contact us

+44 (0)845 52 000 85

excellence as standard

Web Application Testing Methodology

Nettitude’s Web Application Testing methodology is consistent with the testing methodology for Infrastructure based IT Penetration Tests.In addition, there are further elements conducted as part of the mapping, service identification, vulnerability assessment and exploitation phases.

Nettitude uses a blended approach of Open Source, Custom scripts and Commercial tools to conduct Web Application Testing.As part of a web application test, Nettitude will assess the following:

Application Re-Engineering

Nettitude conducts the following discrete tests for Web Application Assessments.

  • Decompose or deconstruct the binary codes, if accessible.
  • Determines the protocol specification of the server/client application.
  • Guess program logic from the error/debug messages in the application outputs and program behaviours/performance.

Authentication Assessment

  • Find possible brute force password guessing access points in the applications.
  • Find a valid login credentials with password grinding, if possible.
  • Bypass authentication system with spoofed tokens.
  • Bypass authentication system with replay authentication information.
  • Determine the application logic to maintain the authentication sessions -number of (consecutive) failure logins allowed, login timeout, etc.
  • Determine the limitations of access control in the applications - access permissions, login session duration, idle duration.

Session Management

  • Determine the session management information - number of concurrent sessions, IP-based authentication, role-based authentication, identity-based authentication, cookie usage, session ID in URL encoding string, session ID in hidden HTML field variables, etc.
  • Guess the session ID sequence and format.
  • Determine the session ID is maintained with IP address information; check if the same session information can be retried and reused in another machine.
  • Determine the session management limitations - bandwidth usages, file download/upload limitations, transaction limitations, etc.
  • Gather excessive information with direct URL, direct instruction, action sequence jumping and/or pages skipping.
  • Gather sensitive information with Man-In-the-Middle attacks.
  • Inject excess/bogus information with Session-Hijacking techniques.
  • Replay gathered information to fool the applications.

Input Manipulation

  • Find the limitations of the defined variables and protocol payload - data length, data type, construct format, etc.
  • Use exceptionally long character-strings to find buffer overflows vulnerability in the applications.
  • Concatenate commands in the input strings of the applications.
  • Inject SQL language in the input strings of database-tired web applications.
  • Examine "Cross-Site Scripting" in the web applications of the system.
  • Examine unauthorized directory/file access with path/directory traversal in the input strings of the applications.
  • Use specific URL-encoded strings and/or Unicode-encoded strings to bypass input validation mechanisms of the applications.
  • Execute remote commands through "Server Side Include".
  • Manipulate the session/persistent cookies to fool or modify the logic in the server-side web applications.
  • Manipulate the (hidden) field variable in the HTML forms to fool or modify the logic in the serverside web applications.
  • Manipulate the "Referer", "Host", etc. HTTP Protocol variables to fool or modify the logic in the serverside web applications.
  • Use illogical/illegal input to test the application error-handling routines and to find useful debug/error messages from the applications.

Output Manipulation

  • Retrieve valuable information stored in the cookies.
  • Retrieve valuable information from the client application cache.
  • Retrieve valuable information stored in the serialized objects.
  • Retrieve valuable information stored in the temporary files and objects.

Information Leakage

  • Find useful information in hidden field variables of the HTML forms and comments in the HTML documents.
  • Examine the information contained in the application banners, usage instructions, welcome messages, farewell messages, application help messages, debug/error messages, etc.

Authentication Assessment

Nettitude’s testing ensures that common best practice guidance and methodologies are covered including all components listed in the OWASP Top 10

Code Review

Nettitude can also undertake Web Application Code review exercises as part of their Security Testing Services. This involves running the code through a series of Security Tools, as well as working with a client’s application developers to identify logic based security flaws.

To find out how Nettitude can help you test your Web Applications for security vulnerabilities and exposures, please complete our contact form and a security consultant will respond to your enquiry.