What does our application pen test cover?
Testing methodology between Outpost24 Assure, Snapshot & SWAT, our web application testing solutions
| WASC v2 | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
|
Abuse of Functionality |
 |
 |
|
|
Brute Force |
|
When safe |
When safe |
|
Buffer Overflow |
|
Supported but not safe |
Supported but not safe |
|
Content Spoofing |
|
|
|
|
Credential / Session prediction |
|
|
|
|
Cross-Site Scripting |
|
|
|
|
Cross-Site Request Forgery |
|
|
|
|
Denial of Service |
|
Safe checks |
Safe checks |
|
FingerPrinting |
|
|
|
|
Format String |
|
|
|
|
HTTP Response Smuggling |
|
|
|
|
HTTP Response Splitting |
|
|
|
|
HTTP Request Smuggling |
|
|
|
|
HTTP Request Splitting |
|
|
|
|
Integer Overflow |
|
Supported but not safe |
Supported but not safe |
|
LDAP Injection |
|
|
|
|
Mail Command Injection |
|
|
|
|
Null Byte Injection |
|
|
|
|
OS Commanding |
|
|
|
|
Path Traversal |
|
|
|
|
Predictable Resource Location |
Time |
|
|
|
Remote File Inclusion |
|
|
|
|
Routing Detour |
|
|
|
|
Session Fixation |
|
|
|
|
SOAP Array Abuse |
|
|
|
|
Server Side Include Injection |
|
|
|
|
URL Redirector Abuse |
|
|
|
|
XPath Injection |
|
|
|
|
XML Attribute Blowup |
|
|
|
|
XML External Entities |
|
|
|
|
XML Entity Expansion |
|
|
|
|
XML Injection |
|
|
|
|
XQuery Injection |
|
|
|
|
Application Misconfiguration |
|
|
|
|
Directory Indexing |
|
|
|
|
Improper File-system Permissions |
|
|
|
|
Improper Input Handling |
|
|
|
|
Improper Output Handing |
|
|
|
|
Information Leakage |
|
|
|
|
Insecure Indexing |
|
|
|
|
Insufficient Anti-Automation |
|
|
|
|
Insufficient Authentication |
|
|
|
|
Insufficient Authorization |
|
|
|
|
Insufficient Password Recovery |
|
|
|
|
Insufficient Process Validation |
|
|
|
|
Insufficient Session Expiration |
|
|
|
|
Insufficient Transport Layer Protection |
|
|
|
|
Server Misconfiguration |
|
|
|
|
Business Logic Flaws |
|
|
|
|
Framework Vulnerability |
|
|
|
WASC v2 is a list of standardized vulnerability classifications from The Web Application Security Consortium (http://projects.webappsec.org/w/page/13246978/Threat%20Classification)
| OWASP TOP 10 2013 | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
|
A1-Injection |
|
|
|
|
A2-Broken Authentication and Session Management |
|
|
|
|
A3-Cross-Site Scripting (XSS) |
|
|
|
|
A4-Insecure Direct Object References |
|
|
|
|
A5-Security Misconfiguration |
|
|
|
|
A6-Sensitive Data Exposure |
|
|
|
|
A7-Missing Function Level Access Control |
Time |
|
|
|
A8-Cross-Site Request Forgery (CSRF) |
Time |
|
|
|
A9-Using Components with Known Vulnerabilities |
|
|
|
|
A10-Unvalidated Redirects and Forwards* |
|
|
|
OWASP (Open Web Application Security Project) TOP 10 is a collection of the most commonly found and reported vulnerabilities in current web applications. It uses groupings of findings into families, and hence it is common that “OWASP COMPLETE” offerings address only subsets of the different threat families.
