Web applications are now an integral part of every organization, and they represent a high-value target for adversaries. The Web Application Pentest is structured around the current OWASP Top Ten, so your application is tested against the most prevalent and highest-impact classes of web vulnerabilities. The goal is that the highest-risk vulnerabilities are discovered and mitigated before attackers can exploit them; a penetration test is a point-in-time assessment, not a guarantee that no vulnerabilities remain.
Testing Approach
- Broken Access Control
- Cryptographic Failures
- Injection Attacks
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Business Case
Tripla Consult evaluated the eBank application of Braavos (a fictional client) through a web application penetration test.
It was found that the Braavos eBank application lacks input validation on critical functions. Malicious actors could abuse these vulnerabilities to read plaintext passwords, credit card numbers and application source code. The findings have a high impact on confidentiality, integrity and availability (CIA) and could directly affect Braavos' brand and its customers.
Additionally, verbose error messages and leftover test/default credentials indicate improper separation between the development and production environments.
Blog articles
- Trying to bypass authentication in Portainer 1.24 Web UI
- Multiple vulnerabilities in nodejs ecstatic/http-server (http-party)
- SonarQube projects source code scrapper
- homebridge-config-ui-x: default creds, authenticated cmd exec and LFI
About me
My name is Andrei Agape. I am an offensive security researcher and freelancer with several years of experience working for companies in Europe, Asia and the USA.
My qualifications and achievements include:
- Offensive Security Certified Professional (OSCP)
- Certified Red Team Professional (CRTP)
- Certified Red Team Azure Professional (CRTAP)
- Researcher and member of Synack Red Team
- Azure Cloud Contributor at hackingthe.cloud
- Mentor and trainer on Mentorcruise
- Guest lecturer for the Board of European Students of Technology (BEST)