
What does our application pen test cover?

Testing methodology compared across Outpost24 Assure, Snapshot and SWAT


Cells marked "icon" carry the fulfilled/not-fulfilled icon (see Legend); other cells carry the text shown.

WASC v2 | ASSURE | SNAPSHOT | SWAT
Abuse of Functionality | icon | icon | icon
Brute Force | icon | When safe | When safe
Buffer Overflow | icon | Supported but not safe | Supported but not safe
Content Spoofing | icon | icon | icon
Credential/Session Prediction | icon | icon | icon
Cross-Site Scripting | icon | icon | icon
Cross-Site Request Forgery | icon | icon | icon
Denial of Service | icon | Safe checks | Safe checks
Fingerprinting | icon | icon | icon
Format String | icon | icon | icon
HTTP Response Smuggling | icon | icon | icon
HTTP Response Splitting | icon | icon | icon
HTTP Request Smuggling | icon | icon | icon
HTTP Request Splitting | icon | icon | icon
Integer Overflow | icon | Supported but not safe | Supported but not safe
LDAP Injection | icon | icon | icon
Mail Command Injection | icon | icon | icon
Null Byte Injection | icon | icon | icon
OS Commanding | icon | icon | icon
Path Traversal | icon | icon | icon
Predictable Resource Location | Time | icon | icon
Remote File Inclusion | icon | icon | icon
Routing Detour | icon | icon | icon
Session Fixation | icon | icon | icon
SOAP Array Abuse | icon | icon | icon
Server Side Include Injection | icon | icon | icon
URL Redirector Abuse | icon | icon | icon
XPath Injection | icon | icon | icon
XML Attribute Blowup | icon | icon | icon
XML External Entities | icon | icon | icon
XML Entity Expansion | icon | icon | icon
XML Injection | icon | icon | icon
XQuery Injection | icon | icon | icon
Application Misconfiguration | icon | icon | icon
Directory Indexing | icon | icon | icon
Improper File-system Permissions | icon | icon | icon
Improper Input Handling | icon | icon | icon
Improper Output Handling | icon | icon | icon
Information Leakage | icon | icon | icon
Insecure Indexing | icon | icon | icon
Insufficient Anti-Automation | icon | icon | icon
Insufficient Authentication | icon | icon | icon
Insufficient Authorization | icon | icon | icon
Insufficient Password Recovery | icon | icon | icon
Insufficient Process Validation | icon | icon | icon
Insufficient Session Expiration | icon | icon | icon
Insufficient Transport Layer Protection | icon | icon | icon
Server Misconfiguration | icon | icon | icon
Business Logic Flaws | icon | icon | icon
Framework Vulnerability | icon | icon | icon

WASC v2 is the Threat Classification version 2, a list of standardized vulnerability classes published by the Web Application Security Consortium (http://projects.webappsec.org/w/page/13246978/Threat%20Classification).


OWASP Top 10 2013 | ASSURE | SNAPSHOT | SWAT
A1-Injection | icon | icon | icon
A2-Broken Authentication and Session Management | icon | icon | icon
A3-Cross-Site Scripting (XSS) | icon | icon | icon
A4-Insecure Direct Object References | icon | icon | icon
A5-Security Misconfiguration | icon | icon | icon
A6-Sensitive Data Exposure | icon | icon | icon
A7-Missing Function Level Access Control | Time | icon | icon
A8-Cross-Site Request Forgery (CSRF) | Time | icon | icon
A9-Using Components with Known Vulnerabilities | icon | icon | icon
A10-Unvalidated Redirects and Forwards* | icon | icon | icon

* server access required

The OWASP (Open Web Application Security Project) Top 10 lists the most commonly found and reported vulnerability categories in current web applications. Each entry is a family of related findings, so an offering marketed as "OWASP complete" may in practice cover only a subset of each family.

Outpost24 tests against the OWASP Top 10 2017 as well as the 2013 edition where relevant.


