Application Penetration Testing

Whether your organisation develops web, mobile, or desktop applications in-house or works with third parties, time constraints and a lack of awareness of secure software development practices often result in an application with the potential to put your organisation's information and systems at risk of compromise.

Centurion provides a thorough security assessment using its own application testing methodology, based on Centurion's independent security research, prior experience from testing thousands of applications, and industry best practices including:

  • The Open Web Application Security Project (OWASP) Testing Guide
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • The Web Application Hacker’s Handbook
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • CERT Secure Coding Standards

We combine our expert knowledge with an understanding of business impact to produce reports that are relevant, reproducible through complete technical details, and provide assurance that the application adheres to security best practices.

All types of applications can be susceptible to security weaknesses, ranging from weak password policies to vulnerabilities that allow attackers to gain full control of the application's supporting system. Centurion offers application penetration testing services for a wide range of applications including:

  • Web applications and web services
  • Mobile applications for iOS (iPhone/iPad) and Android
  • Java clients and applets
  • Windows desktop and Unix/Linux applications

Centurion provides application penetration testing services targeted at any type of application including web applications, web services, mobile applications, Java clients, and traditional desktop applications.

Centurion's skilled security consultants apply a manual approach to the identification and exploitation of the application's security vulnerabilities, exploring and analysing application functionality rather than relying on scanner output. Automated tools are used where appropriate to reduce the time required to discover easily identified vulnerabilities.

Centurion exposes business risk by going far beyond popping up message boxes through JavaScript alert functions to highlight Cross-Site Scripting (XSS) vulnerabilities. We apply our application penetration testing experience to bypass custom-developed input filters and demonstrate the risk of not implementing a whitelist for proper input validation. Our approach validates the impact of the vulnerability to the organisation with a range of attack scenarios, from a simple reflected defacement that damages the organisation's reputation, to demonstrated attacks against other users of the web application through the exploitation of client-side vulnerabilities.
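The contrast drawn above, between a hand-rolled filter that strips known-bad tokens and a whitelist (allowlist) with output encoding, is illustrated by the following added example. It is not Centurion's code or methodology; the field name, regular expression and sample inputs are constructed for illustration.

```python
"""Allowlist validation and output encoding versus a custom blacklist filter.

Added example (not from the original page). Shows why deleting known-bad
tokens from input is weaker than validating against an allowlist and
encoding on output: a single-pass filter leaves a nested token intact,
while the allowlist rejects the input and the encoder neutralises it.
"""
import html
import re

# Constructed sample inputs, as submitted to a hypothetical "display name" field.
SAMPLES = {
    "benign": "Alice Smith",
    "plain_script": "<script>alert(1)</script>",
    # Nested token: removing the inner "<script>" once reassembles the outer one.
    "nested_script": "<scr<script>ipt>alert(1)</script>",
}


def naive_blacklist_filter(value: str) -> str:
    """A typical custom input filter: delete the literal tags in one pass."""
    return value.replace("<script>", "").replace("</script>", "")


# Allowlist for the constructed field: letters, digits, space, hyphen,
# apostrophe; 1 to 64 characters. Anything else is rejected outright.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 '\-]{1,64}$")


def validate_display_name(value: str) -> bool:
    """Accept only values matching the allowlist; do not try to 'clean' them."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def render_html(value: str) -> str:
    """Context-aware output encoding for an HTML text node.

    Applied regardless of whether the input was validated, so a gap in
    validation elsewhere does not become script execution in the browser.
    """
    return "<span>" + html.escape(value, quote=True) + "</span>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used below to compare the three approaches."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        filtered = naive_blacklist_filter(value)
        print(f"{name:14} blacklist-> {filtered!r} "
              f"(script tag left: {contains_script_tag(filtered)})")
        print(f"{'':14} allowlist accepts: {validate_display_name(value)}")
        print(f"{'':14} encoded   -> {render_html(value)!r}")
```

Running the block shows the blacklist filter turning the nested sample back into a complete `<script>` tag, the allowlist rejecting both hostile samples while accepting the benign one, and the encoder producing markup with no live tag in any case. Validation decides what the application accepts; encoding decides how it is rendered; the two are separate controls and both should be present.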

Injection vulnerabilities are dissected, analysed, and pushed to their limits by exploiting weak permissions in application databases and filesystems to create web shells capable of providing command execution and remote control of the system hosting the application. Once we have gained access to a system within your organisation's network, we perform network reconnaissance to discover other accessible systems that could be used to transition past the DMZ and further into the core network. This provides a real-world attack scenario to ensure that Internet-facing applications and systems are properly segregated and capable of containing a successful compromise.
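The injection class referred to above comes down to a query built by string concatenation versus one that keeps data and code separate. The following added example (not Centurion's code; table, rows and inputs are constructed) runs both forms against an in-memory SQLite database so the difference is observable rather than asserted.

```python
"""SQL injection: concatenated query beside its parameterised form.

Added example (not from the original page). Uses an in-memory SQLite
database with constructed rows so it runs offline. The concatenated
lookup lets a crafted username change the query's logic; the
parameterised lookup treats the same string purely as data.
"""
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Create a constructed users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("carol", "admin")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable form: user input is spliced into the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened form: the driver binds the value; it can never alter the query."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = seed_db()
    # Constructed inputs: one ordinary name, one that closes the quote and
    # appends an always-true condition.
    for value in ("alice", "' OR '1'='1"):
        print(f"input {value!r}")
        print("  concatenated  ->", lookup_concatenated(db, value))
        print("  parameterised ->", lookup_parameterised(db, value))
```

With the ordinary input both functions return the single matching row. With the crafted input the concatenated query returns every user, because the condition it was given is now always true, while the parameterised query returns nothing, because no user is literally named `' OR '1'='1`. Parameterisation is the fix for the injection itself; the database account's permissions and the host's filesystem permissions, which the page mentions as the path from injection to a web shell, are a separate least-privilege control and should be reviewed alongside it.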

How We Can Help

Once we have identified vulnerabilities within the target application, we work closely with developers to ensure the effective implementation of security controls that address them. We recommend appropriate working solutions tailored to your organisation's unique requirements, not just another band-aid fix that blocks the specific malicious input we found.