Application Testing
web applications
There is no question about it - web applications are one of the favorite targets of hackers. Web applications are extremely difficult to secure; they are often publicly accessible and they give control of the type and quantity of input data to the user. In addition, they rely on a potentially insecure user interface tool (web browsers) and on a protocol (HTTP) that was not originally designed with security in mind. Given all of these security concerns, the fact that more and more organizations are relying on web applications for key business functions means that web application security testing is more and more critical.
During NWN’s web application testing, a variety of automated tools are used to “crawl” the target application and identify all pages, forms, fields, URLs, URIs and other points where user interaction or input is possible. NWN will then test each of these for susceptibility to a variety of types of attacks including:
- SQL injection
- Cross-site scripting
- Session strength analysis
- Parameter analysis
- SSL analysis
- Java analysis
- Authentication testing
- Source code disclosure
- Cross-site tracking
- Directory browsing
- Site architecture exposure
database security
Databases often form the heart of an organization’s application infrastructure. They contain everything from passwords to corporate trade secrets and are thus targets. Whether they are accessed directly, via a web application or via a client-server program, database servers are subject to attack. NWN reviews client database systems against industry and vendor best practices to determine if they have been properly secured or hardened. In addition, NWN reviews the communication channels between applications and database servers to identify susceptibility to sniffing or other data interception attacks. NWN also reviews authentication controls to determine the likelihood that an attacker could gain access to data stored in a database without proper credentials.