Definition
A web penetration test focuses on:
- Websites and
- web applications,
regardless of whether they are self- or externally hosted. Any type of website and web application can be tested, including extra-, intra- and internet accessible websites and web applications.
A pentester uses publicly available, commercial and self-developed frameworks and tools to thoroughly analyze the vulnerabilities and exploitation potential of the tested website or web application. It goes without saying that we follow the current and regularly updated standards for web security, such as the OWASP Top 10 (Open Web Application Security Project).
Requirements
To ensure that a penetration test can be carried out smoothly and successfully, some organizational and technical preparations must be made.
Scope
With the introduction of the hacker paragraph (§202c StGB), an “ethical hacker” is obliged to define the test scope with the client in advance.
Intensity
Penetration tests can be designed differently and more or less invasively depending on the situation. DriveByte offers three intensities for penetration tests defined by the BSI.
Location
The test location must be defined for individual test objects or for the project in general. In most cases it is possible to check all test objects via the Internet during penetration tests by using a “jump host”, so the physical presence of a pentester is not necessary.
Conditions
Various test conditions can be defined for all or individual test objects. The test conditions can be defined by the customer and bindingly recorded in the template.
Timeline
A regulated and pre-defined test period is a prerequisite for the efficient execution of a penetration test. Depending on the customer's wishes and the availability of the service provider, the customer sets a binding test period in the template.
Responsibilities
For a successful penetration test, the client and contractor must define who is responsible for the project to be carried out. A project manager and a technical contact person must be defined on the client's side.
Procedure
DriveByte recognizes the Penetration Testing Execution Standard PTES as a reference framework for the execution of penetration tests. The PTES consists of seven main sections:
startPre-Engagement
searchIntelligence Gathering
crisis_alertThreat Modelling
bug_reportVulnerability Analysis
dangerousExploitation
dynamic_feedPost-Exploitation
summarizeReporting
Documentation
The vulnerabilities found are grouped according to criticality and affected sub-test objects and documented in detail. DriveByte uses the widely used Common Vulnerability Scoring System CVSS 4.0 to assess the vulnerabilities found.
descriptionDescription of Scope
listList of Test Conditions
shortcutExecutive Summary
startProcedure Description
terminalVulnerability Listing
flagRecommended Countermeasures
Do you know how secure your web application is?
Identify security gaps in your web application and avoid costly consequences. Arrange a free consultation now.
Frequently asked questions
We will answer the most important questions in advance so that you are well informed.
What does a web penetration test cost?
What are black, white and grey box penetration tests?
How long does a web penetration test take?
Will a penetration test affect business operations?
What are the prerequisites for a penetration test?
How does the penetration test differ from the vulnerability analysis?
What happens if a security vulnerability is found?
Is a penetration test a one-off measure?
Is there a final report following the test?