Web application security testing is about covering every possible aspect of a web application, detecting security issues and vulnerabilities and give advice on fixing.
Bithex WSC is a security assessment project designed to examine security aspects of web site components such as login pages, session handling and management, data validation, web server configuration, application server settings, code review, etc.
By far, the biggest part in Bithex WSC is penetration testing and fraudulence tests on the web app’s features and interface. Bithex WSC is useful for anyone who needs to perform security and risk assessment of their web applications and websites, wether required by internal or external sources, such as security standards or regulations.
How is Bithex WSC Pen Testing Executed?
Bithex WSC is about analyzing and examining all possible inputs of a website or web application. Common security threats to websites are tested as well as common methods of misuse, such as changing another user’s settings or data, or accessing restricted data and code in the web application.
More exactly, the method goes as following:
- We analyse your web application and design a test plan
- We execute penetration and fraudulence tests and analyse all issues
- You fix issues that must to stand up to security criteria
- We verify your fixes by retesting
Why pen test a web application?
Questions we try to address and answer with Bithex WSC are commonly “Can you penetrate the system, and how?”, “Can you access pages without proper authority or authentication?”, “Can a user see or change data he should not see?”, “Can a user with normal access do anything abnormal?”, “What are the chances of someone abusing my system?”, “What is the overall security posture?”.
What is included in Bithex WSC security assessments?
A typical Bithex WSC security assessment covers the following aspects:
- Total web site content crawling and analysis.
- Session management issues, session hijacking, guessing etc.
- Authentication system analysis and brute force login.
- Data validation testing and analysis.
- Client side parameter tampering.
- SQL Injection attacks/misuse.
- Remote command injection/execution.
- Exception handling and errors.
- Code review of data validation modules.
- Source code disclosure.
- Review and consulting on design principles.
- Web server, application server and database server configuration analysis.
- Detailed issue reporting and tracking.
- Bithex WSC test fulfill requirements PCI DSS 6.5 on application security.
Test cases for fraudulence and security requirements
Besides general security tests, we execute tests to search for security issues in regular features and functionality of the web application. Feature tests try out fraudulence operations within the system, such as access to data belonging to other users, transactions executed in the name of other users, changes to attributes of other users, etc.
Fraudulence tests together with general security testing are an important part in fully verifying that the application performs as expected. Bithex WSC pen testing does cover web application security requirements from security standards such as OWASP Testing Guide, PCI DSS and more.
Methodology and tools used in Bithex WSC
Bithex consultants use documented procedures in all security assessments. Bithex WSC security assessments depend on a mixture of manual and automated methods. A multitude of tools is used depending on the type and nature or the web application under test. To name ust some tools used, browser plugins, ZAP, netcat, Fiddler, Tamper Data, and more.
Price depends on size and nature of the web application in question. We do a quick content analysis of the application before providing a fixed price offer. Please contact us for more information and price quotes.