MTI Web Application Testing: Overview
MTI have developed an extensive web application testing methodology that is based on the OWASP Top Ten but also goes beyond it, incorporating many bespoke testing methodologies that our consultants have designed over many years of carrying out these types of test.
As trusted experts, MTI examine applications that are predominantly accessed over HTTP or HTTPS and attempt attacks that the traditional network firewall isn't designed to protect against. Interactive extranet and eCommerce applications can take thousands of man hours to code and are often very complex. Whilst some automated tools can find some issues, no web application can be reliably and fully tested using automated tools alone; each requires testing by experienced consultants.
Depending on the application, we perform appropriate testing in the following areas:
- Account Management
- Session Management
- Cross Site Request Forgery (CSRF)
- Hidden field manipulation
- SQL and Script injection attacks
- Meta character stripping
- Parameter tampering
- Forceful browsing
- Form posting vulnerabilities
- Character bounds checks
- Buffer overflow checks
- Cross-site scripting
- Source code disclosure
- Back doors and debugging options
- Past errors disclosed (incl. Google diving)
- Newsgroup searches for information and technicians' query disclosures
- Third-party misconfigurations and insecure default configuration settings
- Known software vulnerabilities
- Code Reviews
If you would like more information regarding Web Application Testing, please contact the MTI penetration testing team to discuss your requirements.