Overview: Web Application Penetration Testing
We are Programmers with Hacking Experience
Raxis penetration testers have extensive experience as web developers using cutting-edge as well as legacy web tools, databases and frameworks. We have worked extensively with platforms and frameworks from Node.js to Java frameworks such as Struts, and with databases from MongoDB and MySQL to Oracle. Raxis has successfully performed privilege escalation, information disclosure, and database compromise on multiple past projects. In past tests we have discovered private customer and system information using vectors such as SQL injection, file path traversal and cross-site scripting.
Don't Just Test the Login Form
Our testing will help you understand the potential security risks to which you may be exposing your system. We recommend that you provide credentials for the various types of application users so that we can test the application from an authenticated perspective in addition to testing as an unauthenticated user. We are also able to test the application's externally exposed properties, and in some cases to gain elevated access, as an unauthenticated user.
Any internal Web applications can be accessed remotely using the Raxis Transporter solution, or we may travel to your site as needed.
Raxis Web Application Testing Features
- Fuzzing against any input variable to test for proper input sanitization
- Test each form in detail to ensure proper handling
- Check for login and ‘forgot password’ page vulnerabilities that are exposed to unauthenticated users
- Ensure session management is properly handled
- Attempt to brute force any applicable user credentials
- Attempt to access data outside of the intended user role permissions
- Test for injection vulnerabilities such as SQL injection, file path traversal and cross-site scripting
- Attempt to exfiltrate confidential data from the server or database
- Crack any password hashes obtained during the test and leverage them for additional access
Download our Penetration Testing Service Brief (PDF) for more information.
Transporter Remote Access
Raxis Transporter provides an easy-to-deploy "virtual wire" network connection to our manual penetration testers, vulnerability assessors, and R3 incident response team.
On-Site Penetration Testing
Sometimes it's necessary to be on-site to get access to internal networks or to examine a breach first-hand. No problem: our consultants will fly to you.
FAQ: Web Application Penetration Test
How does Raxis perform a Web Application Pen Test?
The web application penetration test can be performed over the internet from our office, on-site, or remotely using our Transporter device connected to your internal network. Once access to the web application is provided, Raxis will attempt to breach internal security controls in the role of a potential outsider, rogue employee, or unauthorized user on the internal network. DNS reconnaissance and a vulnerability scan are launched against the in-scope ranges to quickly determine how to gain a foothold. Once a vulnerability is leveraged, Raxis will attempt to pivot into other systems in order to push further into the environment, with the goal of obtaining and extracting sensitive data. We use attacks designed specifically to gain access to internal data or to escalate our privileges beyond the acceptable level of access.
How do you penetration test through a Web Application Firewall (WAF)?
If there are countermeasures in place to stop scanning or other web application reconnaissance, Raxis can use techniques to bypass these controls. However, because of the productivity decrease this causes, Raxis recommends demonstrating the bypass as a proof of concept for the report, and then whitelisting our testers so that a more complete test can be run against the actual servers. Otherwise, bypass techniques such as rotating IP addresses and targeted port scanning will significantly slow down the discovery phase and impact the final deliverable, while the risk remains exposed to a malicious attacker with more time.
What does web application penetration testing cost?
Raxis charges by the number of user roles and size of the web application. Costs range from as little as $3,000 to over $25,000 for a large enterprise web application.
How long does it take to perform a pen test against my web application?
While it depends largely on the number of user inputs and the size of the application, most Raxis penetration tests are performed within 5 business days. We will work with you to define a scope that meets your budget.
Yes. Raxis penetration testing and reports exceed the NIST 800-115 standards required by most regulatory agencies. If a clean penetration test report is needed to meet requirements, we can work with you to re-test any findings and validate that the proper configuration changes or upgrades have been made.
How often should I get a penetration test?
Many regulatory agencies require a penetration test each year, or after any changes are made to the software code or configuration. For self-built web applications, we highly recommend performing a penetration test at every release to ensure that new code does not introduce a new security risk.