• About
• Security testing
• IT Governance
• Training
• Projects
• Advisories

Web Application Tests

A buggy web application can lead to a complete infrastructure compromise (yes, we have seen cases like this in the real world). Web applications can suffer from all kinds of problems ranging from remote code injection (an attacker can make the application execute arbitrary code), to access control problems (one user can view other users' private data).

We offer in-depth security analysis of web applications, including if necessary a source code review. We have extensive exprerience testing various web applications, such as on-line banking, e-commerce, web mail, online customer care, forums, etc. We have performed source code reviews on applications written in Java, PHP, ASP, ASP.NET, C#, and C/C++.

Web applications are usually checked for the following problems:

• Authentication. Does the application provide sufficiently strong authentication? Are there any ways to bypass authentication? If passwords are used are password management mechanisms (password reset, password change) securely implemented?
• Authorization. Are authorization checks consistently implemented? Is it possble to access some pages in the application without authorization? Is it possible to perform actions that require authorization without it?
• Access control. Is it possible to access other users' data? Is it possible to gain access to administration or management functions?
• Session management. How is session management implemented? Is it possible to predict or guess session tokens?
• Application logic. Is it possible to make the application do something unexpected, for example, buy negative amount of items, or bypass order payment?
• SQL injection. Does the application properly handle user input when used in SQL queries?
• Cross-site scripting. Does the application treat user input properly if it is displayed to the same or other users?
• Code injection. Does the application use user input to construct include paths? Does the application use some user input in eval() statements? Is it possible to upload executable files?
  
• Directory traversals. Does the application use user input to construct file names?
• LDAP filter injection, XPath injection, etc.