Web Application Security Assessment
Web Security Assessment
PKF Algosmic performs an in-depth security assessment of your web application using both automated and manual testing techniques. Automated testing includes running web application scanners and other tools. Manual testing involves PKF Algosmic experts simulating active web-based exploitation techniques, assuming different roles and levels of authentication, for a thorough assessment of the web application.
PKF Algosmic identifies vulnerabilities, analyses them, and ranks them according to the client's business risk; exploitation is performed only to validate a finding and provide a proof of concept. Our web application security assessment services systematically evaluate the vulnerabilities and misconfigurations found within your web application.
PKF Algosmic develops a customised assessment plan for each client. Our goal is to identify security weaknesses in internal- and external-facing applications that could be exploited to gain access to sensitive data or business operations, before bad actors do.
OWASP Top Web Application Security Risks Tested by PKF Algosmic
Below are some of the most common attacks performed against web applications, which PKF Algosmic strives to protect you against:
- Broken Access Control - A web application restricts what authenticated users are allowed to do and view. When those restrictions are not enforced consistently on the server, the result is broken access control. Attackers leverage it to reach unauthorised functionality or data: editing other users' information, viewing sensitive files, accessing other users' accounts, modifying access rights, and so on. In the OWASP Top 10 2021 this category moved up from fifth place to first; 94% of applications were tested for some form of broken access control.
- Sensitive Data Exposure - Many APIs and web applications do not adequately protect sensitive data such as healthcare records, financial information, and PII. Attackers may steal or modify such poorly protected data to commit credit card fraud, identity theft, or other crimes.
- Injection - Injection flaws such as SQL, NoSQL, OS command, and LDAP injection occur when untrusted data is sent to an interpreter as part of a query or command. The attacker's data tricks the interpreter into executing unintended commands, which can lead to compromise of sensitive data in the database or of the entire web server.
- Cross-Site Scripting (XSS) - XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS lets attackers execute scripts in the victim's browser, which can deface websites, hijack user sessions, or redirect users to malicious sites.
- Security Misconfiguration - Security misconfiguration is the most commonly seen issue. It is generally the result of ad hoc or incomplete configuration, insecure default settings, open cloud storage, misconfigured HTTP headers, and verbose error messages that contain sensitive information. 90% of applications were tested for some form of misconfiguration.
- Identification and Authentication Failures - Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
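The Injection and Cross-Site Scripting items above share one root cause: untrusted input reaches an interpreter (the SQL engine, the browser's HTML parser) as code rather than data. The following is an added example, not code from PKF Algosmic or from this page, showing a vulnerable login query and an unescaped HTML template next to their fixed forms. The users table, the sample passwords and the payloads are constructed for the demonstration and are not taken from any real assessment.

```python
"""Injection and XSS side by side: concatenated SQL vs. bound parameters,
and unescaped HTML vs. context-aware output encoding.
Added example, not PKF Algosmic code; all data below is constructed."""
import html
import sqlite3

# Constructed sample rows (plaintext passwords only to keep the demo short).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """VULNERABLE: input is concatenated into the SQL text, so quote characters
    in the input are parsed as SQL syntax instead of as data."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """FIXED: bound parameters travel separately from the query text; the
    database never interprets the values as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def render_greeting_vulnerable(display_name: str) -> str:
    """VULNERABLE: user-supplied text is placed into HTML unescaped (reflected
    or stored XSS, depending on where display_name came from)."""
    return f"<p>Welcome, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    """FIXED: encode for the HTML body context so <, >, &, ' and " become
    entities and the browser renders them as text, not markup."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"          # classic authentication-bypass payload
    print(login_vulnerable(conn, tautology, tautology))  # ['alice', 'bob']
    print(login_safe(conn, tautology, tautology))        # []
    print(login_safe(conn, "alice", "s3cret"))           # ['alice']
    probe = "<script>alert(document.cookie)</script>"
    print(render_greeting_vulnerable(probe))
    print(render_greeting_safe(probe))
```

Run as written, the tautology payload makes the concatenated query return every row, while the parameterised query treats the same string as a literal username and returns nothing. `html.escape` is the right encoder only for the HTML body and attribute contexts; data placed inside a script block, a URL, or a CSS value needs the encoder for that context, which is why manual review of where each input lands matters more than a single global filter.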
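The Broken Access Control item describes two failures a tester checks for by swapping roles and identifiers: reading another user's record by changing an ID in the request, and invoking a privileged function that the UI merely hides. The following added example, not code from PKF Algosmic or from this page, shows both next to the server-side checks that close them. The `User`, `Invoice` and `Forbidden` types and the invoice records are constructed for the demonstration.

```python
"""Broken access control: an object lookup keyed only by the requested ID
(an insecure direct object reference) and a role change that trusts the UI,
each next to a version that enforces the check on the server.
Added example, not PKF Algosmic code; users and invoices are constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested action."""


@dataclass
class User:
    user_id: int
    role: str  # "user" or "admin"


@dataclass
class Invoice:
    invoice_id: int
    owner_id: int
    amount: int


# Constructed sample records: invoice 101 belongs to a different user.
INVOICES = {
    100: Invoice(invoice_id=100, owner_id=1, amount=250),
    101: Invoice(invoice_id=101, owner_id=2, amount=9000),
}


def get_invoice_vulnerable(current: User, invoice_id: int) -> Invoice:
    """VULNERABLE: the caller is authenticated, but nothing ties the requested
    ID to the caller. Incrementing the ID in the URL reads other users' data."""
    return INVOICES[invoice_id]


def get_invoice_safe(current: User, invoice_id: int) -> Invoice:
    """FIXED: deny by default; only the owner or an admin may read the record.
    The same error covers 'missing' and 'not yours' so the endpoint does not
    confirm which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden(f"invoice {invoice_id}")
    if invoice.owner_id != current.user_id and current.role != "admin":
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def set_role_vulnerable(current: User, target: User, role: str) -> None:
    """VULNERABLE: relies on the admin-only button being hidden in the UI; a
    user who sends the request directly can make themselves admin."""
    target.role = role


def set_role_safe(current: User, target: User, role: str) -> None:
    """FIXED: the privilege check is enforced on the server on every call,
    and the new role is validated against the known set."""
    if current.role != "admin":
        raise Forbidden("role change requires admin")
    if role not in ("user", "admin"):
        raise ValueError(f"unknown role {role!r}")
    target.role = role


def can_read(current: User, invoice_id: int) -> bool:
    """True if get_invoice_safe would allow the read."""
    try:
        get_invoice_safe(current, invoice_id)
        return True
    except Forbidden:
        return False


def try_set_role(current: User, target: User, role: str) -> bool:
    """True if set_role_safe allowed the change."""
    try:
        set_role_safe(current, target, role)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob, admin = User(1, "user"), User(2, "user"), User(99, "admin")
    print(get_invoice_vulnerable(alice, 101).amount)   # 9000: bob's invoice leaks
    print(can_read(alice, 100), can_read(alice, 101), can_read(admin, 101))
    set_role_vulnerable(bob, bob, "admin")
    print(bob.role)                                     # admin: self-promotion worked
    print(try_set_role(alice, alice, "admin"))          # False
```

The checks live next to the data access, not in the routing layer or the front end, so every path to the record goes through them; that is the property a manual tester probes by replaying the same request under a second, lower-privileged account.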
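The Identification and Authentication Failures item mentions compromised passwords and session tokens. The two most common implementation mistakes behind that are storing passwords under an unsalted fast hash and generating session identifiers that an attacker can predict. The following added example, not code from PKF Algosmic or from this page, shows each weak pattern beside a sound one using only the Python standard library; the sample passwords are constructed.

```python
"""Authentication and session management: unsalted fast hashing and
counter-based session IDs next to salted scrypt and CSPRNG tokens.
Added example, not PKF Algosmic code; the passwords are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# scrypt cost parameters: 128 * N * r bytes = 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password_vulnerable(password: str) -> str:
    """VULNERABLE: unsalted, fast hash. Equal passwords give equal digests, so
    one cracked hash unlocks every account sharing it, and a GPU tries
    billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password_safe(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """FIXED: per-user random salt plus a memory-hard KDF. Returns (salt, digest);
    the caller stores both. The salt argument exists only so tests can be
    deterministic; production callers let it default to random bytes."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)


_counter = 0


def session_token_vulnerable() -> str:
    """VULNERABLE: built from the clock and a counter. An attacker holding one
    token can enumerate the neighbouring values and hijack other sessions."""
    global _counter
    _counter += 1
    return f"{int(time.time())}-{_counter}"


def session_token_safe() -> str:
    """FIXED: 256 bits from the OS CSPRNG, URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(hash_password_vulnerable("hunter2") == hash_password_vulnerable("hunter2"))  # True
    s1, d1 = hash_password_safe("hunter2")
    s2, d2 = hash_password_safe("hunter2")
    print(d1 == d2)                                   # False: salts differ
    print(verify_password("hunter2", s1, d1))         # True
    print(verify_password("hunter3", s1, d1))         # False
    print(session_token_vulnerable(), session_token_vulnerable())
    print(session_token_safe())
```

In an assessment the weak patterns surface as identical hashes for users who chose the same password (when a database dump is available) and as session cookies whose value changes in a visible pattern between logins; both are findings on their own even before any account is taken over.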