Use Our Offense to Inform Your Defense
Web-based security assessments give an organization a clear understanding of the risks to its information assets at the point where those assets are most exposed: web applications, web services, thick clients, and legacy applications.
Whether you need a high-level overview or a thorough, in-depth review, DISD works with your staff to produce prioritized findings, recommendations, and remediation or mitigation steps that fit your organization's profile.
DISD performs web application security assessments according to a well-developed and refined methodology, so that results are thorough, accurate, and reproducible across the web application, the platform, and the server. Testing begins at the network and server levels, to identify extraneous services, known software vulnerabilities, and misconfigurations. Consultants then enumerate application-level functionality and settings, and use those details to conduct tailored manual testing in areas such as input validation, session state management, and privilege separation.
DISD uses a combination of well-known tools such as Nikto, Burp Suite, skipfish, w3af, and ratproxy; internally developed scripts that improve the efficiency and accuracy of tests; and careful manual web application testing.
Areas of testing focus in a web application security assessment include, but are not limited to:
- Identification of server and application technologies
- Enumeration of supported services and methods
- Identification of supporting and interfacing technologies
- Server configuration management analysis
- Unauthenticated content crawling
- Authenticated content crawling, using various roles and permission levels
- Identification of administrative functionality
- SSL/TLS configuration review
- Authentication methods review
- Identification of input validation mechanisms
- Session state tracking analysis
- Authentication requirements analysis
- Identification of verbose error messages
- Discovery of hidden content
- URL parameter tampering attempts
- Horizontal and vertical privilege escalation attempts
- Blind and in-band SQL injection testing
- Reflected, stored, and DOM-based cross-site scripting (XSS) testing
- Identification of sensitive information disclosure
- Phishing susceptibility analysis
- Cross-site request forgery (CSRF) testing
- Command injection testing
- Directory traversal testing
- Account harvesting attempts
- Cookie settings analysis
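Three of the items above (identification of server and application technologies, identification of verbose error messages, and cookie settings analysis) can be shown as passive checks over a single captured HTTP response. The script below is an added example written for this page, not DISD's internal tooling; the response it inspects is constructed, and the header names it looks at and the error-message patterns it matches are a starting set, not a complete one.

```python
"""Added example: passive checks over one captured HTTP response.

Illustration code, not DISD's tooling. It covers three items from the list
above: identification of server and application technologies from response
headers, cookie settings analysis, and identification of verbose error
messages. The response below is constructed for the demo.
"""
import re

# Constructed response: headers as an intercepting proxy would present them,
# plus the body. Not captured from any real host.
SAMPLE_HEADERS = {
    "Server": ["Apache/2.4.41 (Ubuntu)"],
    "X-Powered-By": ["PHP/7.4.3"],
    "Content-Type": ["text/html; charset=UTF-8"],
    "Set-Cookie": [
        "PHPSESSID=0f3a9c1e; Path=/",
        "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
}
SAMPLE_BODY = """<html><body>
<b>Warning</b>: mysqli_query(): You have an error in your SQL syntax
in <b>/var/www/html/search.php</b> on line <b>42</b>
</body></html>"""

# Headers that commonly reveal the server or framework and its version.
TECH_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version",
                "X-AspNetMvc-Version", "X-Generator")

# Signatures of verbose errors reaching the client. Starting set only;
# a real assessment extends it per platform.
ERROR_PATTERNS = {
    "php_warning": re.compile(r"<b>(?:Warning|Fatal error|Notice)</b>:"),
    "mysql_syntax": re.compile(r"You have an error in your SQL syntax"),
    "python_traceback": re.compile(r"Traceback \(most recent call last\)"),
    "aspnet_stack": re.compile(r"\[\w+Exception\]|Stack Trace:"),
    "unix_path": re.compile(r"(?:/var/www|/home/\w+|/usr/local)/\S+"),
}


def identify_technologies(headers):
    """Returns {header: value} for every technology-revealing header present."""
    return {h: headers[h][0] for h in TECH_HEADERS if h in headers}


def parse_set_cookie(value):
    """Splits one Set-Cookie line into (name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def analyze_cookies(headers):
    """Returns {cookie_name: [weakness, ...]} for each Set-Cookie header.

    A cookie without SameSite is treated as a finding even though current
    browsers default it to Lax, because the application has not stated it.
    """
    findings = {}
    for raw in headers.get("Set-Cookie", []):
        name, attrs = parse_set_cookie(raw)
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            issues.append("SameSite not explicitly Lax/Strict")
        findings[name] = issues
    return findings


def find_verbose_errors(body):
    """Returns the sorted names of error signatures found in the body."""
    return sorted(k for k, rx in ERROR_PATTERNS.items() if rx.search(body))


if __name__ == "__main__":
    print(identify_technologies(SAMPLE_HEADERS))
    print(analyze_cookies(SAMPLE_HEADERS))
    print(find_verbose_errors(SAMPLE_BODY))
```

In practice these checks run over every response the proxy records, and a hit on the session cookie (here PHPSESSID with no Secure, HttpOnly or SameSite attribute) is prioritized above a hit on a preference cookie, since the former is what session state tracking depends on.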
Web services testing involves many of the same activities and techniques, but often requires different tools compatible with web services protocols and data interchange formats.
In addition to the traditional web application testing activities described above, web services testing often includes:
- Service discovery
- Identification of web service platforms and technologies
- Method enumeration via WSDL contents, traffic interception, and brute-force techniques
- Known vulnerability checks
- Administrative interface testing
- Attachment testing
- SOAPAction spoofing
- Routing detour attacks
- Request replay attacks
- Identification of WS-Security extensions
- XML structural testing
- XML content testing
- XPath injection testing
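SOAPAction spoofing, one of the items above, exploits a service or gateway that authorizes a request on the SOAPAction header but executes whatever operation the soap:Body actually carries. The following is an added example written for this page, not DISD's code or any real service: the service namespace, the two operations, and the role policy are invented for the demo, and the request envelopes are constructed. It shows a dispatcher that is spoofable beside one that requires the header and body to agree.

```python
"""Added example: SOAPAction spoofing against a toy SOAP dispatcher.

Not DISD's code or a real service. The namespace, operations and role policy
are hypothetical. The vulnerable dispatcher authorizes on the SOAPAction
header and executes the body operation; the hardened one derives the
operation from the body, requires the header to agree, and authorizes that.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.invalid/accounts"  # hypothetical service namespace

ACCOUNTS = {"alice": 120, "bob": 75}  # constructed data store


def get_balance(params):
    return {"balance": ACCOUNTS[params["user"]]}


def delete_account(params):
    ACCOUNTS.pop(params["user"], None)
    return {"deleted": params["user"]}


# operation name -> (handler, minimum role allowed to call it)
OPERATIONS = {
    "GetBalance": (get_balance, "user"),
    "DeleteAccount": (delete_account, "admin"),
}
ROLE_RANK = {"user": 0, "admin": 1}


def op_from_action(soap_action):
    """SOAPAction arrives as a quoted URI; the operation is its last segment."""
    return soap_action.strip().strip('"').rsplit("/", 1)[-1]


def op_from_body(envelope_xml):
    """Returns (operation, params) from the single child of soap:Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one operation element in soap:Body")
    op = body[0]
    if not op.tag.startswith("{" + SVC_NS + "}"):
        raise ValueError("operation in unexpected namespace")
    local = op.tag.split("}", 1)[1]
    params = {c.tag.split("}", 1)[1]: (c.text or "") for c in op}
    return local, params


def authorize(role, op):
    """Returns the handler for op if role may call it, else raises."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    handler, needed = OPERATIONS[op]
    if ROLE_RANK[role] < ROLE_RANK[needed]:
        raise PermissionError(f"{role} may not call {op}")
    return handler


def dispatch_vulnerable(role, soap_action, envelope_xml):
    """Authorizes on the header, executes the body: spoofable."""
    authorize(role, op_from_action(soap_action))
    body_op, params = op_from_body(envelope_xml)
    return OPERATIONS[body_op][0](params)


def dispatch_hardened(role, soap_action, envelope_xml):
    """Header and body must name the same operation; authorization uses the body."""
    body_op, params = op_from_body(envelope_xml)
    if op_from_action(soap_action) != body_op:
        raise ValueError("SOAPAction does not match body operation")
    return authorize(role, body_op)(params)


def envelope(op, **params):
    """Builds a constructed request envelope for the demo."""
    fields = "".join(f"<a:{k}>{v}</a:{k}>" for k, v in params.items())
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:a="{SVC_NS}">'
            f"<s:Body><a:{op}>{fields}</a:{op}></s:Body></s:Envelope>")


# Spoofed request: a plain user names the permitted GetBalance in the header
# but places the admin-only DeleteAccount in the body.
SPOOFED_ACTION = f'"{SVC_NS}/GetBalance"'
SPOOFED_BODY = envelope("DeleteAccount", user="bob")


def run_demo():
    """Sends the spoofed request to both dispatchers as role 'user'."""
    try:
        dispatch_hardened("user", SPOOFED_ACTION, SPOOFED_BODY)
        hardened = "accepted"
    except (ValueError, PermissionError) as exc:
        hardened = type(exc).__name__
    vulnerable = dispatch_vulnerable("user", SPOOFED_ACTION, SPOOFED_BODY)
    return {"hardened": hardened, "vulnerable": vulnerable,
            "bob_survived": "bob" in ACCOUNTS}


if __name__ == "__main__":
    print(run_demo())
```

During a test the same mismatch is tried the other way round as well (a privileged operation in the header with a harmless body), and with an empty or absent SOAPAction, because services differ on which of the two they trust. The hardened dispatcher also rejects a body with zero or several operation elements, which closes the related trick of hiding a second operation behind the first.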
DISD works with our customers to identify the goals of security assessments prior to testing, and is available to assist in remediation efforts upon request.