Quartom International performs an in-depth security assessment of your web application, which includes automated and manual testing techniques. Automated testing techniques include running web application scanners and other tools. Manual testing techniques involve Quartom International experts simulating active web-based exploitation techniques by assuming different roles and levels of authentication for a thorough assessment of the web application.
Quartom International identifies vulnerabilities, analyzes those vulnerabilities, ranks them based on the client’s business risk, and performs exploitation attacks only with the goal of validating those vulnerabilities and providing a proof-of-concept for the vulnerabilities. Our web application security assessment services systematically evaluate any vulnerabilities and misconfigurations that are found within your web application.
Quartom International develops a customized assessment plan for each of our clients. Our goal is to identify any security concerns in internal- and external-facing applications that could be exploited to gain access to sensitive data or business operations before bad actors can.
Below are some of the most common attacks that are performed against web applications, which Quartom International strives to protect you against:
Broken Access Control – A web application imposes limits on what authenticated users are allowed to do and view. When those limits are not strictly enforced, the result is a Broken Access Control vulnerability. Attackers can leverage it to reach unauthorized functionality or data, such as editing other users’ information, viewing sensitive files, accessing other users’ accounts, or modifying access rights. Broken Access Control has moved up from fifth position in the latest ranking of web application risks; 94% of applications were tested for some form of broken access control.
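The pattern behind most broken access control findings is a handler that trusts an object identifier supplied by the client without checking who owns the object. The added example below (not Quartom International's code) shows a deliberately vulnerable invoice lookup beside a hardened one; the in-memory record store, the user roles and the `User` type are constructed for illustration.

```python
"""Object-level authorization: vulnerable lookup beside the hardened form.

Added example, not Quartom International's code. The record store, user ids
and roles are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed sample data: invoice id -> (owner user id, contents)
INVOICES = {
    101: (1, "invoice for user 1"),
    202: (2, "invoice for user 2"),
}


class AccessDenied(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> str:
    """Broken access control: any authenticated user can read any invoice
    simply by changing the id in the request. `current_user` is ignored."""
    return INVOICES[invoice_id][1]


def authorize_read(current_user: User, invoice_id: int) -> bool:
    """Server-side decision: ownership comes from the server's own records,
    never from anything the client sent. Unknown ids are denied as well."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return False
    owner_id = record[0]
    return current_user.role == "admin" or current_user.user_id == owner_id


def get_invoice_secure(current_user: User, invoice_id: int) -> str:
    """Hardened: deny by default; "does not exist" and "not yours" produce the
    same response so a caller cannot enumerate which ids exist."""
    if not authorize_read(current_user, invoice_id):
        # A real application would also log this for detection of id probing.
        raise AccessDenied(f"user {current_user.user_id} may not read invoice {invoice_id}")
    return INVOICES[invoice_id][1]


if __name__ == "__main__":
    alice = User(1, "user")
    print(get_invoice_vulnerable(alice, 202))  # leaks bob's invoice
    print(get_invoice_secure(alice, 101))      # alice's own invoice
    try:
        get_invoice_secure(alice, 202)
    except AccessDenied as exc:
        print("denied:", exc)
```

The check lives in one function so every handler that exposes invoices can call it; the denial is logged (in a real deployment) because repeated sequential-id requests from one session are the signature of an access control probe.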
Sensitive Data Exposure – Many misconfigured APIs and web applications do not protect sensitive information such as healthcare records, financial data, and other personally identifiable information (PII) from attackers. Attackers may steal or modify such poorly protected data to commit credit card fraud, identity theft, or other crimes.
Injection – Injection flaws such as SQL, LDAP, OS, and NoSQL injection occur when untrusted data is sent to an interpreter as part of a query or command. Such attacks can lead to the compromise of sensitive data in databases or of the entire web server.
Cross-Site Scripting (XSS) – XSS occurs whenever an application includes user-supplied data in a web page without appropriate escaping or validation, so that the data is interpreted by the browser as HTML or JavaScript. XSS permits attackers to execute scripts in the victim’s browser that can deface websites, hijack user sessions, or redirect users to malicious sites.
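The fix the paragraph describes is context-appropriate output encoding: the same user-supplied string needs different treatment depending on whether it lands in HTML text, in an attribute, or inside a URL. The added example below (not Quartom International's code) renders a greeting without and with escaping, then shows the layered encoding needed for a link; the templates and inputs are constructed for illustration.

```python
"""Reflected user input without and with context-appropriate escaping.

Added example, not Quartom International's code. The page fragments and
sample inputs are constructed for illustration.
"""
import html
from urllib.parse import quote


def render_greeting_vulnerable(display_name: str) -> str:
    """User text is copied straight into the markup, so any tags in it
    become part of the page and any script in it runs in the visitor's browser."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_secure(display_name: str) -> str:
    """HTML text context: <, >, &, and quotes become entities, so the browser
    renders the input as text and never as markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_profile_link_secure(display_name: str, profile_id: str) -> str:
    """Two contexts layered: the id is URL-encoded for the path segment
    (so it cannot contain separators), then the whole attribute value is
    HTML-escaped. Quoting the attribute is part of the defence."""
    path_segment = quote(profile_id, safe="")
    return (
        f'<a href="/profile/{html.escape(path_segment, quote=True)}" '
        f'title="{html.escape(display_name, quote=True)}">profile</a>'
    )


def renders_as_text(display_name: str) -> bool:
    """True when no angle bracket from the input survives unescaped."""
    rendered = render_greeting_secure(display_name)
    return "<" not in rendered.replace("<p>", "").replace("</p>", "")


if __name__ == "__main__":
    # Constructed input containing markup.
    name = "<b>Mallory</b>"
    print(render_greeting_vulnerable(name))  # tags reach the browser intact
    print(render_greeting_secure(name))      # tags become &lt;b&gt;...&lt;/b&gt;
    print(render_profile_link_secure('Mal "the" Great', "a/b"))
```

Validation on input is a useful second layer, but it is encoding at the point of output that removes the vulnerability, because the same stored value may later be emitted into several different contexts.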
Security Misconfiguration – The most commonly seen issue is security misconfiguration. It is generally the result of ad-hoc or incomplete configurations, insecure default settings, open cloud storage, misconfigured HTTP headers, and verbose error messages that contain sensitive data. 90% of applications were tested for some form of misconfiguration.
Identification and Authentication Failures – Application functions related to authentication and session management are often implemented incorrectly, permitting attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
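Two of the implementation flaws behind this category are recoverable password storage and guessable or never-expiring session tokens. The added example below (not Quartom International's code) shows the hardened versions in one place: salted, iterated password hashing with constant-time verification, and session tokens drawn from the operating system's CSPRNG with a bounded lifetime and explicit revocation. The iteration count, session lifetime and the injectable clock are constructed for illustration.

```python
"""Credential storage and session tokens, hardened form.

Added example, not Quartom International's code. The iteration count,
lifetime and the in-memory session store are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000    # constructed; tune upward as hardware allows
SESSION_TTL_SECONDS = 15 * 60  # constructed idle lifetime


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow, iterated hash, so a leaked table
    cannot be reversed with a precomputed dictionary."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison's duration reveals nothing about how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock for testing
        self._sessions = {}          # token -> (user_id, expires_at)

    def create(self, user_id: int) -> str:
        # 32 random bytes from the CSPRNG; not derived from user id or time,
        # so one session's token says nothing about another's.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._now() + SESSION_TTL_SECONDS)
        return token

    def user_for(self, token: str):
        """Return the user id for a live token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[token]  # expired tokens are removed, not kept
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Logout must invalidate server-side state, not just clear a cookie."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("right password verifies:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password verifies:", verify_password("wrong", salt, digest))
    store = SessionStore()
    token = store.create(7)
    print("token maps to user:", store.user_for(token))
    store.revoke(token)
    print("after revoke:", store.user_for(token))
```

Rotating the token after login (create a fresh one, revoke the old) closes session fixation, and the injectable clock lets expiry be tested deterministically instead of with real waits.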