The security of the data in your web application is extremely important to you. How well protected are you at the moment? If you want to know exactly that, NFIR's custom services can test the security of your web application against the OWASP WSTG standard.
The following environments can be included in a web application pen test: all types of web applications, as well as APIs.
What attack scenarios are possible for web application pen testing?
The most common scenario for a web application pen test combines the Black Box and Grey Box attack perspectives. However, NFIR's preference is for a White Box attack perspective. Because the pen tester has more complete information from this perspective, the work is more efficient and greater coverage of the web application's logic is achieved during the pen test. During an intake your wishes are mapped out in order to choose a suitable scenario.
Black Box of the web application
Starting with minimal information, the pen tester builds a picture of the vulnerabilities in the web application. Open source research (OSINT) is used to collect as much information as possible in order to discover vulnerabilities.
Grey Box of the web application
This scenario simulates what a malicious hacker might do after gaining access to an account on the web application. Different accounts with different roles within the web application are examined. Which vulnerabilities are present, and is it possible to escalate privileges to administrator rights?
White box of the web application
In this attack perspective, the pen tester has not only information about the operation of the web application and login credentials, but also the source code of the web application. This allows for more efficient pen testing, as well as checking for vulnerabilities in the software dependencies used.
NFIR uses the Web Security Testing Guide (WSTG) for pen testing web applications. This standard ensures that the pen test is carried out completely and according to the correct standards. In addition, the most recent versions of the OWASP Top 10 are used for both web applications and APIs. We find it important to be as transparent as possible about the execution of the pen test. For this reason, we add a checklist for the relevant pen testing standards to the report. This allows you to see which checks have been carried out, which could not be carried out and which, if any, were not applicable.
Sample report web application pen testing
A sample report (NL/EN) of an internal black box pen test is available. In this report, a pen test was performed on a fictitious environment, and the vulnerabilities found were documented.
Which systems can you have tested by NFIR's experts?
Our ethical hackers check the technical resilience of (web) applications, websites, IT and OT infrastructures, API links and mobile apps. If you have a different environment that you would like to have tested, we will be happy to discuss it with you.