Gain Visibility Over Your Application’s Threats

Cybra offers a full suite of web application penetration testing services in Australia.

What is a web application penetration test?

A web application penetration test is the ethical hacking of an organisation’s web-based applications, such as corporate websites and customer portals. If it can be accessed by a browser or an API, it can be tested.

The test emulates an internet-based attacker or internal malicious user and utilises current attack techniques and methods.

Web application penetration test pricing

Web application penetration tests are scoped based on the size and complexity of the application, how many user roles are supported, and how many functions and APIs are in use.

Cybra walks through these details with you during scoping. The scope can be refined based on the customer’s requirements and budget.

Dangers of web application penetration tests

All penetration testing has a chance of adversely affecting systems, but this is very rare. All systems and networks should have adequate bandwidth and system resources before commencing.

Benefits of web application penetration tests

The assessment identifies security flaws and vulnerabilities in web applications so that the customer can fix them before a malicious actor takes advantage of them.

What applications can be tested?

Any application that can be accessed by a web browser or an API can be penetration tested, including corporate websites, customer portals and CRMs.

Out of scope

Unless required by the customer, Denial of Service (DoS) is strictly out of scope for external penetration testing.

Approach

Web application testing is conducted by experienced security consultants using specialised software and tools remotely over the internet or onsite, simulating a malicious attacker who is attempting to compromise the application, its users and its data.

Types of web attacks

Web application pentests cover a range of cyber attacks, such as:

  1. Authentication attacks (brute force, password spraying)
  2. Authorisation bypasses
  3. Account takeovers
  4. Information disclosures
  5. Injection vulnerabilities (XSS, SQLi, SSRF etc.)
  6. Configuration weaknesses
  7. Cryptography weaknesses
  8. Vulnerability exploitation
  9. Business logic attacks
Authenticated testing

Web application testing can be conducted as an unauthenticated user or as an authenticated user.

For the best coverage and better results from the penetration test, it is recommended to test every type of user account or role the application supports.

Tools

Various open-source and commercial software and scripts are deployed during a web application penetration test.

Some examples are web proxy tools, vulnerability scanners, port scanners, brute force tools, exploitation frameworks and protocol analysers.

Firewalls/WAFs

While firewalls and WAFs are effective at mitigating some of the risks of exposing systems to the internet, they can sometimes interfere with penetration testing results. For the best outcome, Cybra will request to be added to the allow-list of any such devices.

Detection / Monitoring

While not required, it is recommended to have some level of system and security monitoring in place during a penetration test. This allows the customer to observe how their systems react to a simulated attack, which provides valuable insights for the security team.

What is a pentest report?

After a penetration test, the observations, findings, results and recommendations are presented in a professional report hand-written by our experienced consultants.

Who is the report for?

The penetration test report is written so that it can be read by executives and the board, managers and technical staff.

Compliance objectives

Penetration test reports can be used as supporting evidence for relevant compliance frameworks.

What’s in the report?

The penetration test report includes an executive summary, technical summary, technical findings, vulnerability details and recommendations on how to remediate all identified issues.

What format is the report in?

The penetration test report is securely delivered to you in PDF format.

The report is professionally laid out so it is easy for the customer to navigate.

Retest reports

Cybra offers an optional service to retest any identified vulnerabilities after you have had a chance to fix the issues. This is known as a retest, and an updated report is provided to you showing all remediated and non-remediated issues.
