Banner Insentis Portfolio IT Security

Web Application and Web-API Penetration Testing

Complex web applications and APIs offer a wide range of possible attack vectors, which makes them a popular target for attackers. To raise awareness of web application security, the Open Web Application Security Project (OWASP) maintains a list of the 10 most common vulnerabilities in web applications. The current version, the OWASP Top 10 of 2021, shows which threats web applications are commonly exposed to:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery

Web application penetration testing helps identify and address these vulnerabilities. To ensure that every aspect of the application under investigation is checked, our approach is based on the OWASP Web Security Testing Guide (WSTG), which contains a variety of test modules for verifying the OWASP Application Security Verification Standard (ASVS). In addition, we always check the underlying IT infrastructure for open ports, other vulnerable services, and the TLS configuration.

OWASP Application Security Verification Standard (ASVS)

During a web application penetration test, we check your application for compliance with the 283 security controls defined in the OWASP ASVS. Depending on the protection requirements of your application, the test is performed at Level 1 (basic), Level 2 (increased protection requirements), or Level 3 (maximum protection requirements).

OWASP ASVS
