Web Application Pentesting

About

Web applications are commonly used to support key business functions and often hold critical or private data. They may be exposed to the general internet, and the impact of a compromise can be substantial.

Penetration Testing will help to identify vulnerabilities within the application so that you can resolve them.

Web Application Penetration Testing is our bread and butter. Our consultants have carried out hundreds of these assessments over the years.

How we can help

Pākiki have extensive experience carrying out security testing on web applications. Whether they are:

We can help identify the vulnerabilities before they are exploited, and will provide detailed and practical remediation advice on how to fix them.

Methodology

We follow the OWASP methodology to ensure broad coverage across all vulnerability types. This explicitly includes checking for the OWASP Top 10 (where we can reasonably check those items). Broadly speaking, this involves checking for:

  1. Information Gathering: Understanding the application, how it communicates with any backing servers, and what application framework and platforms it uses, so that we can further target and tailor any attacks.
  2. Authentication: How do users log in? Are all non-public pages adequately protected? Is there any way to bypass the login process, or is it weak in any way?
  3. Authorisation: Are users only able to gain access to the data and resources that you intend them to?
  4. Session management: At a technical level, how does the site keep track of who is logged in, and is there any way to hijack another user’s session?
  5. Input validation: Are there any places where user input is mixed with “code” which may be executed by either the web browser or any backing services?

Where practical, we strongly recommend a whitebox approach, where the consultant is given access to the source code. This allows us to be more efficient in the time we have available to us and allows us to provide more detailed advice on how to resolve any issues.

What you get

At the end of the engagement, you’ll receive a written report, detailing:

Process

All of our engagements follow a similar process:

  1. We start by scoping the engagement: understanding what you're looking for, discussing the technologies and platforms in use, and any key concerns that you may have. From this, we produce a Statement of Work detailing the effort required, cost, any prerequisites, and our approach to the engagement.
  2. Once the Statement of Work is signed, we'll work with you to schedule the work.
  3. Prior to the engagement starting, we'll be in touch to organise any prerequisites we require and where practical will test these prior to the engagement. This will ensure the engagement commences on time.
  4. The consultant will start the engagement and will provide regular updates. Any high or critical severity issues will be notified when they are found.
  5. At the end of testing, a report will be produced and provided.
  6. A close-out meeting is held to provide any additional context around the business impact of what we identified, and to provide a chance for any further questions on how to remediate what was found.
  7. Optional: Retesting can be carried out in order to ensure that any vulnerabilities have been successfully remediated.

Get in touch

We’d love to hear about your next project.
