Startup WAPT

1,000.00

Web App Pen Test

  • Small Dynamic Websites
  • Presentational Websites
  • Audit Small part of a Web App
  • Business Websites
  • WordPress
  • Drupal
  • Few Third-Party Plug-Ins



Description

Web Application Penetration Testing (WAPT)

Security Assessment

  • Full Customization of Testing
  • Web Application Penetration Testing:
      • SANS Top 25 Full Coverage
      • OWASP Top 10 Full Coverage
      • PCI DSS 6.5.1-6.5.11 Full Coverage
      • AI to Augment Human Testing and Analysis
      • Machine Learning to Accelerate Testing
      • Authenticated Testing (2FA / SSO)
      • REST/SOAP API Testing

Reporting

  • Threat-Aware Risk Scoring
  • Tailored Remediation Guidelines
  • Web Interface, PDF and XML Formats
  • PCI DSS and GDPR Compliance
  • CVE, CWE and CVSSv3 Scores
  • Zero False-Positive SLA

Security Reporting Standards

  • Common Vulnerabilities and Exposures (CVE) Compatible
  • Common Weakness Enumeration (CWE) Compatible
  • Common Vulnerability

Remediation

One round of Patch Verification Testing


Covered Vulnerabilities

OWASP Top 10

  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures
  • Server-Side Request Forgery

SANS Top 25

Full Coverage of SANS Top 25 for all packages

  • CWE-22: Path Traversal
  • CWE-78: Command Injection
  • CWE-79: Stored XSS
  • CWE-79: Reflected XSS
  • CWE-79: DOM-Based XSS
  • CWE-89: SQL Injection
  • CWE-89: Blind SQL Injection
  • CWE-90: LDAP Injection
  • CWE-91: XML Injection
  • CWE-93: CRLF Injection
  • CWE-94: Code Injection
  • CWE-94: AJAX Injection
  • CWE-94: JSON Injection
  • CWE-97: SSI Injection
  • CWE-98: Remote/Local PHP File Inclusion
  • CWE-113: HTTP Response Splitting
  • CWE-200: Information Exposure
  • CWE-255: Credentials Management
  • CWE-284: Improper Access Control
  • CWE-287: Authentication Bypass
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-384: Session Fixation
  • CWE-400: Resource Exhaustion
  • CWE-434: Arbitrary File Upload

PCI DSS

  • Injection Flaws
  • Buffer Overflows
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Improper Error Handling
  • Several other “High” Risk Vulnerabilities
  • Cross-Site Scripting (XSS)
  • Improper Access Control
  • Cross-Site Request Forgery (CSRF)
  • Broken Authentication and Session Management

Security Assessment Methodologies

WAPT Assessment Methodologies

  • OWASP Testing Guide (OTGv4)
  • NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
  • PCI DSS Information Supplement: Penetration Testing Guidance
  • FedRAMP Penetration Test Guidance
  • ISACA’s How to Audit GDPR
