Web and API Pentest
Interactive web applications are part of digital business models and have extensive rights in the infrastructure. Therefore, a check of the attack vectors is essential for your company.

What is Web and API Penetration Testing?

A web pentest, as the name suggests, is a penetration test that focuses solely on a web or API application rather than on a network or the enterprise as a whole. The underlying concept and objectives, detecting security weaknesses and strengthening defense mechanisms, are identical.

Our services offer complete protection against real threats. We check your front-end as well as back-end with all common database systems and the corresponding interfaces (API). Advanced knowledge in the area of operating systems and web servers enables us to uncover deep-seated vulnerabilities.

A data processing website needs special attention!

The web pentest is planned, executed and evaluated by our specially trained security engineers.

We protect your data from loss and check that your defense mechanisms meet the applicable requirements.
  • Compliance with industry security standards, with a certificate for the customer
  • Comprehensive recommendations for eliminating the weaknesses
  • One-time verification free of charge
  • Our own, continuously updated scanner software in addition to the usual commercial tools
  • Extensive research ensures that even newly disclosed vulnerabilities can be identified.
We carry out security analyses based on recognised standards and guidelines.
  • We audit web applications using the OWASP Testing Guide. Our tools and procedures are able to identify the OWASP Top 10 vulnerability categories in the best possible way.
  • Our processes are adapted to the practical guidelines for pentests of the Federal Office for Information Security (BSI).
  • We have developed a comprehensive final report that provides an optimal insight into our work and its results. Pentests are conducted and evaluated according to the OWASP Testing Guide. Alignment with OSSTMM and PCI DSS is also possible upon request.

Pen Test Modules for a high level of IT Security

In general, the longer our security engineers examine your web applications or API, the more meaningful the results will be. If you have special requirements, we will be happy to make you an individual offer.

  • INFORMATION PROCUREMENT

    There are direct and indirect methods of search engine discovery and reconnaissance. Direct methods refer to searching the indexes and the corresponding content from the cache. Indirect methods refer to the collection of sensitive design and configuration information by searching forums, newsgroups, and website advertisements.

  • CONFIGURATION MANAGEMENT

    The intrinsic complexity of the networked and heterogeneous web server infrastructure, which can include multiple web applications, makes configuration management and review a fundamental step in testing and deploying each application. A single vulnerability is enough to compromise the security of the entire infrastructure.

  • SESSION MANAGEMENT

    One of the core components of any web-based application is the mechanism that controls and maintains state for a user interacting with it. This is called session management and is defined as the set of all controls that govern the stateful interaction between a user and the application.

  • ERROR HANDLING

    During a pentest of web applications we often encounter many error messages generated by applications or web servers. These error messages are very useful for attackers because they contain a lot of information about databases, errors, and other technological components that are directly connected to web applications.

  • IDENTITY MANAGEMENT

    In modern applications, it is common practice to define system roles to manage users and authorizations for system resources. Administrators represent a role that provides access to privileged and sensitive functions and information, while normal users represent a role that provides access to regular business functions and information.

  • AUTHENTICATION

    Testing the transport of the credentials means checking whether the data is transmitted from the browser to the server unencrypted or whether the web application uses the appropriate security measures with a protocol such as HTTPS. The HTTPS protocol is based on TLS/SSL to encrypt the transferred data.

  • AUTHORIZATIONS

    Many web applications use and manage data as part of their daily operations. With input validation methods that are not well designed or used, an attacker could exploit the system to read or write data that should not be accessible. In special situations, it may be possible to execute arbitrary system commands.

  • INPUT VALIDATION

    The most common vulnerabilities in web applications occur when user input is not properly validated. This weakness leads to almost all major vulnerabilities in web applications, such as cross-site scripting, SQL injection, interpreter injection, locale and Unicode attacks, file system attacks, and buffer overflows.

  • CRYPTOGRAPHY

    Sensitive data must be protected during transmission over the network. This data may include user data. Even though today's standard encryption is generally strong, a misconfiguration can force weak encryption that allows an attacker to read sensitive data.

  • BUSINESS LOGIC

    Testing for errors in business logic often requires unconventional methods. Suppose an application's authentication mechanism requires steps 1, 2 and 3 to be performed in exactly that order to authenticate a user. What happens if the user jumps from step 1 directly to step 3?

  • CLIENT-SIDE VULNERABILITIES

    Client-side testing deals with the execution of code on the client, typically natively in a web browser or browser plug-in. This differs from server-side execution, where the server runs the code and returns the resulting content. It involves testing for all common types of cross-site scripting.

  • APIs

    Modern applications use an API to call micro services, perform actions or monitor user behavior. The design or structure of the API is often made publicly available to users. This structure allows the attacker to understand the API and use the information for further attacks.

  • PATCH MANAGEMENT

    The term patch management describes the strategic control of the deployment of system updates, which close security gaps in software applications that are only discovered after release. Outdated software packages or frameworks from external sources should always be kept up to date.
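The input validation and error handling modules above describe two findings that a web pentest reports together: a query built from unvalidated input, and an error page that echoes the database engine's message back to the client. The following is an added example, not code from this page or from the service provider it describes. It is a tiny user lookup backed by an in-memory SQLite database; the sample users, the username allowlist rule and the handler shapes are constructed assumptions. It shows the injection-prone lookup beside its parameterised form, and a handler that discloses the raw exception beside one that validates first, binds parameters, and logs the detail server-side under a correlation id.

```python
"""Input validation and error handling, side by side.

Added example (not code from this page or from the service provider it
describes): a tiny user lookup backed by an in-memory SQLite database. The
sample users and the username allowlist rule are constructed assumptions.
"""
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("app")

# Assumed allowlist: usernames are 1-32 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern: the input is pasted into the SQL text, so quote characters
    in it change the query's structure instead of being treated as data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value is bound separately from the SQL, so the
    database never interprets it as query syntax."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def handle_verbose(conn: sqlite3.Connection, name: str) -> dict:
    """Anti-pattern: the raw database exception is returned to the client,
    disclosing SQL fragments and engine details to anyone who triggers it."""
    try:
        return {"status": 200, "body": lookup_vulnerable(conn, name)}
    except sqlite3.Error as exc:
        return {"status": 500, "body": str(exc)}


def handle_hardened(conn: sqlite3.Connection, name: str) -> dict:
    """Validate first, query with bound parameters, and on failure log the
    detail server-side under a correlation id that is all the client sees."""
    if not USERNAME_RE.match(name):
        return {"status": 400, "body": "invalid username"}
    try:
        return {"status": 200, "body": lookup_hardened(conn, name)}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s user lookup failed: %s", ref, exc)
        return {"status": 500, "body": f"internal error (ref {ref})"}


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"          # textbook input that breaks out of the quotes
    print("vulnerable:", lookup_vulnerable(db, tainted))   # returns every row
    print("hardened:  ", lookup_hardened(db, tainted))     # returns nothing
    print("verbose error:", handle_verbose(db, "'"))       # leaks the SQL error text
    print("generic error:", handle_hardened(db, "'"))      # rejected by validation
```

The two layers are deliberately independent: the allowlist rejects malformed input early, and the bound parameter makes the query safe even for input the allowlist lets through, so removing either one still leaves the other intact. The correlation id lets support staff find the full exception in the server log without any of it reaching the HTTP response.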

Final Report of the IT Security Audit

We have developed a comprehensive reporting format that provides optimal insight into our work and its results. Pentests are conducted and evaluated according to the OWASP Mobile Security Testing Guide.

  • Our report is prepared according to recognized standards and includes a management summary, a technical summary and recommendations for action. The evaluation of the findings is based on the CVSS 3.0 standard.
  • Our detailed reporting format not only shows which vulnerabilities were identified during the pentest, but also which attack vectors were checked. Thus, you can optimally understand our work.
  • The final report is individually prepared and delivered both as a classic PDF document and in a special HTML format. In the dynamic HTML format, content and vulnerability findings can be filtered, sorted and exported to other formats.
  • In a joint final meeting, we discuss the details of the report with you and, if necessary, support you in eliminating the identified weaknesses.

Web Penetration Test Procedure

Our pentests follow an agile process and are carried out in close consultation with the customer.

Kick-off

The preparation of the pentest takes place in the context of a kick-off meeting with the technical and organizational responsible persons of your company. The framework conditions to be tested are specified, necessary user accounts and access routes are agreed, contact persons and escalation routes are defined and the pentest is discussed in detail together.

Manual & Automated Research

Our security engineers try to collect as much information as possible. Based on this information, analysis strategies are developed to identify possible attack vectors. These attack vectors are then examined for weak points in extensive tests.

Manual Exploitation

Here we try to exploit the identified vulnerabilities in order to gain access to the target systems, using new or existing exploits written by our pentesters, depending on the respective service or technical environment. Potential vulnerabilities can turn out to be false positives. Only verified vulnerabilities are included in the final report, classified according to their criticality in accordance with CVSS 3.0.

Report

We have developed a comprehensive reporting format that provides optimal insight into our work and its results. It consists of a business risk analysis, management summary and a comprehensive test and vulnerability description. The criticality of the weaknesses and recommendations for action are described in detail.

Remediation (Optional)

Once the analysis is complete, you will be able to fix the identified vulnerabilities, and our analysis will provide you with detailed recommendations about the respective vulnerability. If required, our security engineers can provide extensive support for the elimination.

Free Verification (Optional)

We are happy to re-examine the security weaknesses to ensure that the defense mechanisms have been implemented correctly. It is important to us that our recommendations are implemented, so this process activity is always free of charge.

Final Meeting & Certification (Optional)

In the final meeting, all critical points in the results report are discussed and all questions are clarified. Finally, we will be pleased to present you with a certificate as proof for your customers.

Curious? Convinced? Interested?

Arrange a non-binding initial meeting with one of our sales representatives. Use the following link to select an appointment:

Alternatively, you can write us a message. Request a sample report or our service portfolio today. We will be happy to advise you!
