This website uses cookies. View our cookie policy
United Kingdom
Select regional store:

  Web application penetration testing

Web applications often process and/or store sensitive information, including credit cards, personally identifiable information (PII) and proprietary data. Applications are a vital business function for many organisations, but with that functionality lies risk.


Mitigate the risk of web attacks with penetration testing

It has never been easier or less expensive to develop and deploy a great website. The easy availability of web applications and services makes it possible for individuals, small businesses and enterprises to assemble rich, full-featured platforms from components in a way that was unimaginable a decade ago. Unfortunately, the widespread use and availability of these tools makes them attractive to hackers who can compromise your site by seeking out and attacking vulnerable web application deployments.

The security of your web applications is of paramount importance to business continuity and integrity. Although traditional firewalls and other security controls are an important security layer, they can’t defend against or alert you to many of the attack vectors specific to web applications.

Penetration testing provides visibility of the risks associated with application vulnerabilities.

View our Web Application Penetration Test >>


Content management systems (CMSs) are targets for attack

Open-source CMSs are popular with website owners and developers, but that popularity has long made them a target for attackers. The sheer quantity of CMS-based sites makes them natural targets for spammers and cyber criminals who compromise legitimate websites to freely host their own malicious content. And since so many sites are based on the same code, finding just one vulnerability can mean compromising all of them, a practice that blackhat hackers apply to any type of platform. WordPress is the most widely used CMS on the Internet, but for years it has been successfully targeted by hackers. In February 2017, hackers defaced more than 1.5 million WordPress pages, and other vulnerabilities of the company’s CMS are frequently identified.


Why is testing web applications so important?

As with most security issues involving client/server communications, web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer.

The very nature of web applications – their ability to collate, process and disseminate information over the Internet – exposes them in two ways:

  • Firstly, they have total exposure by nature of being publicly accessible. This heightens the requirement for hardened code.
  • Secondly, they process data elements from within HTTP requests – a protocol that can use a myriad of encoding and encapsulation techniques.

A common objective of application penetration testing is understanding how the application deals with data entered by the user. This is known as input validation. If the application cannot filter out unexpected input from users, it can potentially be controlled by the hacker.

Other problem areas identified during a test include weak passwords and poorly implemented access controls. A trusted resource for understanding what can go wrong is provided by OWASP.

View the OWASP Top 10 Application Security Risks (2017) here.


What can you expect from a web application penetration test?

IT Governance’s testing portfolio covers a wide range of applications, including web and web service applications and mobile apps. Our CREST-certified testers will assess the key components of your web applications and supporting infrastructure, including how these components are deployed and how they communicate with users and server environments.

Our testing approach

Combining a series of manual assessments with automated scans, our team can assess the true extent of your system or network’s vulnerabilities.

IT Governance’s approach adopts the use of open source and commercial tools to conduct web application testing. All of our testing is in line with OWASP v4 (2014) – the standard for web application penetration testing.

What will my test cover?

  • A range of manual tests closely aligned with the OWASP methodology.
  • A series of automated vulnerability scans.
  • Immediate notification of any critical vulnerabilities to help you take action quickly.
  • A detailed report that identifies and explains the vulnerabilities (ranked in order of significance).
  • A list of recommended countermeasures to address any identified vulnerabilities.
  • An executive summary that explains what the risks mean in business terms.

Web application penetration testing