Application penetration tests

Web applications are the most frequent source of sensitive data leaks.

Solution description

We perform penetration testing of APIs, web, mobile or desktop applications. We test according to the OWASP methodology, which includes more than 90 security areas and our best practices.

Applications are undoubtedly the foundation of business. When developing applications, the primary focus is on functionality, appearance and certainly price. Therefore, applications are recommended to be tested both before deployment to production and regularly during their use. Some security flaws stem from faulty application design.

Main test scenarios

  • Checking for data leaks.
  • Options for introducing malicious code.
  • Abuse / theft of user identity.
  • Unauthorized access to the system and data.
  • User account protection, password policy, account locking, registration process or existence of test accounts.
  • Options to bypass or break the functional logic of the application.
  • Static analysis of a binary application.

The most common findings

  • Injection - smuggling malicious code, stealing databases.
  • Insufficient security for user accounts.
  • Cross-Site Scripting (XSS) - obtaining login data.
  • Insufficient user rights verification for important actions.
  • Non-updated SW, exploitation of known vulnerabilities.
  • Transmission of sensitive data over an insecure channel, storage in open form.

Black box testing

  • The submitter provides only the URL of the web application.
  • The tester maps the environment using the same methods as a hacker without the organization's know-how.
  • More time consuming than white box testing.

White box testing

  • The client provides source codes, accounts with administrator rights and documentation.
  • This testing specializes in deeper application issues such as dangerous sub-vulnerability strings and application logic errors.

Mobile app testing (iOS & Android)

Mobile apps are a known weakness of information systems.

By penetration testing mobile apps, companies can gain insight into source code vulnerabilities, bottlenecks, and attack vectors on these apps.

We test both Android and iOS platforms.

Main test scenarios

  • Focus on the possibility of data leakage and misuse in the phone / tablet.
  • Checking the security of communication between applications and servers.
  • Attacks carried out from the public environment and the Internet.
  • Focus on Android and iOS platforms.
  • Methodology and recommendations according to OWASP.
  • Reverse Engineering - application code analysis.

The most common findings

  • Insufficient authorization against API.
  • Weak security against MITM (Man In The Middle) attacks.
  • Access data stored in the application code.
  • Insufficient security of sensitive data stored on mobile devices.

Evaluation of penetration tests

Each penetration test is followed by a phase of documenting the entire test process, describing any vulnerabilities found and rating their severity according to the CVSS classification. 

This is the technical part of the report, which is intended for security managers, engineers and application developers, where for each vulnerability a recommendation is also given on how to prevent or solve the problem.

At the end of the report, you will find a management summary that explains in an understandable way to the company’s management the vulnerabilities and security gaps found, their severity and ways to fix any problems.

On request, we can send you a sample of the resulting report. 

Interested?

We can send you a sample of our work – a test report.

Consultation -> non-binding offer.

We will be happy to talk to you online or in person at our offices in Prague, Brno or Bratislava.

U Sluncové 666/12a
186 00, Praha 8
Czech Republic

IČO: 24216941 / DIČ: CZ24216941

info@integra.cz

+420 214 214 602

copyright © 2018 – 2021
Integra Czech Republic, s.r.o.
All rights reserved
Ethics and Anti-Corruption Policy