Web Application Penetration Testing services are derived from the Open Web Application Security Project (OWASP) and heavily augmented by Real Time Dynamic Testing. OWASP is the de facto standard for designing and testing secure web applications. Netragard focuses on key areas of OWASP that include, but are not limited to, the following:
A1 Injection
Can we send malicious code/scripts to the system?
A2 Broken Authentication and Session Management
Secure authentication is hard. Can we exploit authentication-related parts of the app, such as logout, password management, timeouts, remember me, secret questions, account update, etc.?
A3 Cross-Site Scripting (XSS)
Can we use untrusted data to exploit the interpreter in the browser? This is the most widespread web application security flaw.
A4 Insecure Direct Object Reference
Can we change parameters to gain access to unauthorized objects?
A5 Security Misconfiguration
Can we use default accounts, unused pages, unpatched flaws, unprotected files or directories, etc. to gain unauthorized access to, or knowledge of, the system?
A6 Sensitive Data Exposure
Can we get unencrypted or weakly encrypted sensitive data by a man-in-the-middle attack, exploiting the browser, stealing keys, intercepting clear text in transit, etc.?
A7 Missing Function Level Access Control
Is access granted when a user changes parameters to access privileged functions?
A8 Cross-Site Request Forgery (CSRF)
Can we forge an HTTP request and trick users into submitting it?
A9 Using Components with Known Vulnerabilities
Can we use scanning or manual analysis to find weak or bad components?
A10 Unvalidated Redirects and Forwards
Can we use the system to redirect or forward the user to a phishing site or malicious URL?
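As an added illustration of the A10 item (example code written for this page, not Netragard's own tooling or code), the following Python puts the unvalidated redirect pattern next to the host-allowlist check a defender would add, and exercises it against the inputs that commonly slip past a naive "starts with /" test. The host app.example.com and the sample next values are constructed for the example.

```python
from urllib.parse import urlparse, urljoin

# Constructed application host (assumption for this example); a real app would
# take this from configuration rather than a constant.
APP_HOST = "app.example.com"


def redirect_target_vulnerable(requested: str) -> str:
    """Unvalidated redirect: the 'next' parameter is used as-is, so an
    off-site value sends the user wherever the link author chose."""
    return requested or "/"


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """True only if `target` resolves to a page on the application's own host.

    Rejects the usual bypasses of a naive prefix check:
      //other.tld/...                 protocol-relative URL
      /\\other.tld/...                backslash that browsers treat as a slash
      javascript:...                  non-http(s) scheme
      https://app.example.com@other/  userinfo trick (hostname is 'other')
    """
    if not target:
        return False
    # Browsers normalize backslashes to forward slashes; do the same before parsing
    # so that '/\\other.tld' is seen as the protocol-relative '//other.tld'.
    normalized = target.replace("\\", "/")
    # Resolve relative paths against our own origin, then inspect the result.
    resolved = urlparse(urljoin(f"https://{app_host}/", normalized))
    if resolved.scheme not in ("http", "https"):
        return False
    # .hostname drops any 'user:pass@' prefix and lowercases, so comparing it
    # (rather than .netloc) defeats the userinfo trick as well.
    return (resolved.hostname or "") == app_host.lower()


def redirect_target_safe(requested: str, fallback: str = "/") -> str:
    """Validated redirect: anything off-site or malformed falls back to a local page."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed sample 'next' parameter values as they might arrive on a login form.
    samples = [
        "/account/settings",
        "https://app.example.com/orders/42",
        "https://other.tld/login",
        "//other.tld/login",
        "/\\other.tld/login",
        "javascript:alert(1)",
        "https://app.example.com@other.tld/",
        "",
    ]
    for s in samples:
        print(f"{s!r:40} vulnerable -> {redirect_target_vulnerable(s)!r:40} "
              f"safe -> {redirect_target_safe(s)!r}")
```

The check compares the resolved hostname, not a string prefix, which is why app.example.com.other.tld and app.example.com@other.tld are both rejected; if the application serves on a non-default port, extend the comparison to the port as well.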