Web Application and Web-API Penetration Testing

Complex web applications and APIs offer a variety of possible attack vectors and are therefore a popular target for attackers. To raise awareness of web application security, the Open Web Application Security Project (OWASP) maintains a list of the 10 most common vulnerability categories in web applications. The current version, the OWASP Top 10 of 2021, gives an insight into the dangers to which web applications are usually exposed:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery

In order to identify and eliminate such vulnerabilities, including zero-day vulnerabilities, we offer web application penetration tests (offensive security) carried out by our ISO 27001 and IEC 62443 certified consultants and lead auditors as well as our OSCP and OSWE certified pentesters. To ensure that all aspects of the application under test are covered, our approach is based on the OWASP Web Security Testing Guide (WSTG), which contains a large number of test modules for verifying the OWASP Application Security Verification Standard (ASVS). In addition, we always check the underlying IT infrastructure for open ports, other vulnerable services and weak TLS configuration.

OWASP Application Security Verification Standard (ASVS)

During a web application penetration test, we check your application for compliance with the 283 security controls defined in the OWASP ASVS. Depending on the protection requirements of your application, we test at level 1 (basic), level 2 (increased protection requirements) or level 3 (maximum protection requirements).
