Penetration Testing Methodology
LEAN SECURITY uses a comprehensive penetration testing methodology to assess the security of the web application and identify its security risks. The methodology is based on OWASP and NIST recommendations.
Discovery phase
LEAN SECURITY uses a combination of automated and manual tools to discover the content of the web application and map its threat landscape. The tools used include Burp Suite, the Qualys web application scanner and Google searches.
Vulnerability Identification
Various tools and techniques are used to discover vulnerabilities within the target web application. The servers were scanned using Acunetix, a highly regarded web application scanner that iterates through each page of the application and identifies common classes of security vulnerabilities. The types of vulnerabilities that Acunetix commonly detects include:
· Cross-Site Scripting
· SQL Injection
· XPath Injection
· Header Injection
· File Inclusion vulnerabilities
· Directory Traversal vulnerabilities
Another web application scanner used during testing was Burp Suite, which was applied in a more targeted way to support the manual testing of the application.
All vulnerabilities identified by automated testing were manually verified to confirm that they are genuine. Findings determined to be false positives have not been included in this report.
Manual Penetration Testing
Each application was then manually audited by an experienced penetration tester with the assistance of penetration testing tools such as Burp Suite. The audit sought to identify not only common classes of security vulnerabilities, but also vulnerabilities specific to the application itself, such as flaws in its business logic and access control that automated scanners cannot detect.