Webportals

Web Application Penetration Testing

  • Compliance certification for OWASP Top Ten certifications

  • Web portal penetration testing(CSPF Methodology)

Information Gathering:

  • Check website’s robots.txt .(Reaction to Spiders, Robots, and Crawlers)
  • Indexing by Search Engine’s.(Check for document/information disclosure)
  • Web Application Fingerprinting.
  • Information Disclosure due to error messages and banner grabbing.
Configuration Testing:
  • SSL/TLS checks.
  • Database testing.
  • Check for backup files and databases.
Authentication Testing:
  • Check if credential transport is over encrypted.
  • Testing for authenticationbypass bugs.
  • Bruteforce and Dictionary attacks against login forms.
  • Test password reset forms.
  • Testing CAPTCHA implementation.
Session Management:
  • Testing how web application handles expired cookies and browser cache.
  • Check how web application reacts to spoofed or forged cookies.
  • Testing for CSRF. (Cross Site Request Forgery)
Authorization Testing:
  • Check for path transversal vulnerabilities.
  • Testing for Privilege escalation of accounts.
Data Validation Testing:
  • Check for Cross Site Scripting (XSS):
  1. Reflected
  2. Stored
  3. DOM based
  • Cross Site Flashing
  • Check for SQL Injection:
  1. Oracle
  2. MySQL
  3. MsSQL
  4. SQL Server
  5. MS Access
  6. PostgreSQL
  • LDAP Injection
  • ORM Injection
  • XML Injection
  • SSI Injection
  • IMAP/SMTP Injection
  • Code Injection
  • Command Injection
  • Overflow vulnerabilities
DOS Attacks
  1. SQL wildcard attacks.
  2. Locking accounts.
  3. Buffer Overflow.
AJAX Testing
Web Services Testing
  • SOAP Attacks.
  • Replay Testing.
Tools to be used:
  • Burp Suite.
  • Iron Wasp.
  • Retina Scanner.
  • SqlMap.
  • Havij.
  • Metasploit. (Web modules)
  • Nmap.
  • Netcat.
  • Nessus.
  • Joom Scan.
  • W3af.
  • FOCA.
  • Maltego.
  • Xenotix XSS Framework.
  • Assortment of stress testers.
  • WP scan (If applicable).