Outpost24 test OWASP top 10 2017 as well as 2013 where relevant.
| Common Vulnerabilities | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
|
Cross Site Scripting – Reflected |
|
|
|
|
Cross Site Scripting – Persistent |
|
|
|
|
Cross Site Scripting – DOM-based |
|
|
|
|
HTTP Header Injection |
|
|
|
|
SQL Injection – Error based |
|
|
|
|
SQL Injection – Differentials based |
|
|
|
|
SQL Injection – Time Based |
|
|
|
|
Application Logic tested |
Time |
|
|
|
Password lockout tested |
|
|
|
|
Session randomness tested |
Time | |
|
|
Horizontal escalation testing |
Time | |
|
|
Vertical escalation testing |
Time | |
|
|
Insecure Direct Object Reference |
Time | |
|
|
Web Server vulnerabilities |
|
|
|
|
Local File Inclusion |
|
|
|
|
Remote File Inclusion |
|
|
|
|
Use of weak encryption |
|
|
|
|
Use of weak standard modules |
|
|
|
Common vulnerabilities is a selection of common threats as they are mentioned in writing and in practice between security specialists, and the different methods of addressing them and those methods limitations. Tools are viewed from their ability to maintain a good coverage, there may exist singular tests with low applicability, to manage to achieve a checkbox for applications, which should not be confused with actually supporting a family of vulnerabilities.
| Monitoring and coverage | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
|
Zero Touch Configuration |
|
|
|
|
Maximum links |
Time | Unlimited | Unlimited |
|
Continuous detection |
|
|
|
|
Test new deployed content |
|
Remediation only | |
|
Detect changed credentials |
|
|
|
|
Time available for a test |
3 days | 30 days | Continuous |
|
Smart form testing |
|
|
|
Monitoring and coverage is the effort required to get a security review performed against an application, its ability to detect change to that application over time, and its support for learning to understand and work with a dynamic application. It is clear that the penetration test while in depth on coverage is very limited in its ability to support the organization with remediation or maintained security levels over time.
| Verification and guidance | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
|
False positives removed |
|
|
|
|
Proof of exploitability provided |
|
|
|
|
Vulnerability rating put in context |
|
|
|
|
Context Aware CVSS scoring |
|
|
|
|
Unlimited re-testing and verifications |
30 days | 30 days | |
|
Ask experts for advice on remediation |
30 days | 30 days | |
|
Smart vulnerability grouping |
|
|
|
Verification and guidance relates to how much effort and what degree of expert competence an organization need to maintain internally to be able to use and benefit from a solution over time. Web application security is a niche competence, and often is expensive to maintain and hone within an organization.
Vulnerability grouping is important to ensure that root cause analysis is performed to avoid high workload to address what in essence is a single root problem.
| Production safety | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
|
Production safe testing |
Medium | High | High |
|
Low traffic and database intensity |
Medium | Medium | Low |
|
Submits forms only when safe |
|
|
|
|
Prevents dangerous link use |
|
|
|
Production Safety relates to the risk that a scanner or test affect the test object. Often the penetration test is also not production safe, but it can be on specific request, and hence it has been evaluated with this considered a key priority for the client.
Production safety is key for business critical applications, any customer facing applications or any applications where data integrity is of importance.
| Support | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
|
Onboarding call |
|
|
|
|
Vulnerability discussions |
|
|
|
|
Verification and remediation support |
|
|
|
|
Professional support directly in tolls |
|
|
|
|
Access to security specialists |
30 days | 30 days | Unlimited |
Support is important to ensure that you have full value from a solution and can work quickly to resolve both findings and technical problems.
Most applications are delivered with a limited support, mainly focused on pure tool support such as license questions and usage. Penetration testing usually carry an excellent support during the test itself, but come without long term commitments from the partner as this is a one of engagement where the business transaction and relationship ends with the delivery of the report.
Sometimes penetration testers offer a re-test to verify that problems are resolved, but it is a one off engagement also in this case, meaning ongoing verifications as you remediate is not available, and in case a problem is not solved, having one more verification later can be a challenge.
| Legend | |
|---|---|
|
Fulfilled |
|
|
Partially fulfilled |
/ |
|
Not fulfilled |
|