Web Application Testing
Web applications are increasingly the front-line interface, both between you and your customers and within your organisation. Integralis Web Application Testing services build on our Penetration Testing services to give you a comprehensive view of your vulnerabilities and risk.
Our web application security experts employ a combination of automated tests using the latest tools and technology and manual testing and examination. We include a detailed analysis of any custom website application logic so that we gain a thorough understanding of your web application risks.
The Integralis Web Application Testing service uses a number of ‘Black-Box’ (i.e. no knowledge of internal application mechanisms) procedures in order to try to identify potential weaknesses in web applications – as viewed from a web browser interface. The service typically covers the following aspects:
- HTTP request/responses
- HTTP methods supported
- HTTP authentication methods
- HTTP session management: cookies, session IDs, ViewState decoding
- Manipulation and analysis of data stored in Cookies
- URL encoding to bypass IDS/IPS logic
- Input via forms, field validation
- FORM content, query strings, field buffer overflow issues
- Information leakage
- Exception condition handling
- Data handling
- robots.txt content analysis
- SQL injection
- HTTP login brute forcing
- User spoofing or manipulation of user credentials
- Cross-Site Request Forgery vulnerabilities
- Cross-Site Scripting vulnerabilities
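Several of the checks above (supported methods, cookie handling, information leakage) can be applied directly to captured HTTP responses before any manual testing starts. The script below is an added example, not Integralis code or tooling: it parses a raw HTTP/1.x response, flags Set-Cookie headers that lack the Secure, HttpOnly or SameSite attributes, flags risky methods advertised in an Allow header (as returned to an OPTIONS request), and flags headers that disclose software versions. The two responses embedded in it are constructed for illustration; the server and framework names and version strings are invented.

```python
"""Black-box checks over captured HTTP responses.

Added example, not Integralis code. The responses below are constructed
for illustration; the product names and versions in them are invented.
"""
import re

RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
WANTED_COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, [(name, value), ...]).

    Header order and duplicates are preserved because Set-Cookie may repeat.
    Header names are lower-cased; values keep their original case.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def check_cookies(headers):
    """Flag each Set-Cookie header that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names only; "SameSite=Lax" counts as the samesite flag.
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in WANTED_COOKIE_FLAGS:
            if flag not in flags:
                findings.append(f"cookie {cookie_name}: missing {flag}")
    return findings


def check_methods(headers):
    """Flag dangerous methods advertised in an Allow header (OPTIONS reply)."""
    findings = []
    for name, value in headers:
        if name != "allow":
            continue
        for method in value.split(","):
            method = method.strip().upper()
            if method in RISKY_METHODS:
                findings.append(f"method {method} advertised in Allow")
    return findings


def check_leakage(headers):
    """Flag banner headers that carry a version number."""
    findings = []
    for name, value in headers:
        if name in LEAKY_HEADERS and re.search(r"\d", value):
            findings.append(f"header {name} discloses version: {value}")
    return findings


def audit(raw: str):
    """Run all checks over one raw response; returns status and findings."""
    status, headers = parse_response(raw)
    findings = check_cookies(headers) + check_methods(headers) + check_leakage(headers)
    return {"status": status, "findings": findings}


# Constructed sample: reply to an OPTIONS request on a hypothetical host.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/1.2.3\r\n"
    "X-Powered-By: ExampleFramework/4.5\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE,PUT\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: redirect after a successful login, setting two cookies.
LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=1A2B3C; Path=/\r\n"
    "Set-Cookie: remember=1; Path=/; Secure; HttpOnly\r\n"
    "Location: /account\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("OPTIONS", OPTIONS_RESPONSE), ("login", LOGIN_RESPONSE)):
        result = audit(raw)
        print(f"{label}: HTTP {result['status']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding is a lead for manual follow-up, not a confirmed vulnerability: an advertised TRACE or PUT still has to be exercised to see whether the server honours it, and a session cookie without HttpOnly only matters once a script-injection point is found.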
Authenticated testing can be used to identify authorisation issues that could result in privilege escalation: a user increasing their own privileges (vertical escalation) or gaining access to other users' information at the same privilege level (horizontal escalation).
The output of each project is a formal report.