With the uptake of cloud computing and the advancements in browser technology, web applications and web services have become a core component of many business processes, and therefore a lucrative target for attackers. Over 70% of websites and web applications, however, contain vulnerabilities that could lead to the theft of sensitive corporate data, credit cards, customer information and Personally Identifiable Information. Infinity Forensics examines your web applications for coding and implementation flaws, and also tests for issues such as SQL injection and cross-site scripting (XSS), including active exploitation of confirmed vulnerabilities to demonstrate the access an attacker could gain.
Scope and Methodology
Infinity Forensics uses tools from Acunetix, Rapid7 and HP Fortify for security assessments, together with a standards-based approach drawn from the Open Web Application Security Project Top 10 (OWASP Top 10) and the SANS Top 25 Most Dangerous Programming Errors (CWE/SANS).
OWASP Top 10 (Open Web Application Security Project)
| # | Category |
|---|---|
| 1 | Injection |
| 2 | Broken Authentication and Session Management |
| 3 | Cross Site Scripting (XSS) |
| 4 | Insecure Direct Object References |
| 5 | Security Misconfiguration |
| 6 | Sensitive Data Exposure |
| 7 | Missing Function Level Access Control |
| 8 | Cross Site Request Forgery (CSRF) |
| 9 | Using Components with Known Vulnerabilities |
| 10 | Unvalidated Redirects and Forwards |
SANS Top 25 Most Dangerous Programming Errors (CWE/SANS)
Insecure Interaction between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
| CWE ID | Name |
|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| CWE-434 | Unrestricted Upload of File with Dangerous Type |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) |
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
| CWE ID | Name |
|---|---|
| CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CWE-494 | Download of Code Without Integrity Check |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| CWE-676 | Use of Potentially Dangerous Function |
| CWE-131 | Incorrect Calculation of Buffer Size |
| CWE-134 | Uncontrolled Format String |
| CWE-190 | Integer Overflow or Wraparound |
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
| CWE ID | Name |
|---|---|
| CWE-306 | Missing Authentication for Critical Function |
| CWE-862 | Missing Authorization |
| CWE-798 | Use of Hard-coded Credentials |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| CWE-250 | Execution with Unnecessary Privileges |
| CWE-863 | Incorrect Authorization |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| CWE-759 | Use of a One-Way Hash without a Salt |