VerSprite's Web Application Security Services Go Beyond OWASP's Top 10


Web Application Security

VerSprite's Cybersecurity Experts Go Beyond the OWASP Top 10

Web Application Penetration Testing Substantiates Identified Vulnerabilities, Threats, and Attack Patterns

VerSprite's web application penetration testing goes beyond the OWASP Top 10 and standard software vulnerabilities. Tactical, offensive, and adversarial attack patterns are applied as part of our PASTA threat modeling approach, so the penetration test reflects realistic abuse cases based on the industry, application type, architecture, and data model of the application.

Each VerSprite web security assessment reviews the overall application and interfaces, which include the following:

  • Target Evaluation – VerSprite’s BlackOps pen testers evaluate and analyze the application for known and unknown security vulnerabilities from the perspective of an anonymous user and a credentialed user.
  • Review & Execute on Application Threat Model – VerSprite conducts a detailed analysis of technologies, functionality, and data entry points to identify areas in the API that could be flawed and would carry a higher level of impact if abused. Our AppSec team reviews the overall application architecture and evaluates data flows and trust boundaries for the APIs in scope.
  • Threat Based Testing – For each such use case, such as anonymous and credentialed users, VerSprite applies a threat model to substantiate the most probable attack patterns and scenarios that the API and associated methods will face.
  • Attacking Application Logic – VerSprite consultants enumerate and locate client-side controls (e.g., input validation implemented in JavaScript) and attempt to subvert the API logic that relies on them, and also identify and attempt to abuse any multistage processes, trust boundaries, and transaction logic.
  • Attacking Access Handling for Anonymous Use Case – VerSprite consultants attempt to gain access by identifying weaknesses in an API's endpoint authentication logic, including, but not limited to, brute-force techniques, abuse of password reset and "remember me" functionality, or complete authentication bypass using techniques such as an SQL injection payload.
  • Attacking Access Handling for Credentialed Use Case – Our pen testers use the credentialed user to evaluate and analyze which use cases could be abused during both anonymous and authenticated sessions, attack and test the API's session handling mechanisms, attempt horizontal and vertical privilege escalation, and test the API's authorization model and implementation. Our goal is to reach administrative functions that may be exposed outside of the application.
  • Attacking Input Handling – VerSprite uses a variety of manual techniques and commercial tools to test input-related weaknesses in the application. Applications are fuzzed for vulnerabilities such as cross-site scripting, SQL injection, and path traversal.
  • Attacking Web Services – VerSprite performs penetration testing that reflects realistic abuse cases based upon the industry, application type, architecture, and data model of the application.

We are an international squad of professionals working as one.
