Penetration Testing

Application penetration Testing is when we break applications to make them stronger.

Application penetration testing is a process designed to identify application level vulnerabilities.  It is done using unauthenticated and authenticated users.  Typically, the testing team will require access to accounts with each level of privilege supported by the application.

The process starts with reconnaissance about the application, pages, types of requests, data, and users.  The test goes one step deeper with tools that “fuzz” forms within the application. This practice sends requests that attempt XSS, SQL Injection, CSRF, and other types of vulnerabilities.  Subsequent steps involve capturing requests and replaying them with manually altered data to check for things like Broken Access Control, SQL Injection, XSS, Session Management and other items that can’t be confirmed in an automated scan.

An application penetration test includes tool-based spidering, scanning and fuzzing.  We use the commercial tool Burp together with open source tools such as ZAP, sqlmap, and others to generate and mutate potentially malicious traffic.  It also includes extensive manual analysis which is characterized by capturing and replaying requests and attempting intrusion using an attack proxy such as Burp.  By interacting with the application in ways similar to real users, we attempt to identify deficiencies that map to the OWASP Top 10, the SANS Top 25 and a custom checklist developed over our 10+ years in the industry.

How The Process Works

The general process when conducting penetration tests is as follows:

Deliverables

The core deliverable is a PDF report containing findings from the penetration test, including details about the issues identified and remediation recommendations.

Jemurai will also perform a “readout” call to explain any findings or answer questions and provide weekly status updates during the testing if applicable.