Application Testing

Experience & Approach

With over ProCheckUp's 23 years at the forefront of web application auditing, we've witnessed the evolution of web application functionality and complexity, as well as the diverse platforms that have emerged. To keep pace with these challenges, our services have expanded to cover everything from standard web browser applications to mobile and thick client applications, all the way to web service APIs.

Our auditing process stands out because of our manual approach, enriched with cutting-edge tools. We firmly stand by the belief that tools alone are not enough—many nuances can be overlooked. Hence, our highly-qualified penetration testing experts lead the charge.

It's not just about ticking off vulnerabilities from a list. We emphasize the importance of truly understanding each application before jumping into testing for standard vulnerabilities like the OWASP top 10,This initial phase is crucial. Our experts formulate a tailored attack plan, pinpointing areas that require keen focus. Through this, we ensure maximum coverage and zoom in on potential hotspots most likely to be targeted by attackers.

In addition, we pride ourselves on our collaborative approach. We engage with our clients throughout the scoping process, ensuring their specific concerns are addressed.

Web Application Testing

Whether we're working remotely or directly at the client's site, our web application tests are bespoke, tailored to the unique technologies and functions of each application. But while each assessment is distinct, at their core, our evaluations encompass:

  • Reconnaissance and Application Content Discovery
  • Authentication, Session Management, and Data Protection
  • Authorization and Input Validation Techniques
  • Information Leakage Monitoring
  • Checking for Known Software Vulnerabilities
  • Infrastructure Configuration Analysis

At the end of every engagement the client is provisioned a final deliverable of a full technical report which will include full details of all potential vulnerabilities identified (along with recommended remediation steps) as well as an executive summary (management) section which includes a high-level description of the higher-impact security issues identified.

Mobile application testing

Mobile applications bring a new set of challenges due to their distinct architecture and user environment. Our goal for this service is to scrutinize these applications for potential security lapses, configuration pitfalls, and deviations from security best practices.

Differentiating from Web application testing, mobile assessments primarily center on the application's inherent processing and functionalities. For every engagement, our consultants examine:

  • Local Data Management
  • Techniques against Reverse Engineering
  • Session Maintenance Protocols
  • Data Transfer Security
  • Monitoring of Running Processes
  • App Filesystem Access Restrictions
  • Input Validation Measures
  • Surveillance of Known Vulnerabilities

At the end of every engagement the client is provisioned a final deliverable of a full technical report which will include full details of all potential vulnerabilities identified (along with recommended remediation steps) as well as an executive summary (management) section which includes a high-level description of the higher-impact security issues identified.

Thick client testing

Thick client applications demand an acute awareness of their internal mechanisms, given their reliance on localized processing and functions. Our service is designed to uncover vulnerabilities, configuration oversights, and best practice misalignments specific to these compiled applications.

Parallel to our approach with mobile apps but with nuances for thick clients, we delve into:

  • Local Data Protocols
  • Counteracting Reverse Engineering
  • Session Integrity
  • Ensuring Secure Data Transfers
  • Overseeing Running Operations
  • Application Filesystem Dynamics
  • Stringent Input Validation
  • Tracking Known Vulnerability Exploits

At the end of every engagement the client is provisioned a final deliverable of a full technical report which will include full details of all potential vulnerabilities identified (along with recommended remediation steps) as well as an executive summary (management) section which includes a high-level description of the higher-impact security issues identified.

Web service API testing.

API testing is intricate and requires a meticulous approach. With a capped limit on how many variables can be evaluated daily, it's paramount that we deeply understand the API interfaces in question.

To foster this understanding, we initiate with scoping queries, gauging the extent and complexity of the services. We also necessitate an API client or sample raw requests with their corresponding data schematics.

Our testing covers both external and internal web services. For internal services, we use dropboxes or NAT configurations, ensuring that only our IPs gain access.

Discovery Mapping 

Understanding your digital landscape is the first step in robust security. If you're uncertain about the types of web services your infrastructure exposes to the Internet, ProCheckUp can guide you. With our specialized web service identification process, we don't just detect services on prevalent ports; we go a step further to pinpoint the API endpoints and ascertain available methods

Enumeration 

Once your web services are brought to light, our task shifts to thorough enumeration. If needed, the services undergo crawling to map out all accessible content. This phase is crucial, as we track dynamic content, user inputs, and application variables, creating a foundation for subsequent phases.

Authenticated Testing 

Some application vulnerabilities are hidden behind authentication barriers. ProCheckUp ensures that our testing tools can bypass these barriers, granting access to content reserved for authenticated users. By doing this, we maintain the completeness of our evaluation, ensuring no stone remains upturned.

Testing Dynamics

With a clear map in hand and authentication barriers crossed, we initiate the penetration testing. Our focus encompasses common web service API vulnerabilities, prominently including the challenges listed in the OWASP Top 10.

Customizing our approach based on the specific tech and functions of your application, we consistently assess:

  • Potential Username Enumeration
  • SQL & XML Injection Vectors
  • 2nd/3rd Order CROSS SITE SCRIPTING (XSS) Attacks
  • Login Manipulation Attempts
  • Account Lockout Scenarios
  • Buffer Overflow Possibilities

False Positives 

Not all vulnerabilities detected during testing may pose a genuine threat. Post-testing, our consultants meticulously sift through the findings. Every potential issue undergoes a rigorous verification process, ensuring you're not bogged down by false alarms. If evidence backing a finding is deemed insufficient, or if an issue is anticipated to be a false positive, further investigations are triggered to confirm the anomaly.

Need Help?

If you have any questions about cyber security or would like a free consultation, don't hesitate to give us a call!

Our Services

Keep up to date!

Subscribe to our newsletter. Keep up to date with cyber security.


FOR MORE INFORMATION PLEASE CONTACT US

Smiling Person

ACCREDITATIONS