A web application penetration test identifies weaknesses within the application, ranging from outdated software, weak passwords and loose access controls to clickjacking and injection attacks. Our team will methodically examine common vulnerabilities and provide clear, concise remediations. Each assessment focuses on identifying vulnerabilities so that they can be remediated, improving the overall security of the application in scope.
Steps For Web Application Penetration Testing
The steps below summarise the methodology we use for Web Application penetration testing.
Step 1) – Reconnaissance
Step one is reconnaissance. The application is thoroughly assessed to determine which technologies are used, what functionality is present, and whether further undisclosed features exist (e.g., back-end login portals, API functionality). The CYBX team is experienced at enumerating such items.
Step 2) – Testing (OWASP Top 10, SANS Top 25)
Step two forms the bulk of the penetration testing methodology. At this stage the tester(s) conduct a complete application assessment and, where required, exploit weaknesses to confirm and document them. All applicable categories within the OWASP Top 10 and the SANS Top 25 (the CWE/SANS Top 25 Most Dangerous Software Weaknesses) are tested to ensure coverage of the application against the most critical and prevalent weakness classes recognised within the industry. The OWASP Top 10 and SANS Top 25 are the most widely recognised web application security priority lists available today; they are awareness documents rather than exhaustive test plans, and are followed strictly to ensure that the most critical tests are covered in detail.
Step 3) – Reporting
The final step collates all findings from the reconnaissance and testing phases of the engagement into a comprehensive report detailing the findings, the methodology used to discover them, and remediation steps to resolve any issues present within the application. Each finding has a specific action tied to it, giving clear remediation guidance to eliminate the identified security risk.
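The following is an added example, not CYBX's own tooling, showing the shape of the three steps above in code: fingerprinting the stack from response headers and cookie names, probing for undisclosed paths, running one small checkable slice of the OWASP Top 10 (security misconfiguration: version disclosure, clickjacking protection, HSTS), and collating the results into findings that each carry a remediation action. The host target.example, the wordlist, and the fetch callable are assumptions; the responses are constructed in memory so the script runs offline, and a real HTTP client would be substituted for `fake_fetch` on a live engagement.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str]]   # (HTTP status, response headers)
Fetcher = Callable[[str], Response]     # swap in a real HTTP client for a live engagement

BASE = "https://target.example"         # hypothetical in-scope host (assumption)

# Constructed sample responses standing in for a live target (not captured from a real site).
FAKE_SITE: Dict[str, Response] = {
    "/": (200, {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24",
                "Set-Cookie": "PHPSESSID=c3f1a9; path=/"}),
    "/admin/": (302, {"Server": "Apache/2.4.29 (Ubuntu)", "Location": "/admin/login"}),
    "/api/v1/": (401, {"Server": "Apache/2.4.29 (Ubuntu)", "WWW-Authenticate": "Bearer"}),
}

def fake_fetch(url: str) -> Response:
    """Offline stand-in for an HTTP GET; unknown paths return 404 as the fake server would."""
    path = url[len(BASE):] or "/"
    return FAKE_SITE.get(path, (404, {"Server": "Apache/2.4.29 (Ubuntu)"}))

def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare on a lower-cased copy."""
    return {k.lower(): v for k, v in headers.items()}

# ---- Step 1: reconnaissance --------------------------------------------------------
COOKIE_HINTS = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
                "ASP.NET_SessionId": "ASP.NET"}

def fingerprint(headers: Dict[str, str]) -> Dict[str, str]:
    """Infer the stack from banner headers and the session-cookie name: {product: version}."""
    h = _lower(headers)
    techs: Dict[str, str] = {}
    for name in ("server", "x-powered-by"):
        for token in h.get(name, "").split():      # "Apache/2.4.29 (Ubuntu)" -> "Apache/2.4.29"
            if "/" in token:
                product, version = token.split("/", 1)
                techs[product] = version
    cookie_name = h.get("set-cookie", "").split("=", 1)[0]
    if cookie_name in COOKIE_HINTS:
        techs.setdefault(COOKIE_HINTS[cookie_name], "version not disclosed")
    return techs

WORDLIST = ["admin/", "api/v1/", "backup/", "login/"]   # short illustrative list (assumption)

def enumerate_paths(fetch: Fetcher, wordlist: List[str]) -> Dict[str, int]:
    """Probe for undisclosed surface; anything that is not a 404 (302 to a login, 401, 403) is of interest."""
    found: Dict[str, int] = {}
    for word in wordlist:
        status, _ = fetch(f"{BASE}/{word}")
        if status != 404:
            found["/" + word] = status
    return found

# ---- Step 2: testing (one small slice of OWASP Top 10 A05: Security Misconfiguration) ---
@dataclass
class Finding:
    title: str
    severity: str
    evidence: str
    remediation: str

def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Flag version disclosure, missing anti-clickjacking protection and missing HSTS."""
    h = _lower(headers)
    findings: List[Finding] = []
    for name in ("server", "x-powered-by"):
        if any(c.isdigit() for c in h.get(name, "")):
            findings.append(Finding(f"Version disclosure in {name} header", "Low",
                                    f"{name}: {h[name]}",
                                    "Remove the version string (e.g. Apache 'ServerTokens Prod', "
                                    "PHP 'expose_php = Off')"))
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append(Finding("Clickjacking: framing not restricted", "Medium",
                                "No X-Frame-Options and no CSP frame-ancestors directive",
                                "Send \"Content-Security-Policy: frame-ancestors 'none'\" "
                                "(and \"X-Frame-Options: DENY\" for older browsers)"))
    if "strict-transport-security" not in h:
        findings.append(Finding("Missing HSTS", "Low", "No Strict-Transport-Security header",
                                "Send \"Strict-Transport-Security: max-age=31536000; includeSubDomains\""))
    return findings

# ---- Step 3: reporting -------------------------------------------------------------
def run_assessment(fetch: Fetcher) -> dict:
    """Collate recon and test output into one report structure with an action per finding."""
    _, headers = fetch(BASE + "/")
    return {"technologies": fingerprint(headers),
            "discovered_paths": enumerate_paths(fetch, WORDLIST),
            "findings": check_headers(headers)}

if __name__ == "__main__":
    report = run_assessment(fake_fetch)
    print("Technologies:", report["technologies"])
    print("Discovered paths:", report["discovered_paths"])
    for f in report["findings"]:
        print(f"[{f.severity}] {f.title}\n  evidence: {f.evidence}\n  fix: {f.remediation}")
```

Against the constructed responses the recon step recovers Apache 2.4.29 and PHP 7.2.24 (the PHPSESSID cookie corroborates PHP), the path probe surfaces `/admin/` (redirecting to a login) and `/api/v1/` (requiring a bearer token), and the header checks yield four findings, each with a concrete remediation. A real engagement covers far more than these header checks, but the structure (evidence plus one action per finding) is what the report step above asks for.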
"98% of organisations have reported attacks on their web and mobile applications." – VaaData 2021 Statistics
Qualified Security Experts
Our penetration testers are independently qualified by the industry-recognised body CREST.