Web Application Pentesting

About

Web applications are commonly used to support key business functions and often hold critical or private data. They may be exposed to the general internet, and the impact of a compromise can be substantial.

Penetration Testing will help to identify vulnerabilities within the application so that you can resolve them.

Web Application Penetration Testing is our bread and butter. Our consultants have carried out hundreds of these assessments over the years.

How we can help

Pākiki have extensive experience carrying out security testing on web applications. Whether they are:

We can help identify the vulnerabilities before they are exploited, and will provide detailed and practical remediation advice on how to fix them.

Methodology

We follow the OWASP testing methodology to ensure broad coverage across the main vulnerability classes. This explicitly includes checking for the OWASP Top 10 categories, where those items can reasonably be tested within the engagement. Broadly speaking, this involves checking for:

  1. Information Gathering: understanding the application and how it communicates to and from any backing servers, and what application framework and platforms it is using, so that we can further target and tailor any attacks.
  2. Authentication: how do users log in? Are all non-public pages adequately protected? Is there any way to bypass the login process, or is it weak in any way?
  3. Authorisation: are users only able to gain access to the data and resources that you intend them to?
  4. Session management: at a technical level, how does the site keep track of who is logged in, and is there any way to hijack another user’s session?
  5. Input validation: are there any places where user input is mixed with “code” which may be executed by either the web browser or any backing services?
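
To make items 3 and 5 concrete, here is an added example (not Pākiki’s code or tooling): a login query that mixes user input with SQL and a document lookup with no ownership check, each beside its hardened form, run against a constructed in-memory SQLite database. The table and column names, the sample users and the payload are assumptions made for illustration; the plaintext passwords exist only to keep the sample short.

```python
# Added example (not Pākiki's code): two of the checks listed above, shown
# as a vulnerable query beside its hardened form against a constructed
# in-memory SQLite database. Table, column and user names are assumptions;
# real applications should never store plaintext passwords.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one document."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-pw'), (2, 'bob', 'bob-pw');
        INSERT INTO documents VALUES (10, 1, 'alice secret'), (20, 2, 'bob secret');
        """
    )
    return conn


# --- Input validation (item 5): user input mixed with SQL ----------------

def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the query by string formatting, so the input becomes SQL."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username: str, password: str) -> list:
    """Parameterised query: the driver never interprets the input as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# --- Authorisation (item 3): object access without an ownership check ---

def get_document_vulnerable(conn, requesting_user_id: int, doc_id: int):
    """Looks the document up by id only, so any logged-in user can read any document."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_fixed(conn, requesting_user_id: int, doc_id: int):
    """Scopes the lookup to documents owned by the requesting user."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, requesting_user_id),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Runs each check: user 2 (bob) tries a login bypass and reads alice's document."""
    conn = build_db()
    bypass = "' OR '1'='1"   # classic login-bypass payload, constructed here
    return {
        "sqli_vulnerable": login_vulnerable(conn, bypass, bypass),   # every user
        "sqli_fixed": login_fixed(conn, bypass, bypass),             # no match
        "idor_vulnerable": get_document_vulnerable(conn, 2, 10),     # alice's doc
        "idor_fixed": get_document_fixed(conn, 2, 10),               # None
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result!r}")
```

The vulnerable login returns every user because the injected `OR '1'='1'` makes the WHERE clause true for all rows, while the parameterised version treats the payload as a literal username and matches nothing. The vulnerable document lookup is the kind of finding a tester reports under authorisation: the id is predictable and nothing ties it to the caller, so the fix is to include the caller’s identity in the query rather than to hide the id.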

Where practical, we strongly recommend a whitebox approach, where the consultant is given access to the source code. This allows us to be more efficient in the time we have available to us and allows us to provide more detailed advice on how to resolve any issues.

Get in touch

We’d love to hear about your next project.