Web Application Penetration Testing WAPT

Web Application Penetration Testing is a legal, structured procedure to evaluate the security posture of an organization. This practice simulates an attack against the infrastructure, such as its network, applications, and users, to identify exploitable vulnerabilities. In every case, ICT Academy will deliver a comprehensive report that helps you close the security gaps and maintain the Confidentiality, Integrity, and Availability of your critical web application assets.

The ICT Academy Approach:

ICT Academy begins every web application penetration test using methodologies based on the EC-Council or OWASP penetration testing phases and the Penetration Testing Execution Standard (PTES). The methodology is chosen according to your needs, but all testing by ICT Academy is performed manually by a human tester. We are ethical hackers; during testing, we employ tools, techniques and procedures identical to those you would face from a black-hat hacker.

Every web application presents a different challenge; the description below gives a generic overview of some of the areas that the penetration testers will assess:

Research (Information Gathering & Reconnaissance) / Enumeration – This exercise begins the actual penetration test and involves investigating the underlying servers and web applications for possible vulnerabilities and weaknesses that may be exploitable. It includes identifying entry points (vulnerabilities or open ports through which a hacker could access your business, steal valuable information or even do damage).

Targeting/Exploiting (Gaining and Maintaining access) – In this two-part test phase, ICT Academy will look to exploit any weaknesses or vulnerabilities identified in the underlying servers and web application, with the objective of breaching it from a black box perspective (i.e. with no credentials for the systems).

Next, we will use a combination of automated and manual exploration techniques to test the application in more depth. Testing can include high-level categories such as:

Injection (flaws and attacks)
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Security Misconfigurations
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Known Vulnerability Testing

Reporting and Deliverables:

Penetration Testing Reports – Following any testing, a full, detailed report shall be made available. The report will outline items such as the testing methods used, the findings, and any proof-of-concept code for successful exploits.

Exploit Proof of Concept – In the event of a successful exploit, breach or compromise, ICT Academy shall document the testing methodology used and record all gathered evidence.