Common Vulnerabilities | ASSURE | SNAPSHOT | SWAT
Cross Site Scripting – Reflected | icon | icon | icon
Cross Site Scripting – Persistent | icon | icon | icon
Cross Site Scripting – DOM-based | icon | icon | icon
HTTP Header Injection | icon | icon | icon
SQL Injection – Error based | icon | icon | icon
SQL Injection – Differential based | icon | icon | icon
SQL Injection – Time based | icon | icon | icon
Application logic tested | Time | icon | icon
Password lockout tested | icon | icon | icon
Session randomness tested | Time | icon | icon
Horizontal escalation testing | Time | icon | icon
Vertical escalation testing | Time | icon | icon
Insecure Direct Object Reference | Time | icon | icon
Web server vulnerabilities | icon | icon | icon
Local File Inclusion | icon | icon | icon
Remote File Inclusion | icon | icon | icon
Use of weak encryption | icon | icon | icon
Use of weak standard modules | icon | icon | icon

Common vulnerabilities is a selection of threats as security specialists discuss them in writing and in practice, together with the methods used to address them and those methods' limitations. Tools are assessed on their ability to maintain good coverage: a tool may ship a single, narrowly applicable test in order to tick a box for a vulnerability class, which should not be confused with genuinely supporting the whole family of vulnerabilities.


Monitoring and coverage | ASSURE | SNAPSHOT | SWAT
Zero-touch configuration | icon | icon | icon
Maximum links | Time | Unlimited | Unlimited
Continuous detection | icon | icon | icon
Test newly deployed content | icon | Remediation only | icon
Detect changed credentials | icon | icon | icon
Time available for a test | 3 days | 30 days | Continuous
Smart form testing | icon | icon | icon

Monitoring and coverage covers the effort required to get a security review performed against an application, the solution's ability to detect changes to that application over time, and its support for learning to understand and work with a dynamic application. A penetration test, while deep in coverage, is very limited in its ability to support the organization with remediation or with maintaining security levels over time.


Verification and guidance | ASSURE | SNAPSHOT | SWAT
False positives removed | icon | icon | icon
Proof of exploitability provided | icon | icon | icon
Vulnerability rating put in context | icon | icon | icon
Context-aware CVSS scoring | icon | icon | icon
Unlimited re-testing and verification | 30 days | 30 days | icon
Ask experts for advice on remediation | 30 days | 30 days | icon
Smart vulnerability grouping | icon | icon | icon

Verification and guidance relates to how much effort, and what degree of expert competence, an organization needs to maintain internally to use and benefit from a solution over time. Web application security is a niche competence that is often expensive to build and keep sharp within an organization.
Vulnerability grouping matters because it supports root cause analysis: without it, a single underlying defect shows up as many separate findings and generates a high workload to address what is in essence one problem.


Production safety | ASSURE | SNAPSHOT | SWAT
Production-safe testing | Medium | High | High
Low traffic and database intensity | Medium | Medium | Low
Submits forms only when safe | icon | icon | icon
Prevents dangerous link use | icon | icon | icon

Production safety relates to the risk that a scanner or test affects the target application. A penetration test is often not production safe either, but it can be made so on specific request, and it has been rated here on the assumption that the client treats this as a key priority.
Production safety is essential for business-critical applications, customer-facing applications, and any application where data integrity matters.


Support | ASSURE | SNAPSHOT | SWAT
Onboarding call | icon | icon | icon
Vulnerability discussions | icon | icon | icon
Verification and remediation support | icon | icon | icon
Professional support directly in tools | icon | icon | icon
Access to security specialists | 30 days | 30 days | Unlimited

Support is important to ensure that you get full value from a solution and can work quickly to resolve both findings and technical problems.
Most products come with limited support, mainly focused on pure tool support such as license questions and usage. Penetration testing usually carries excellent support during the test itself, but comes without long-term commitment from the partner, as it is a one-off engagement where the business transaction and the relationship end with delivery of the report.
Some penetration testers offer a re-test to verify that problems have been resolved, but that too is a one-off: ongoing verification as you remediate is not available, and if a problem turns out not to be fixed, obtaining a further verification later can be a challenge.


Legend

Fulfilled: icon
Partially fulfilled: /
Not fulfilled: icon

(In the page markup the fulfilled and not-fulfilled icons share the same alt text, "check service description", so a cell marked "icon" in the tables above can be either; only the icon image itself distinguishes them.)
