Web Application Pentesting
atreya supports organizations deliver assurance around their web based applications and services. Through web application penetration testing, Aatreya identifies vulnerabilities that could expose an organization's assets, their data, their people and their process.
Our Web Application Methodology
The OWASP Top 10 is a list of the most common types of security issues that impact web applications. It is referenced by many security standards including PCI DSS, Defence Industry Security Association (DISA), MITRE, Federal Trade Commission (FTC) and more.
All of Aatreya web application and penetration testing engagements cover the OWASP top 10. In addition, Aatreya goes deeper to assess the fundamental application logic, whilst also assessing the access controls that deliver security roles and user partitioning.
Aatreya also pulls in information from external sources such as Facebook, LinkedIn and Twitter, to provide social engineering and authentication based attacks vectors. Combining these approaches together provides customers with a much more holistic approach to web application security testing.
Aatreya carries out web application testing to assess the following elements of the OWASP Top 10:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A4: Insecure direct object references
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration (CSRF)
- A7: Insecure cryptographic storage
- A8: Failure to restrict URL access
- A9: Insufficient transport layer protection
- A10: Unvalidated redirects and forwards
The OWASP Top 10 is a strong starting point for web application testing, but organizations should really look to go beyond this. The underlying application logic needs to be tested. Websites need to be assessed with different classes of users, to ensure that appropriate partitioning and access controls exist. Content Management Systems (CMS) and administrative functions should be assessed and a series of broader controls should be reviewed and tested.
Application Testing Experience
Aatreya has tested a vast range of applications, from internal applications to external applications delivered over the internet and by mobile/cell phone.
Some of the applications Aatreya has tested include:
- Mail applications (Exchange, Domino, Groupwise, Bespoke)
- CRM applications
- Databases (Sybase, DB2, Oracle, Postgres, MySQL, Microsoft SQL)
- ERP applications (Peoplesoft, Oracle, SAP)
- Financials (Oracle, Sage)
- Operating systems (Windows, Linux, Solaris, AIX, OS400, Novell, Apple, Mainframe derivatives)
- IP Telephony (Cisco, Mitel, Alcatel, Nortel, BT, Avaya, SIP based services)
- Numerous custom applications in banking, insurance, retail and manufacturing sectors
- Web applications and web services
- Mobile telephony applications
Copyright (c) 2016 aatreya technologies. All rights reserved.