The purpose of a Web Application Security Test is to assess a web service's susceptibility to exploitation by a malicious user. This type of penetration test may be undertaken using either a 'black-box' or a 'white-box' method.
A white-box test provides the penetration testing consultant with application-specific information such as logon account details and system and network information; information pertaining to the web application and its associated systems is supplied to assist the testing. The 'black-box' method assumes no prior knowledge of the web application, an approach similar to the one a malicious external user would take.
The Web Application Security Test employs software and application testing techniques to identify security vulnerabilities in client/server applications. Such applications are generally developed in-house by system owners to serve dedicated business purposes and may be built with any programming language and technology.
Like network penetration testing, web application testing follows a defined methodology in order to identify vulnerabilities in the delivery of the web-enabled service. The testing aims to identify vulnerabilities arising from inadequate coding practices and from data input and handling techniques that may give a malicious user access to unauthorised information.
Denver Technology’s Web Application Security Test methodology is derived from a combination of information security guidelines and recognised penetration testing methodology standards from sources such as OSSTMM and OWASP.