Minimize risks & increase the security of your web application with penetration tests
If web applications are not sufficiently protected, they risk becoming the target of potential hacker attacks. These place not only sensitive customer data in danger, but also internal company networks.
With the help of customized penetration tests (pentests), we support you in securing your web application in the best possible way against cyberattacks and data theft. Our experts review established security measures, determine specific risks and identify vulnerabilities.
Best possible protection of your web application against cyber attack
With penetration tests, we uncover vulnerabilities and potential security gaps in your web application before others do.
Detailed analysis of your application, also at network level
Using port and vulnerability scans, we also check the security of the underlying backend system (web server) of the web application.
Meaningful report including recommendations for action
All results are provided to you in the form of a detailed report, which also contains appropriate recommendations for action to eliminate the vulnerabilities found.
What is a web pentest?
A web pentest (web application penetration testing) is an IT security measure that is used to check the security of web applications.
The aim is to uncover existing security vulnerabilities and possible points of attack in the web application and in this way increase the security of the web application. The methods and means used are similar to those that real attackers would use.
Would you like to learn more? Please feel free to contact us!
Penetration tests for secure web applications: Your benefits at a glance
One step ahead of attackers
Pentests identify security gaps and vulnerabilities before criminals can exploit them for their own purposes.
Increase IT security, reduce risks
Pentests help you to improve the security of your web application & reduce attack risks.
Pentests based on recognized standards
Our experts check the security of your web application according to recognized standards and guidelines.
Trust among customers & business partners
An independent security analysis of your web application strengthens the trust of your customers & business partners.
Security at all web application levels
In addition to the frontend, our experts also check the security of the backend system (web server).
Concentrate on your day-to-day business
Focus on your business while our experts examine your application.
Continuous improvement
Penetration tests help you uncover potential for improvement in your web application.
Protection against financial & reputational damage
Prevention instead of remediation: Pentests help you to prevent attacks - and the associated damage.
Our services: 3 types of pentests for web applications
Spot Check – Level 1
Sample-based assessment of the security level of your application with regard to vulnerabilities.
Random sample / first assessment
Regular Pentest – Level 2
Analysis to assess security and to identify the most common risks and vulnerabilities for web applications.
For most applications
Advanced Pentest – Level 3
A more in-depth analysis that, in addition to Level 2, also identifies hard-to-exploit risks and vulnerabilities, in particular through additional test scenarios.
High security level
Procedure of a pentest against a web application
1. Preparation & Kickoff
Clarification of specific technical & organizational aspects as well as the preconditions.
2. Information Gathering & Analysis
Determination of fundamental information about the subject of the analysis.
3. Performance of Penetration Tests
Analysis of the selected web application on the basis of the collected information.
4. Final Report
Summary of all results of the analysis in the form of a final report.
Optional: Re-Test
Check whether the implemented improvement & defense measures work effectively.
What is examined
Access Control (Authorization) / User Separation: If access rights for authenticated users are not correctly implemented, attackers may be able to access functions or data of other users (e.g. by changing a record ID in a request).
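The following Python snippet is an added illustration of this item and is not code from the TÜVIT page: a record lookup that authenticates the caller but never checks ownership, beside the version that scopes the lookup to the authenticated user, plus the check a tester runs with one account to see which foreign records come back. The invoice store, user names and IDs are constructed for the demo.

```python
"""Added example (not part of the original page): horizontal access control.
The record store, user names and ids below are constructed for this demo."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: invoice id -> (owner user id, contents).
INVOICES: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "Invoice 1001: 120.00 EUR"),
    1002: ("bob", "Invoice 1002: 75.50 EUR"),
}


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Optional[str]:
    """Caller is authenticated (current_user is set) but the code never asks
    whether this user owns the invoice: any logged-in user can walk the ids."""
    record = INVOICES.get(invoice_id)
    return record[1] if record else None


def get_invoice_safe(current_user: str, invoice_id: int) -> Optional[str]:
    """Ownership is part of the lookup. A foreign id and a non-existent id
    both yield None, so the response does not reveal which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != current_user:
        return None
    return record[1]


def foreign_records_readable(handler: Callable[[str, int], Optional[str]],
                             current_user: str) -> List[int]:
    """Tester's check: with one account, request every known id and list the
    ones that belong to someone else yet are returned. Empty list = pass."""
    return [i for i, (owner, _) in INVOICES.items()
            if owner != current_user and handler(current_user, i) is not None]


if __name__ == "__main__":
    print("vulnerable leaks:", foreign_records_readable(get_invoice_vulnerable, "bob"))
    print("safe leaks:", foreign_records_readable(get_invoice_safe, "bob"))
```

In a real test the same idea is applied with two test accounts: every request issued as user A is replayed with user B's session, and any response that still returns A's data is a finding.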
Input & Output Validation: If user input is not sufficiently validated, injection vulnerabilities (e.g. cross-site scripting (XSS), XML external entities (XXE), SQL injection) can, among other things, result in data loss, data corruption or a system takeover (remote code execution). Targeted injection attacks are used to attempt to "smuggle" malicious code into the application.
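As an added example that is not part of the page, the snippet below shows the SQL injection case from this item against an in-memory SQLite table: a login query built by string concatenation, the classic tautology payload a tester sends to it, and the parameterised form that the same payload cannot alter. Table layout, account and payload are constructed for the demo.

```python
"""Added example (not from the original page): SQL injection in a login lookup.
The table, the account and the payload are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def render_vulnerable_query(name: str, password: str) -> str:
    """The SQL text the vulnerable version actually sends to the database."""
    return f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Untrusted input is pasted straight into the SQL text: quotes in the input
    # end the string literal and the remainder becomes part of the query.
    return conn.execute(render_vulnerable_query(name, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the SQL text,
    # so a quote in the input is just a character in the compared string.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Tautology payload used in the test: AND binds tighter than OR, so the
# vulnerable WHERE clause becomes (name='admin' AND password='') OR ('1'='1').
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable_query("admin", PAYLOAD))
    print("vulnerable login with payload:", login_vulnerable(db, "admin", PAYLOAD))
    print("safe login with payload:", login_safe(db, "admin", PAYLOAD))
```

During a test the payload is sent in every input that plausibly reaches a query (form fields, URL parameters, headers), and a login that succeeds without the real password, or a response that changes shape, is the evidence recorded in the report.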
Security-related Misconfiguration / Hardening: Through the use of components with known vulnerabilities, default accounts, unused (example or test) pages, misconfigurations, etc., it may be possible to gain unauthorized access to sensitive information or to the underlying system (web server).
Disclosure of Security-related Information (Information Gathering/Disclosure): Web pages and responses from web applications and web services may contain security-relevant information (e.g. version details) with the help of which attackers can circumvent security mechanisms and exploit vulnerabilities.
Analyses at the Network Level: The penetration test includes a network-level analysis of the web application’s web server (one IP address). Port scans, a check of the SSL/TLS configuration and vulnerability scans are carried out.
Authentication / Session Management: Authentication and session management errors may allow attackers to take over the identity of other users, e.g. by means of brute force attacks, weak session IDs or the use of insecure passwords.
Data Security: The web application must be configured so that it can only be reached over the intended, secured/encrypted communication paths, and access to resources and functions that are not required must be restricted (e.g. by means of cookie flags and HTTP security headers).
Business/Application Logic: In the case of multi-step business processes, it must be ensured that the implemented application logic cannot be misused (e.g. breaking out of the intended registration flow).
Cryptography / SSL and TLS: Information which is exchanged between the client of the user and the server must be sufficiently encrypted and protected. If there are vulnerabilities in the SSL/TLS configuration, for example, the probability increases that potential attackers can also read transmitted data (confidentiality), manipulate data (integrity) and impersonate a legitimate trusted party or service without authorization (authenticity) – and in this manner successfully carry out man-in-the-middle attacks, for example.
(Optional) Data Protection: Besides technical analyses, the Terms of Use (T&Cs) of a web application can also be reviewed with regard to data protection aspects.
Frequently asked questions (FAQ):
- Black box: Pentest without additional information
- Gray box (standard): Pentest with additional information, e.g. test access data and (API) documentation
- White box: Pentest with further additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data
The TÜVIT experts’ approach is aligned with the OWASP Application Security Verification Standard (ASVS), which describes fundamental security requirements for web applications, and with the OWASP Web Security Testing Guide (WSTG), which shows how the requirements from the ASVS can be verified. Furthermore, the OWASP Top 10 for web applications as well as the BSI’s Implementation Concept for Penetration Tests are taken into account.
The test duration depends on the selected type of analysis (Level 1 to 3) – see above. Regardless of the actual testing effort, a period of at least 1 week is scheduled for the Spot Check (Level 1) and at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) Pentest.
The costs depend on the type of check selected (levels 1 to 3) as well as the complexity of the subject of the check. A Spot Check is in the lower to mid four-digit range. The Regular Pentest is in the upper four-digit or lower five-digit range and the Advanced Pentest starts in the lower five-digit range. For an exact price indication we need more information about your web application.