Web application auditing

If you are running a website, e-shop or any other web application, you are constantly exposed to information security news. Easily exploited vulnerabilities in commonly used software may cause outages of your web portal, or worse, lead to data loss and leaks. The best defence is, as usual, prevention, and in these cases the best prevention is regular web application auditing.

We are not trying to reinvent the wheel – that is why we use a peer-reviewed methodology and test your websites against the OWASP TOP 10 list.

OWASP TOP 10

The list of the vulnerabilities tested follows:

  1. Cross Site Scripting (XSS).
    A method of penetrating web pages using security flaws in associated scripts (mainly input fields that are not sanitized). Using vulnerabilities of this kind the attacker can inject custom code into the web page and exploit this ability either to damage the page design or to stop it from working at all. It is also commonly used for gaining unauthorized access to confidential information, for bypassing security measures in general and for criminal activities such as phishing.
  2. Injection flaws.
    SQL injection is a method of attacking the database layer of the application by injecting database language code through a non-sanitized input field. This unwanted behaviour emerges on the border between the application and database layers – which are usually two different running programs – and can be prevented by using a proper database abstraction layer which ensures that untrusted data from input fields is properly encapsulated before being sent to the database engine.
  3. Malicious File Execution.
    If the attacker somehow manages to get malicious data onto the application server, this vulnerability allows such data to be executed, opening a whole range of attack vectors.
  4. Insecure Direct Object Reference.
    Vulnerabilities of this class allow the attacker to gain information about individual database objects of the target application without proper authorization. This also opens the possibility of gaining access to internal system information.
  5. Cross Site Request Forgery (CSRF).
    A method allowing the attacker to forge a web form on another web site which is then used to send an unwanted request on behalf of the attack victim – a legitimate user of the web site. It is commonly possible to mount this attack by composing an appropriate HTTP request without actually creating any HTML form.
  6. Information Leakage and Improper Error Handling.
    In case of an application error, a proper configuration of how debug information is displayed is necessary. This class of vulnerabilities allows the attacker to obtain certain system information after causing the application to report an error. An example of this vulnerability would be exposing the full script path after an invalid value is entered into an input field.
  7. Broken Authentication and Session Management.
    Login and subsequent session management are an important part of overall application security. Failure to enforce authentication, or allowing an attacker to steal a legitimate user’s session, may allow unauthorized data access. It is important to transmit login credentials securely and to ensure safe storage of session identifiers.
  8. Insecure Cryptographic Storage.
    A broad class of vulnerabilities allowing the attacker to compromise the private key of one or both communicating parties.
  9. Insecure Communications.
    Giving an attacker the opportunity to capture the communication of other parties is a dangerous vulnerability in the many applications employing no or weak encryption.
  10. Failure to Restrict URL Access.
    If the application allows anonymous access to pages that should be available only to authenticated users, a wide range of vulnerabilities can emerge, exposing possibly confidential data or system information.
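To make items 1, 2 and 5 of the list concrete, the following is an added example written for this page (it is not Trustica's audit tooling and not code from any audited site). It shows each flaw as a vulnerable function next to its fixed form: a login query built by string concatenation versus a parameterised one (injection), unescaped versus escaped HTML output (XSS), and a state-changing request accepted on the session cookie alone versus one that also requires a session-bound CSRF token. The database, user records, secret and request dictionaries are all constructed inline for the demonstration; the function names are hypothetical.

```python
"""Vulnerable vs. fixed handling of untrusted input for three OWASP items.

Everything here is constructed for illustration: the sqlite3 database, the
sample users, the HMAC secret and the request dictionaries are not real data.
"""
import hashlib
import hmac
import html
import sqlite3


# --- Item 2: injection flaws -------------------------------------------------

def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed users (not real credentials)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, pw: str) -> bool:
    """The input field is pasted into the SQL text, so it is not encapsulated:
    quote characters in the input change the structure of the query."""
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return db.execute(query).fetchone() is not None


def login_fixed(db: sqlite3.Connection, name: str, pw: str) -> bool:
    """The DB-API abstraction layer sends the input as bound parameters, so the
    database engine only ever compares it as data against the column."""
    query = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return db.execute(query, (name, pw)).fetchone() is not None


# --- Item 1: cross site scripting --------------------------------------------

def render_vulnerable(comment: str) -> str:
    """User content is placed into the page unchanged, so markup in it is
    interpreted by the browser as part of the page."""
    return f"<p>{comment}</p>"


def render_fixed(comment: str) -> str:
    """Output encoding: every character with a meaning in HTML is escaped, so
    the content is displayed literally instead of executed."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- Item 5: cross site request forgery --------------------------------------

def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Token derived from the session id with a server-side secret; a page on
    another site cannot compute it because it never sees the secret."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(secret: bytes, session_id: str, token: str) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    return hmac.compare_digest(issue_csrf_token(secret, session_id), token)


def transfer_vulnerable(request: dict) -> str:
    """Accepts any request that carries the session cookie. The browser attaches
    the cookie automatically, so a request composed on another site passes."""
    if request.get("cookies", {}).get("session") is None:
        return "401 not logged in"
    return "200 transfer done"


def transfer_fixed(secret: bytes, request: dict) -> str:
    """Requires, in addition to the cookie, a token only the legitimate page
    could have embedded in its form."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 not logged in"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf(secret, session_id, token):
        return "403 csrf check failed"
    return "200 transfer done"


if __name__ == "__main__":
    db = make_db()
    # Constructed injection payload: closes the quote and comments out the rest.
    print("vulnerable login:", login_vulnerable(db, "alice' --", ""))  # True
    print("fixed login:     ", login_fixed(db, "alice' --", ""))       # False
    print(render_fixed("<script>alert(1)</script>"))
    secret = b"constructed-server-secret"
    forged = {"cookies": {"session": "sess-1"}, "form": {"amount": "100"}}
    print("vulnerable transfer:", transfer_vulnerable(forged))
    print("fixed transfer:     ", transfer_fixed(secret, forged))
```

The audit checks for these three items reduce to the same question the code makes visible: does untrusted input reach the database engine, the browser, or a state-changing handler as data that the server has explicitly encapsulated, encoded, or bound to the user's session, or does it reach them as raw text?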

Audit reports

After we have thoroughly tested your web application and have analysed the information gathered, we will provide you with:

  • a detailed technical report describing the deficiencies found – including a relevant risk assessment,
  • a management report with suggested corrective actions.

Of course we will be more than happy to discuss the technical aspects with your programmers, and we are willing to help them design proper solutions addressing the deficiencies found.

Trustica carried out a penetration test of the new website of the Ministerstvo průmyslu a obchodu ČR (Ministry of Industry and Trade of the Czech Republic). The test was carried out on the shortest possible schedule, just a few days before the launch of the new site.

-Ministerstvo průmyslu a obchodu ČR
Ing. Jindřich Ptáček