in and looking for the OWASP Top 10. Each application is unique and should be treated as such. During this initial phase, our experts start to formulate an attack plan by identifying the areas which require the most focus, whilst still ensuring maximum coverage and identifying the areas most likely to be targeted by an attacker. ProCheckUp identifies the most serious threats to the company in the context of each application. In addition, ProCheckUp engages with the client during scoping to determine whether the client has any key areas of concern.

Web browser application testing

Web application testing can be conducted remotely (Internet-based) or internally (on the client site). Whilst each engagement is tailored to the particular technologies and functions used by the application, at a minimum for each assessment consultants evaluate security across the following key areas (each of which incorporates, but is not limited to, OWASP guidelines):

  • Reconnaissance and Application Content Discovery
  • Authentication and Session Management
  • Transport Encryption and Data Storage
  • Authorisation
  • Input Validation and Sanitisation
  • Application Context, Logic and Workflow Weaknesses
  • Information Leakage
  • Known Vulnerabilities with Incorporated Software
  • Supporting Infrastructure Configuration

At the end of every engagement the client receives a final deliverable: a full technical report containing full details of all potential vulnerabilities identified (along with recommended remediation steps), together with an executive summary (management) section giving a high-level description of the higher-impact security issues identified.

Mobile application testing

The aim of this service is to determine whether any security weaknesses, whether through vulnerabilities, configuration weaknesses or non-compliance with security best practices, are applicable to a mobile application. Unlike web application testing (which is typically thin client/browser-based), mobile application testing focuses on compiled applications where a greater proportion of the processing and functionality is dependent on the application itself. Whilst each engagement is tailored to the particular technologies and functions used by the application, at a minimum for each assessment consultants evaluate security across the following key areas:

  • Local Data storage
  • Reverse Engineering
  • Session Management
  • Data in Transit
  • Running Processes
  • Application Filesystem
  • Input Validation
  • Known Vulnerabilities

At the end of every engagement the client receives a final deliverable: a full technical report containing full details of all potential vulnerabilities identified (along with recommended remediation steps), together with an executive summary (management) section giving a high-level description of the higher-impact security issues identified.

Thick client testing

The aim of this service is to determine whether any security weaknesses, whether through vulnerabilities, configuration weaknesses or non-compliance with security best practices, are applicable to a thick client (compiled) application. Unlike web application testing (which is typically thin client/browser-based), thick client testing focuses on compiled applications where a greater proportion of the processing and functionality is dependent on the application itself. Whilst each engagement is tailored to the particular technologies and functions used by the application, at a minimum for each assessment consultants evaluate security across the following key areas:

  • Local Data storage
  • Reverse Engineering
  • Session Management
  • Data in Transit
  • Running Processes
  • Application Filesystem
  • Input Validation
  • Known Vulnerabilities

At the end of every engagement the client receives a final deliverable: a full technical report containing full details of all potential vulnerabilities identified (along with recommended remediation steps), together with an executive summary (management) section giving a high-level description of the higher-impact security issues identified.

Web service API testing

Web service (API) testing is manually intensive; unlike web application testing, there are limits to the number of methods and variables which can be tested in one day.

In order for ProCheckUp to produce a suitably detailed web service (API) report, it is essential to understand the web service (API) interfaces to be tested. This understanding is achieved through a series of scoping questions to ascertain the size and complexity of the web services. We would also need to be provided with an API client, or valid sample raw requests to the API endpoint along with the data schemas.

External web service testing is conducted over the Internet. We can also test internal web services via the Internet when Network Address Translation (NAT) is configured on the firewall and only ProCheckUp IP addresses are allowed access.

Discovery Mapping

If you are unsure of what types of web services are exposed to the Internet, ProCheckUp can perform a web service identification map. This process discovers web services on common ports and attempts to identify the API endpoints and available methods.

Enumeration

Once the web services have been identified, the services are enumerated and then crawled if necessary. In this phase, the testers follow all method references in the application in an attempt to map all of the content available. This is then analysed for dynamic content, user input and application variables. The information gathered in this phase is used in the later phases.

Authenticated Testing

If need be, ProCheckUp will ensure that the testing tools can authenticate to a web service to enumerate (and subsequently test) the content which is only available to authenticated users.

Testing

Once authentication has been successful and the content has been indexed, the penetration testing can commence. This searches the web service API for common issues, including those in the OWASP Top 10.

Whilst each engagement is tailored to the particular technologies and functions used by the application, at a minimum for each assessment, consultants evaluate security across the following key areas:

  • Username enumeration
  • SQL injection
  • XML injection
  • Cross-site scripting (XSS) attacks (2nd/3rd order)
  • Login manipulation
  • Account lockout
  • Buffer overflows

False Positives

Once the testing has completed, a ProCheckUp consultant analyses the results to verify that enough evidence has been collated to justify any findings that are reported. Where the evidence is insufficient, or the finding is likely to be a false positive, the consultant will attempt to confirm the issue.

Please contact us for more information on how ProCheckUp Application PenTesting Services can help you.
