Penetration Testing Methodology

LEAN SECURITY uses a comprehensive penetration testing methodology to assess the security of web applications and identify their security risks. The methodology is based on OWASP and NIST recommendations.

Discovery phase

LEAN SECURITY uses a combination of automated and manual tools to discover the content of the web application and map its threat landscape. Tools used include Burp Suite, the Qualys web application scanner and Google searches.

Vulnerability identification

Various tools and techniques are used to discover vulnerabilities within the target web application. The servers were scanned using Acunetix, a highly regarded web application scanner that iterates through each page in the application and identifies common classes of security vulnerabilities. The types of vulnerabilities that Acunetix often picks up include:

· Cross-Site Scripting
· SQL Injection
· XPath Injection
· Header Injection
· File Inclusion vulnerabilities
· Directory Traversal vulnerabilities

Another web application scanner used during testing was Burp Suite, which was applied in a more targeted way to support manual testing of the application.

All vulnerabilities identified by automated testing were manually verified to confirm they are genuine. Findings determined to be false positives have not been included in this report.

Manual Penetration Testing

Each application was then manually audited by an experienced penetration tester, assisted by penetration testing tools such as Burp Suite. The audit aimed to identify not only common classes of security vulnerabilities, but also vulnerabilities specific to the application itself, such as flaws in its business logic.