Web Application Penetration Testing

We test your web application the way attackers do. Not the way compliance checklists say to.


Web Application Penetration Testing That Finds Logic Flaws, Not Just Known CVEs

Our Web Application Penetration Testing service differs from a standard network penetration test in where it looks: application-specific vulnerabilities, business logic flaws, and the complex user interactions within web-based systems, rather than only known CVEs in exposed services.

OWASP Top 10

The OWASP Top Ten is a widely recognized list of the most critical security risks to web applications. From broken access control to insecure design and injection, our engineers test for every category on it.

Find Business Logic Flaws

A business logic flaw is a vulnerability that arises when an application’s legitimate processing flow can be manipulated to produce unintended negative consequences. These flaws often stem from flawed assumptions about user behavior or inadequate validation of user input, allowing attackers to bypass security controls.
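As an added illustration (this is not Raxis code or any customer's application), the hypothetical checkout below shows the two ingredients the paragraph names: a flawed assumption about what the client will send, and missing validation of what it actually sent. The catalogue, coupon table and cart shapes are constructed for the example; the hardened version enforces the assumptions the first version silently relied on.

```python
"""Business logic flaw: a checkout that trusts client-supplied values (added, constructed example)."""

# Constructed server-side catalogue and coupon table; all amounts are in cents.
CATALOG = {"SKU-100": 1999, "SKU-200": 4999}
COUPONS = {"SAVE10": 1000}          # flat discount, intended to be used once per order
MAX_QTY = 100


class OrderError(ValueError):
    """Raised when an order violates a server-side business rule."""


def vulnerable_total(cart: list[dict], coupons: list[str]) -> int:
    """Flawed assumption: the client sends the unit price it was shown, a
    positive quantity, and each coupon once. Nothing here checks any of that,
    so a tampered request can price items at 1 cent, add negative quantities,
    or stack the same coupon until the total is negative (a refund)."""
    total = 0
    for line in cart:
        total += line["unit_price"] * line["qty"]
    for code in coupons:
        total -= COUPONS.get(code, 0)
    return total


def hardened_total(cart: list[dict], coupons: list[str]) -> int:
    """Every value the business rule depends on is taken from the server side
    or validated: price from the catalogue, quantity a bounded positive int,
    coupons known and applied at most once, and the total floored at zero."""
    total = 0
    for line in cart:
        sku = line.get("sku")
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty          # client-supplied unit_price is ignored
    applied = set()
    for code in coupons:
        if code not in COUPONS:
            raise OrderError(f"unknown coupon {code!r}")
        if code in applied:
            raise OrderError(f"coupon {code!r} applied twice")
        applied.add(code)
        total -= COUPONS[code]
    return max(total, 0)


def rejected_reason(cart: list[dict], coupons: list[str]):
    """Return the rule the hardened path rejects an order on, or None if accepted."""
    try:
        hardened_total(cart, coupons)
    except OrderError as exc:
        return str(exc)
    return None


# Constructed tampered request: 1-cent price, negative quantity, coupon stacked twice.
TAMPERED_CART = [
    {"sku": "SKU-200", "unit_price": 1, "qty": 1},
    {"sku": "SKU-100", "unit_price": 1999, "qty": -2},
]
TAMPERED_COUPONS = ["SAVE10", "SAVE10"]

# Honest request for comparison.
HONEST_CART = [{"sku": "SKU-100", "unit_price": 1999, "qty": 2}]
HONEST_COUPONS = ["SAVE10"]


if __name__ == "__main__":
    print("vulnerable, tampered:", vulnerable_total(TAMPERED_CART, TAMPERED_COUPONS))
    print("hardened, tampered:  ", rejected_reason(TAMPERED_CART, TAMPERED_COUPONS))
    print("hardened, honest:    ", hardened_total(HONEST_CART, HONEST_COUPONS))
```

The tampered cart produces a negative total on the vulnerable path, which in a real store becomes a refund to the attacker; the hardened path rejects it on the first rule it breaks. Note that none of the rejected values is "malicious input" in the injection sense; each is a perfectly well-formed number the application simply should not have trusted.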

Validate Security Controls

Your application must validate that all users have authenticated correctly and are authorized to use the proper areas of the application. The application code must follow proper security procedures to keep data safe. Your developers deal with a lot of moving pieces.

A Different Perspective

We take a hacker’s point of view, attempting to exploit business logic vulnerabilities as well as code and configuration issues. Raxis gives your development team useful, actionable feedback to give them the tools they need to secure your application.


Comprehensive Role-Based Testing

By thoroughly testing each user role, organizations can create a more robust and secure environment that accurately reflects their intended access control structure and minimizes the risk of unauthorized access or data breaches.

Cross-Customer Users

Software as a Service (SaaS) providers often need to validate that one customer (tenant) of the web application cannot read or modify another customer's data.

Restricted User

Testing as a user with limited permissions makes it possible for our engineers to attempt operations that should only be accessible to higher level users.

Unauthenticated User

We hunt for flaws in the login flow itself and for ways around it: SQL injection in the login query, session fixation, and cross-site scripting that can be used to steal or ride an authenticated user's session.

Administrative User

Once logged in, Raxis maps out the application, looking for technical vulnerabilities as well as business logic gaps and flaws.

Web Application Attack Vectors We Test for on Every Engagement

By simulating real-world attacks, Raxis Web Application Penetration Testing uncovers hidden weaknesses in web applications, including injection flaws, authentication vulnerabilities, and misconfigurations, allowing organizations to proactively strengthen their security posture and ensure compliance with industry regulations.

Broken Access Control

This vulnerability occurs when access restrictions are not properly enforced, allowing a user to act outside their intended permissions, such as viewing another user's records or calling administrative functions. It tops the 2021 OWASP Top 10 list.
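The cross-customer test described under Comprehensive Role-Based Testing and the broken access control category above are the same check from two sides. As an added example (not Raxis tooling or any customer's code), the script below builds a constructed two-tenant invoices table in SQLite, shows a handler that is authenticated but not authorized, and runs the probe a tester would run from one customer's account against both the flawed and the fixed handler.

```python
"""Broken access control across SaaS tenants (added, constructed example)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one invoices table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER)"
    )
    con.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "acme", 500), (2, "acme", 750), (3, "globex", 9000), (4, "globex", 120)],
    )
    return con


def get_invoice_vulnerable(con, session_tenant, invoice_id):
    """Authenticated, but not authorized: the handler checks that the caller is
    logged in (session_tenant is set) and then looks the row up by id alone.
    The tenant from the session never reaches the query."""
    if session_tenant is None:
        return None
    return con.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_hardened(con, session_tenant, invoice_id):
    """Tenant scoping is part of the query itself, so an id that belongs to
    another tenant is indistinguishable from an id that does not exist."""
    if session_tenant is None:
        return None
    return con.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, session_tenant),
    ).fetchone()


def cross_tenant_probe(fetch, con, session_tenant, id_range):
    """What a tester does from one customer's account: walk the id space and
    keep every record the handler returns that belongs to someone else."""
    leaks = []
    for invoice_id in id_range:
        row = fetch(con, session_tenant, invoice_id)
        if row is not None and row[1] != session_tenant:
            leaks.append(row)
    return leaks


def probe_both(id_range=range(1, 11)):
    """Run the same probe, as tenant 'acme', against both handlers."""
    con = build_db()
    return {
        "vulnerable": cross_tenant_probe(get_invoice_vulnerable, con, "acme", id_range),
        "hardened": cross_tenant_probe(get_invoice_hardened, con, "acme", id_range),
    }


if __name__ == "__main__":
    for name, leaks in probe_both().items():
        print(f"{name}: {len(leaks)} cross-tenant record(s) {leaks}")
```

The same probe, run with a restricted user's session against endpoints meant for administrators, is the "Restricted User" test from the section above; only the identifier being walked changes. The fix pattern is also the same: the authorization predicate belongs in the query or in a check that runs on every request, not in whether the UI shows a link.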

Injection Flaws

These vulnerabilities, including SQL injection and cross-site scripting (XSS), occur when untrusted input becomes part of a command or query that an interpreter executes. SQL injection changes the query the database runs; XSS places attacker-controlled script in a page so that it runs in other users' browsers.

Cryptographic Failures

Previously known as “Sensitive Data Exposure,” this category involves vulnerabilities related to inadequate protection of sensitive information, often due to weak or improper cryptographic practices.

Insecure Design

Insecure design refers to flaws or weaknesses in a software system’s architecture, design, or logic that can be exploited by malicious actors, often resulting from a lack of security considerations during the early stages of development.

Security Misconfigurations

These vulnerabilities arise from improperly configured application settings, default accounts, or exposed error messages that reveal sensitive information.

Cross-Site Request Forgery (CSRF)

CSRF attacks trick users into performing unintended actions on a web application where they are authenticated, by causing the victim's browser to send a request that carries their session cookies to a site that does not verify the request originated from its own pages.

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary destination of the attacker's choosing, typically internal services or cloud metadata endpoints that are unreachable from the internet but trusted by the server.
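The usual SSRF finding is a feature that fetches a user-supplied URL (a webhook, an image importer, a PDF renderer) with no check on where that URL actually points. As an added example (not Raxis code or any customer's application), the validator below shows the checks a practitioner would expect before the server makes the request. DNS is replaced by a constructed lookup table so the example runs offline; a real implementation would resolve with socket.getaddrinfo() and apply the same tests to every answer.

```python
"""SSRF: validating a user-supplied URL before the server fetches it (added, constructed example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline. The "public" answers
# are ordinary routable addresses because Python's ipaddress module classifies
# the RFC 5737 documentation ranges (e.g. 203.0.113.0/24) as non-global.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "meta.attacker.example": ["169.254.169.254"],          # cloud metadata service
    "loop.attacker.example": ["127.0.0.1"],
    "corp.attacker.example": ["10.20.30.40", "93.184.216.35"],  # one bad answer is enough
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def is_forbidden(ip) -> bool:
    """Reject anything that is not a routable public address."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def validate_outbound_url(url: str, resolve=fake_resolve):
    """Return (host, pinned_ip, port) for a URL the server may fetch, or raise
    ValueError. The caller should connect to pinned_ip rather than resolving
    the name again (which would allow DNS rebinding) and must re-run this
    check on every redirect the target returns."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port {port} not allowed")
    try:
        # Only canonical dotted-quad / RFC 4291 literals parse here. Forms such
        # as 0x7f000001, 2130706433 or 127.1 fall through to the resolver,
        # where the name is unknown and therefore rejected.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError(f"{host!r} does not resolve")
    for ip in addrs:                  # every answer must be public, not just the first
        if is_forbidden(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return host, str(addrs[0]), port


def is_safe_outbound_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://api.example.com/report",
                      "http://meta.attacker.example/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/",
                      "http://0x7f000001/"):
        print(f"{candidate:50} -> {is_safe_outbound_url(candidate)}")
```

Two points are easy to miss in a first implementation and are worth confirming on a test: a hostname with several DNS answers is only as safe as its worst answer, and validating the URL once while letting the HTTP client follow redirects on its own lets the target redirect the server to 169.254.169.254 after the check has passed.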

Authentication Failures

These are weaknesses in how an application confirms identity and manages sessions: permitting credential stuffing or brute force, accepting weak or default passwords, exposing session identifiers in URLs, or failing to invalidate sessions on logout and after a timeout. Any of them lets an attacker act as a user without that user's credentials.

Business Logic Errors

Business logic errors are vulnerabilities that arise when an application’s legitimate processing flow can be manipulated to produce unintended negative consequences for the organization.


Raxis Hack Stories


Our stories are based on real events encountered by Raxis engineers; however, some details have been altered or omitted to protect our customers’ identities.

How a Single Quote Dumped an Entire E-Commerce Database

While running through our usual array of unauthenticated web app checks, our pentester discovered that a small e-commerce site's login prompt allowed CTF-like SQL injection. Emboldened by this success, he successfully accessed multiple accounts with ' OR 1=1--, which turns the login query's WHERE clause into a condition that is true for every user and comments out the password check. During this process he successfully gained access to administrator accounts.

While accessing user accounts was fun, he decided to dig deeper using SQLMap. He crafted a request file with the vulnerable login parameters and ran sqlmap -r login.txt. SQLMap worked its magic, revealing the application’s databases. With a few more commands, he was able to enumerate tables, columns, and ultimately download the entire database, including encrypted passwords and personal information for all users, from admins to customers.

The ease with which SQLMap extracted sensitive data, while making for a great pentest report, was concerning for our customer. As a critical finding, our pentester alerted our customer immediately with remediation steps that could, and did, take place within the time of the test, allowing our pentester to confirm remediation of this critical issue all within the testing timebox. Mind you, he did log in to the web application as the CEO using the information he had gathered while they were remediating the issue, just to get a nice screenshot for the proof of concept on his report.
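The login query behind this story, and the injection category described above, come down to one pattern: user input spliced into SQL text. As an added example (constructed here, not the customer's application or Raxis tooling), the script below reproduces the ' OR 1=1-- bypass offline against an in-memory SQLite table and shows the parameterised query that ends it. The user names, passwords and hash choice are constructed for the example; SHA-256 stands in for a proper password hash such as bcrypt or Argon2.

```python
"""The login-bypass pattern from the story, reproduced offline (added, constructed example)."""
import hashlib
import hmac
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed users table. SHA-256 stands in for a proper password hash
    (bcrypt/argon2 in production); the point here is the query, not the hash."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password_hash TEXT NOT NULL, role TEXT NOT NULL)"
    )
    for uid, name, password, role in [
        (1, "ceo", "Correct-Horse-Battery", "admin"),
        (2, "alice", "hunter2", "customer"),
    ]:
        con.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                    (uid, name, hashlib.sha256(password.encode()).hexdigest(), role))
    return con


def login_vulnerable(con, username: str, password: str):
    """Input is spliced into the SQL text. With username = ' OR 1=1-- the query
    becomes ... WHERE username = '' OR 1=1--' AND password_hash = '...': the
    OR makes the predicate true for every row and the -- comments out the
    password check, so the first row (here the admin) is returned."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT id, username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{digest}'")
    return con.execute(sql).fetchone()


def login_hardened(con, username: str, password: str):
    """Parameterised query: the username is bound as data, so quote and
    comment characters are looked up literally and never change the query.
    The hash comparison is constant-time and done in code, not in SQL."""
    row = con.execute(
        "SELECT id, username, role, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(row[3], digest):
        return None
    return row[:3]


# Constructed payloads: the generic bypass from the story and a targeted one.
BYPASS_ANY = "' OR 1=1--"
BYPASS_CEO = "ceo'--"


def demo() -> dict:
    """Run both payloads and one valid login through each implementation."""
    con = build_db()
    return {
        "vulnerable_any": login_vulnerable(con, BYPASS_ANY, "x"),
        "vulnerable_ceo": login_vulnerable(con, BYPASS_CEO, "x"),
        "hardened_any": login_hardened(con, BYPASS_ANY, "x"),
        "hardened_ceo": login_hardened(con, BYPASS_CEO, "x"),
        "hardened_valid": login_hardened(con, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} -> {row}")
```

The targeted payload ceo'-- is how a tester moves from "some account" to a chosen account once the generic bypass works, which is the step the story describes before SQLMap was brought in. Remediation is the parameterised query, not input filtering: once the username is bound as a parameter there is no SQL for the quote or the comment marker to break out of, which is why the fix could be applied and re-verified inside the testing window.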


2870 Peachtree Road
Suite #915-8924
Atlanta, GA 30305 USA

+1 678.421.4544

©2026 Raxis LLC