Web Application Penetration Testing

  • Job type: Remote
  • Job Duration: Less than a month
  • Project Level: Expensive
  • Project deadline: Expired

Project detail

Security Assessment

  • Full Customization of Testing
  • Web Application Penetration Testing:
  • SANS Top 25 Full Coverage
  • OWASP Top 10 Full Coverage
  • PCI DSS 6.5.1-6.5.11 Full Coverage
  • AI to Augment Human Testing and Analysis
  • Machine Learning to Accelerate Testing
  • Authenticated Testing (2FA / SSO)
  • REST/SOAP API Testing

Reporting

  • Threat-Aware Risk Scoring
  • Tailored Remediation Guidelines
  • Web Interface, PDF and XML Formats
  • PCI DSS and GDPR Compliances
  • CVE, CWE and CVSSv3 Scores
  • Zero False-Positive SLA

Security Reporting Standards

  • Common Vulnerabilities and Exposures (CVE) Compatible
  • Common Weakness Enumeration (CWE) Compatible
  • Common Vulnerability Scoring System (CVSSv3)
  • OWASP Application Security Verification Standard (ASVS v4.0.2) Mapping

Remediation

Patch Verification Testing (one round)

Covered Vulnerabilities

OWASP Top 10

  • A1: Broken Access Control
  • A2: Cryptographic Failures
  • A3: Injection
  • A4: Insecure Design
  • A5: Security Misconfiguration
  • A6: Vulnerable and Outdated Components
  • A7: Identification and Authentication Failures
  • A8: Software and Data Integrity Failures
  • A9: Security Logging and Monitoring Failures
  • A10: Server-Side Request Forgery

PCI DSS

  • Improper Access Control
  • Insecure Communications
  • Cross-Site Request Forgery (CSRF)
  • Improper Error Handling
  • Broken Authentication and Session Management
  • Injection Flaws
  • Several other “High” Risk Vulnerabilities
  • Buffer Overflows
  • Cross-Site Scripting (XSS)
  • Insecure Cryptographic Storage

SANS Top 25

Full Coverage of SANS Top 25 for all packages

  • CWE-22: Path Traversal
  • CWE-89: SQL Injection
  • CWE-78: Command Injection
  • CWE-89: Blind SQL Injection
  • CWE-79: Stored XSS
  • CWE-90: LDAP Injection
  • CWE-79: Reflected XSS
  • CWE-91: XML Injection
  • CWE-79: DOM-Based XSS
  • CWE-93: CRLF Injection
  • CWE-94: Code Injection
  • CWE-113: HTTP Response Splitting
  • CWE-94: AJAX Injection
  • CWE-200: Information Exposure
  • CWE-94: JSON Injection
  • CWE-255: Credentials Management
  • CWE-97: SSI Injection
  • CWE-284: Improper Access Control
  • CWE-98: Remote/Local PHP File Inclusion
  • CWE-287: Authentication Bypass
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-384: Session Fixation
  • CWE-400: Resource Exhaustion
  • CWE-434: Arbitrary File Upload

Startup WAPT

Small Dynamic Websites

Presentational Websites

Audit a Small part of a Web App

Business Websites

WordPress

Drupal

Few Third-Party Plug-Ins

Red Teaming Exercises

WAPT Report in 3 business days

Languages required

Freelancer type required for this project

Project Completion deadline

4 March 2020