Web Application Penetration Testing


Core Impact® Pro offers the most comprehensive web application penetration testing capabilities available in one solution. With Impact, you go beyond scanning to exploit and interact with vulnerable web applications just as an attacker could. Only Impact integrates web application testing with network, endpoint and wireless testing, enabling you to assess your organization’s ability to detect, prevent and respond to real-world, multi-staged threats.

  • Identify weaknesses in web applications, web servers and associated databases
  • Dynamically generate exploits that can compromise security weaknesses
  • Demonstrate the potential consequences of a breach
  • Gather information necessary for addressing security issues and preventing data incidents

Proactively Identify and Address All OWASP Top 10 Threats

The Core Impact Web Application Rapid Penetration Test (RPT) automates and speeds the web application testing process for more frequent, repeatable and consistent security assessments.

Information Gathering and Scan Import

  • Crawl web pages and identify URLs to test
  • Import results from popular web application vulnerability scanners, including Acunetix® Web Security Scanner, Cenzic Enterprise®, HP WebInspect®, IBM Rational AppScan®, and NTOSpider®
  • Filter scan results and identify significant points of exposure
  • Fingerprint applications to select and run known exploits for off-the-shelf web applications
  • Gather information for dynamically creating exploits for custom applications
  • Impersonate authenticated users
  • Impersonate several browsers, including mobile browsers

Attack and Penetration

Core Impact Pro is the first and only automated, commercial-grade web application penetration testing solution to address the most prevalent security threats facing organizations today, including:

  • SQL Injection - Traditional and Blind (OWASP A1)
  • OS Command Injection (OWASP A1)
  • Cross-Site Scripting (OWASP A2)
  • Broken Authentication and Session Management (OWASP A3)
  • Insecure Direct Object References (OWASP A4)
  • Cross-Site Request Forgery (OWASP A5)
  • Security Misconfiguration (OWASP A6)
  • Insecure Cryptographic Storage (OWASP A7)
  • Failure to Restrict URL Access (OWASP A8)
  • Insufficient Transport Layer Protection (OWASP A9)
  • Unvalidated Redirects and Forwards (OWASP A10)

Dynamic Exploits for Custom Web Applications

Testing custom applications for security vulnerabilities requires the creation of unique exploits. Impact dynamically creates customized exploits on the fly to safely replicate attacks against both proprietary and out-of-the-box web applications.

Other Web Application Testing Capabilities

In addition to addressing the OWASP Top 10, Impact enables you to:

  • Test PHP applications against Remote and Local File Inclusion
  • Exploit WebDAV configuration weaknesses
  • Evade firewalls
  • Reveal weak HTTPS encryption

Cleanup and Reporting

Core Impact Pro is self-contained and safe for production systems, since it does not install or run code on compromised web servers during testing. Impact’s reports provide security professionals and developers with critical information for identifying security weaknesses, determining possible fixes, and prioritizing remediation efforts. Impact maintains audit trails of all tests performed, servers and databases accessed, and all actions taken during testing.
