A web application assessment will test for many security issues which are commonly found in websites. A web application assessment focuses the entire test on the web application(s) that are being tested, rather than an all-inclusive test of running services that an external penetration test or internal penetration test would provide.

FortyNorth Security will assess your organization’s web application from different perspectives:

What can an unauthenticated attacker access and manipulate?

What can an attacker with normal user permissions access and manipulate?

If an attacker were to obtain administrative permissions on your web application, what can be performed?

FortyNorth Security will conduct the web application assessment following the same steps that an attacker would perform. A sample set of these steps include:

Understand the business purpose of the web application

Why does it exist?

What problem does it solve?

How does it make your business practices easier, or more efficient?

Identifying all pages associated with your web application and mapping links/relationships between the pages

Identify input fields within the targeted web application and test for the application to properly handle malicious input attacks such as SQL injection or cross-site scripting

FortyNorth Security will review the business logic associated with the web application and identify attacks that bypass critical steps

Test for improperly managed web application sessions

All testing can be tied to the OWASP Top 10 project to ensure breadth of testing for your web application. FortyNorth Security will use both internally developed and commercially purchased software to assist in performing the web application assessment.

The web application assessment is designed for customers who wish to test the security of a web application prior to use by internal employees or your customers. The web application test should also be used to identify vulnerabilities or misconfigurations within web applications which are currently in use.