Website Application Security Audits

Find vulnerabilities affecting web applications: SQL Injection, XSS, OS Command Injection, Directory Traversal and many more.

Accelerate your web application penetration testing

We combine advanced technical skills and tools with well-known methodologies such as the OWASP Testing Guide and the Penetration Testing Execution Standard to provide you with a clear view of your site's current situation and actionable recommendations for improving security.

Comprehensive security assessment for your website, SaaS, or e-commerce application

Don’t waste your time installing, configuring and running complex security tools. We have them all set up for you. Just tell us your target URL and we will do the rest.

You will receive a friendly report containing detailed vulnerability information, including risk description, evidence and recommendations for improvement.

We first crawl the target application, then send various inputs into the parameters of the pages, looking for specific web vulnerabilities such as SQL Injection, Cross-Site Scripting, Local File Inclusion, OS Command Injection and many more.

Furthermore, we look for sensitive files on the server, such as backup files, old files, admin interfaces, archive files, etc.

Authenticated Audit

We are also able to conduct assessments as an authenticated user in two convenient ways: User/Password Authentication and Cookie Authentication.

Our audit sends up to 10,000 HTTP requests to the target for a comprehensive security assessment.

Tests Performed

  • Fingerprint web server software
  • Analyze HTTP headers for security misconfiguration
  • Check the security of HTTP cookies
  • Check the SSL certificate of the server
  • Check if the server software is affected by known vulnerabilities
  • Analyze robots.txt for interesting URLs
  • Check client accesses and wildcard entries
  • Discover server configuration problems
  • Deep-Crawl website
  • Check for SQL Injection
  • Check for Cross-Site Scripting
  • Check for Local File Inclusion and Remote File Inclusion
  • Check for OS Command Injection
  • Check for outdated JavaScript libraries
  • Find administrative pages
  • Check for sensitive files (archives, backups, certificates, key stores, etc)
  • Find interesting files/functionality
  • Check for information disclosure issues

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • Overall risk level
  • Summary of findings
  • Risk ratings
  • Detailed explanation for each finding
  • CVSS score and link to CVE classification (e.g. https://nvd.nist.gov/vuln/detail/CVE-2017-7679)
  • Recommendations for each finding
  • Vulnerabilities are ordered by risk level

WordPress Vulnerability Audit

Since WordPress is a widely used platform, it often becomes a target for hackers.

Their attacks are facilitated by the high number of outdated WordPress installations and outdated plugins and themes. These old versions of WordPress components contain vulnerabilities and security weaknesses that can be exploited.

We conduct black-box vulnerability audits that perform multiple tests to identify security weaknesses in the target WordPress websites. We perform the assessment remotely and without authentication, simulating an external attacker who tries to penetrate the target website.

Tests Performed

  • Fingerprint the installed WordPress version
  • Show the vulnerabilities for the running WordPress version
  • Enumerate the installed plugins and their versions
  • Show the vulnerabilities for the identified plugins
  • Enumerate the installed themes and their versions
  • Show the vulnerabilities for the identified themes
  • Enumerate the WordPress users

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • All discovered plugins, themes and their versions
  • Vulnerabilities and exploits which affect each component
  • WordPress configuration issues (directory listing, backup files, etc)
  • WordPress fingerprinting information

Drupal Vulnerability Audit

This is a custom audit which implements all the security checks performed by known Drupal scanners such as CMSMap or Droopescan but also adds new security tests on top.

Our security audit performs a series of passive and active checks to identify the Drupal version, modules, themes and the current system configuration.

We check if your own installation of Drupal is updated and properly configured. We basically see how your Drupal installation looks from the perspective of an external attacker.

Furthermore, the Drupal core vulnerabilities are extracted from a local database which is periodically updated with the latest vulnerabilities which affect Drupal. The vulnerabilities are reported according to the identified Drupal version.

Tests Performed

  • Fingerprint the server software and technology
  • Fingerprint the Drupal installation
  • Find installed Drupal modules
  • Find the current Drupal theme
  • Search for vulnerabilities affecting the current Drupal version
  • Check for directory listing
  • Search for default install files
  • Verify the communication security (HTTPS settings)
  • Attempt user enumeration using Views module
  • Attempt user discovery using Forgot Password
  • Check if the login page is accessible
  • Check if user registration is enabled

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • Known vulnerabilities which affect the identified Drupal version (core and plugins)
  • Checks for known Drupal configuration issues
  • Detailed risk description and recommendations for improvement

Joomla Vulnerability Audit

This security audit connects to the target Joomla website and retrieves information from the HTML pages in order to fingerprint the Joomla version.

The enumeration of components, modules and templates is actively done by trying multiple known names.

Our tools also extract the vulnerability information from a frequently updated database of Joomla core and extensions and include it in the final report together with references for vulnerability details.

We perform a remote scan, without authentication, using a black-box approach. This simulates an external attacker who tries to penetrate the target Joomla website.

Tests Performed

  • Detect the installed Joomla version
  • Show the vulnerabilities which affect the identified Joomla version
  • Enumerate installed components and their versions
  • Show the vulnerabilities for the identified components
  • Enumerate the installed modules and their versions
  • Show the vulnerabilities for the identified modules
  • Enumerate the installed templates and their versions
  • Show the vulnerabilities for the identified templates

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • Joomla version and known vulnerabilities
  • Installed components, modules and templates
  • References for vulnerability details

SharePoint Vulnerability Audit

Our security audit connects to the target SharePoint server and tries to retrieve certain default pages that indicate the presence of the mentioned vulnerabilities.

Furthermore, the HTTP response headers received from the server are also analyzed to find security issues.

The SharePoint security assessment is performed remotely, in a black-box manner. The results of the scan should be interpreted from the perspective of an anonymous user who accesses the target website.

Tests Performed

  • Gather information about the SharePoint version installed
  • Analyze SharePoint configuration settings
  • Verify public exposure of SharePoint web services
  • Attempt to do user enumeration
  • Check permissions on default SharePoint _layouts, _catalogs and forms
  • Find public information (indexed by Google) about the target

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • SharePoint components with incorrect permissions
  • Details of SharePoint users (when they can be extracted)
  • SharePoint version installed and web server information
  • HTTP server headers and the SharePoint information leaked

SQL Injection Assessment

SQL Injection remains one of the most prevalent attacks used by hackers and a serious security threat to both individuals and companies.

SQLi is also one of the most well-known web application vulnerabilities, with a dedicated chapter in the OWASP Top 10 project, and is a highly sought-after vulnerability in bug bounty programs.

A common SQL injection attack happens when attackers insert malicious SQL statements into an HTTP (or HTTPS) request in order to change the behavior of the SQL statements created by the web application.

They do this by first finding a vulnerable user input within a web app and then crafting input content that serves as the malicious payload for the attack. The input provided by an attacker may include characters that interfere with the SQL syntax and result in arbitrary SQL queries being performed on the database.
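The mechanism described above, shown next to its fix, as an added example that is not code from this service. It uses SQLite (one of the databases named on this page) because it ships with Python; the table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory SQLite database with two constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def lookup_vulnerable(db, name):
    # Vulnerable: the input is concatenated into the SQL text, so a quote
    # character in `name` closes the string literal and the rest is parsed as SQL.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, name):
    # Hardened: the statement text is fixed and the driver binds `name` as data.
    query = "SELECT name, role FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

def compare(name):
    """Run the same input through both lookups and return both results."""
    db = make_db()
    return lookup_vulnerable(db, name), lookup_parameterized(db, name)

def breaks_syntax(name):
    """True when the input makes the concatenated query fail to parse."""
    try:
        lookup_vulnerable(make_db(), name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    # Constructed inputs: a normal name, a name that rewrites the WHERE
    # clause, and a legitimate surname that happens to contain a quote.
    for sample in ("bob", "bob' OR '1'='1", "o'brien"):
        if breaks_syntax(sample):
            print(repr(sample), "-> concatenated query is invalid;",
                  "parameterized:", lookup_parameterized(make_db(), sample))
        else:
            print(repr(sample), "->", compare(sample))
```

The parameterized lookup treats all three inputs as plain names, which is why bound parameters are the standard recommendation for this finding.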

Our security audit will scan the target URL containing SQL commands and check if the MySQL database has been exposed to any SQL injection vulnerability. It can perform a full SQL injection assessment of the target web application to detect vulnerabilities before the application is compromised.

Other popular relational database management systems (RDBMS) that are vulnerable to SQL injection are Microsoft SQL Server, Oracle, or SQLite. These are also covered by our security audits.

How this test is performed

Crawling the target:

In this first step, we try to identify all the pages within the target web application, including injectable parameters in login forms, URLs, headers, etc.

Accurate SQL injection testing:

During this phase, for each page discovered in the previous step, we will try to detect if the parameters are vulnerable to SQL Injection and report them in the results page.

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • A quick overview of the findings and their risk ratings
  • Detailed information for each finding with explanations about the vulnerable parameters and methods used
  • Each finding has an in-depth description of its risks and useful recommendations to fix these security flaws.
  • The vulnerabilities discovered are rated by the risk level shown in the report.

Cross-Site Scripting (XSS) Assessment

Cross-Site Scripting (XSS) is one of the most well-known web application vulnerabilities. It even has a dedicated chapter in the OWASP Top 10 project and it is a highly sought-after vulnerability in bug bounty programs.

The risk of a Cross-Site Scripting vulnerability can range from cookie stealing and temporary website defacement to injecting malicious scripts or reading sensitive page content of a victim user.

We conduct XSS detection with a couple of requests. First, we inject a simple string in the tested parameter and check if it is reflected back in the response page. If the parameter is reflected, we then inject a piece of JavaScript code, including some special HTML characters (>, <, ", '), and check whether they are returned in the response page without sanitization. If this is true, the page and parameter are declared vulnerable.
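The response-side half of that check, as an added example that is not this service's code: given a response body, it reports whether a probe was reflected and which of the four special characters came back unencoded. The probe marker and the three `render_*` handlers are constructed stand-ins for an application under test.

```python
import html
import re

SPECIAL = '<>"\''                      # the characters listed in the text above
PROBE_ID = "xssprobe7f3a"              # constructed marker, unlikely to occur naturally
PROBE = PROBE_ID + SPECIAL + PROBE_ID  # harmless probe: marker, characters, marker

def classify_reflection(body, probe_id=PROBE_ID):
    """Return (status, raw_chars) for the probe found in a response body.

    status is 'absent' (probe not reflected), 'neutralized' (reflected, but
    every special character was encoded or stripped) or 'raw' (at least one
    special character came back unchanged); raw_chars lists those characters.
    """
    marker = re.escape(probe_id)
    match = re.search(marker + r"(.*?)" + marker, body, re.S)
    if match is None:
        return "absent", ""
    reflected = match.group(1)
    raw = "".join(ch for ch in SPECIAL if ch in reflected)
    return ("raw" if raw else "neutralized"), raw

# Constructed handlers standing in for three ways a page can echo a parameter.
def render_raw(value):
    return "<p>Results for " + value + "</p>"

def render_escaped(value):
    return "<p>Results for " + html.escape(value) + "</p>"

def render_attr_partial(value):
    # Escapes < and > but not quotes: still unsafe inside an HTML attribute.
    return '<input value="' + html.escape(value, quote=False) + '">'

if __name__ == "__main__":
    for handler in (render_raw, render_escaped, render_attr_partial):
        print(handler.__name__, classify_reflection(handler(PROBE)))
```

The third handler shows why the quote characters are part of the check: escaping only the angle brackets still leaves an attribute context open.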

How this test is performed

Spider the target

In this first step, we try to identify all the pages in the web application, including injectable parameters in forms, URLs, headers, etc.

Test for XSS

For each page discovered in the previous step, we will try to detect if the parameters are vulnerable to Cross-Site Scripting and report them in the results page.

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • Summary of the findings and risk ratings
  • Each finding has a detailed explanation in terms of risk and recommendations
  • The vulnerabilities are ordered by the risk level

URL Fuzzing Service

The URL Fuzzer can be used to find hidden files and directories on a web server by fuzzing.

This is a discovery activity which allows you to discover resources that were not meant to be publicly accessible (ex. /backups, /index.php.old, /archive.tgz, /source_code.zip, etc).
Since ‘security by obscurity’ is not a good practice, you can often find sensitive information in the hidden locations identified by the URL Fuzzer.

The URL Fuzzer uses a custom-built wordlist for discovering hidden files and directories. The wordlist contains more than 1000 common names of known files and directories. For each WORD in the wordlist, it will make an HTTP request to Base_URL/WORD/, or to Base_URL/WORD.EXT if you choose to fuzz a certain EXTension.

How this test is performed

Base URL: This is the URL on the target server that will be fuzzed. All the requests will be done by using this value as the base URL.

Search for directories: We can also search for directories located at the base URL (optional)

Search for custom extensions: You can also specify multiple extensions that you want us to search for (up to 10 extensions per scan), including double extensions (ex. .php.old, .jsp.bak, .tgz, etc)

Search for common configuration files: We find common file names such as: .htaccess, .bashrc, .mysql_history, passwd and many more (about 4500 names)

Dynamic wordlist: We extend the default wordlist with words from the HTML page located at the base URL (optional)

Mutate found files: We can also apply various mutations to the identified files in order to find other resources (ex. config.php, config2.php, config_old.php, config-dev.php, etc)
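The same naming patterns can be checked from the server side before a fuzzer finds them. The following added example (not part of this service) walks a web root on disk and lists files that carry a backup or archive extension, or that are a mutation of a file sitting next to them. The extension list, the mutation pattern and the sample directory are assumptions built from the examples on this page.

```python
import os
import re
import tempfile

# Assumed lists, taken from the examples on this page; extend for your site.
RISKY_EXT = (".old", ".bak", ".tgz", ".zip")
MUTATION = re.compile(r"^(?P<stem>.+?)(?:\d+|[_-](?:old|dev|bak|backup))$")

def leftover_files(web_root):
    """Return sorted paths (relative to web_root) of likely leftover files."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        names = set(files)
        for name in files:
            stem, ext = os.path.splitext(name)
            m = MUTATION.match(stem)
            # A mutation only counts when the original file is in the same
            # directory, e.g. config2.php next to config.php.
            is_mutation = bool(m) and (m.group("stem") + ext) in names
            if name.lower().endswith(RISKY_EXT) or is_mutation:
                full = os.path.join(dirpath, name)
                findings.append(os.path.relpath(full, web_root))
    return sorted(findings)

def build_sample_root():
    """Create a constructed web root in a temporary directory and return its path."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "index.php.old", "config.php", "config2.php",
                 "config_old.php", "config-dev.php", "archive.tgz",
                 "style.css", "page2.php"):
        open(os.path.join(root, name), "w").close()
    return root

if __name__ == "__main__":
    for path in leftover_files(build_sample_root()):
        print(path)
```

In the sample, `page2.php` is not reported because there is no `page.php` beside it, which keeps ordinary numbered pages out of the findings.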

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • The identified files and directories
  • HTTP response code for each file