
Web Application Assessment

We help you eliminate security risks from vulnerabilities in your system, such as SQL injection and cross-site scripting, by performing a vulnerability assessment of your web application.

Service Overview

This is a security assessment service for detecting vulnerabilities in web applications, such as SQL injection and cross-site scripting. Vulnerability assessment is regarded as an effective and necessary measure for preventing the unauthorized access and information leakage that have affected many websites in recent years. Through vulnerability assessment of web applications, Ierae Security helps construct the secure systems that are essential for web applications such as e-commerce sites and SNSs that handle private and sensitive information. We do not rely solely on automated assessment tools: we combine tools with manual techniques in which our security engineers comb the system from the viewpoint of an attacker, looking for logic-related issues as well as issues that arise from technologies that have become popular in recent years. Once the assessment of your web application is complete, we compile a report detailing how to reproduce the vulnerabilities that were detected and outlining the best measures against the resulting security risks.

Assessment Flow

  • STEP1

    Preparations for a Web Application Assessment

    Examine the structure of the system and determine the scope of vulnerability assessment

    We ask you to first specify the scope of web application assessment, after which we estimate the necessary workload.

    1. Interview your staff to examine the system structure

      We examine the structure of your system by studying its specification documents, interviewing your system representative, and accessing the actual application, in order to estimate the number of requests to be tested in our assessment.

    2. Determine the method of web application vulnerability assessment and give you an estimate

      We ask you to choose either a remote assessment, conducted by accessing your system over the Internet, or an on-site assessment, in which our security engineers visit a location from which the target application can be accessed. We then give you an estimate priced per request, depending on your choice.

  • STEP2

    Performing a Web Assessment

    Perform web application vulnerability assessment both using tools and manually

    We perform a tool-based assessment of the target web application as well as a manual assessment from the viewpoint of an attacker to detect flaws that cannot be detected by tools.

    1. A tool-based vulnerability Assessment

      Tools are better suited to comprehensive coverage of the target system, so we use them to detect vulnerabilities in your web application caused by misconfiguration or missing security measures.

    2. A manual assessment that targets possible vulnerabilities in your web application system

      Our security engineers verify the results of the tool-based assessment and examine the assessment items that cannot be tested with tools, all of which must be done manually. Individually minor vulnerabilities can combine into a large security risk.

  • STEP3

    Submitting an Assessment Report and Proposing Measures to Improve Your Web Application

    Report on the Results of the Web Application Assessment

    Our report contains an executive summary, the risk assessment results, and details of the vulnerabilities detected in your web application.

    1. Overall Evaluation

      We report on the assessment results, and if one or more vulnerabilities have been detected, we explain how they may affect your business. We also propose measures that are recommended from the viewpoint of business operation.

    2. Details of the Vulnerabilities in Your Web Application

      We report on the details of the vulnerabilities, how to reproduce them, etc. We also outline what risks can arise from them and what countermeasures should be taken.

Assessment Items

Vulnerabilities Related to Input/Output Handling

Cross Site Scripting
We check whether a malicious script can be embedded in a web page because user-supplied input is written into the page without proper output escaping.
SQL Injection
In functionality that uses a database, we check for vulnerabilities that lead to leakage or alteration of information in the database due to problems in how SQL statements are constructed.
OS Command Injection
In web applications that execute shell commands on the server OS, we check for vulnerabilities such as unintended command execution due to problems in how those commands are constructed.
HTTP Header Injection
In functionality that outputs user-supplied input in an HTTP response header, we check for vulnerabilities such as unintended headers being added to the response due to insufficient filtering of carriage return and line feed characters.
Mail Header Injection
In web applications with email sending functions, we check for vulnerabilities that allow the email content or destination to be altered due to problems in how the mail is constructed.
XXE Injection
In functionality that processes XML, we check for vulnerabilities that lead to information leakage or denial of service by exploiting external entity declarations and references.
LDAP Injection
In functionality that uses LDAP, we check for vulnerabilities that cause leakage or alteration of data in the directory due to problems with query generation.
Other Injections
In functionality that passes user-supplied input to other programs, we check for vulnerabilities that may cause information leakage or falsification due to how special characters are handled in each context. The applicable cases depend on the components of the target system, so please contact us for details:
Server-Side Request Forgery (SSRF), NoSQL Injection, Server-Side Script/Template Injection, Code Injection such as eval, SSI Injection, XML Injection, XPath Injection, Format String Bug, etc.
Open Redirect
For redirectors that use user-supplied input, we check whether an arbitrary destination URL can be specified.
Directory Traversal
In functionality that receives file names and directory names from users, we check whether flaws in input handling allow access to data that should not be accessible.
File Inclusion
In functionality that receives file names, path information, URLs, etc. from users and processes the files, we check for vulnerabilities that could cause information leakage due to problems with their handling.
Uploading and Publishing of Arbitrary Files
In functionality that allows users to upload files, we check for vulnerabilities that cause the following due to problems on the server-side such as file storage settings and publishing settings:
– Saving and publishing files in a format not allowed by the operator
– Arbitrary code execution by installing scripts and executable files
– Information leakage
Buffer Overflow
In functionality that receives and processes input values from users, we check for vulnerabilities that cause a denial of service or arbitrary code execution due to inadequate verification of the data length written to memory.
Bypassing Input Value Filter
In functionality that receives and processes input values from users, we check for vulnerabilities that allow actions that are not normally permitted due to input value verification problems.
Potential for Unsafe Deserialization
In functionality that receives serialized objects as input values from users, we check for vulnerabilities that cause arbitrary code execution due to processing problems.
* In a black-box assessment, achieving code execution within a short period is very difficult because the server-side processing cannot be observed.
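
Added example (not Ierae Security's code) illustrating the HTTP Header Injection and Open Redirect items above: a redirect handler that writes a user-supplied destination straight into the Location header, beside a hardened version that only lets a validated site-relative path through. The parameter name `next`, the function names and the attacker payload are assumptions made for this example.

```python
"""Added example, not Ierae Security's code: a redirect handler showing the
HTTP Header Injection and Open Redirect items, beside a hardened form.

Assumptions (hypothetical): the application answers with a 302 whose
Location comes from an already URL-decoded ``next`` query parameter.
"""
from urllib.parse import urlsplit


def build_redirect_unsafe(next_param: str) -> bytes:
    """Vulnerable: the parameter is written into the Location header as-is.

    A carriage return / line feed in the value ends the header, so the
    attacker can append further headers (e.g. Set-Cookie) and, with a blank
    line, an entire body. Any absolute URL is also accepted, so the
    destination is attacker-chosen (open redirect).
    """
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_param}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_target(next_param: str) -> str:
    """Reduce a user-supplied destination to a site-relative path, or "/".

    Rejects header-breaking characters (CR, LF, NUL) and anything that is
    not a path on this site: absolute URLs, scheme-only values such as
    ``javascript:``, protocol-relative ``//host`` and the ``/\\host`` form
    that browsers normalise to ``//host``.
    """
    if any(ch in next_param for ch in "\r\n\x00"):
        return "/"
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return "/"
    if not next_param.startswith("/") or next_param.startswith(("//", "/\\")):
        return "/"
    return next_param


def build_redirect_safe(next_param: str) -> bytes:
    """Hardened: only a validated site-relative path reaches the header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {safe_target(next_param)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw response the way a client does: headers up to the first
    blank line, everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


if __name__ == "__main__":
    # Constructed attacker input: breaks out of Location and supplies a body.
    payload = "/account\r\nSet-Cookie: session=attacker\r\n\r\n<html>phish</html>"
    for build in (build_redirect_unsafe, build_redirect_safe):
        headers, body = parse_response(build(payload))
        print(build.__name__, headers, body)
```

Run stand-alone, the script shows that the unsafe response carries an attacker-supplied Set-Cookie header and that the original Content-Length line has been pushed into the body, while the hardened version redirects to "/". The same `safe_target` check also stops `https://evil.test/`, `//evil.test/` and `javascript:` destinations.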

Vulnerabilities Related to Authentication

Examination of Login Forms and Confidential Information Input Forms
We check whether the handling of input information is appropriate for login forms and other forms for entering confidential information.
Guessing by Error Messages
In web applications with authentication, we check whether the error message shown on authentication failure allows registered account information to be guessed.
Transmitting Confidential Information in Plain Text
We check whether secrets such as web application passwords are transmitted in plain text rather than over HTTPS.
Inadequate Account Lockout
We check whether authentication functions limit the number of failed attempts.
Inadequate Logout Function
In systems with authentication, we check whether a logout function is provided and whether the session is properly discarded on logout.
Abuse of Password Change or Reissue Function
We check whether a flaw in the function by which a user or administrator changes or reissues a password allows a third party to change or obtain passwords.
Forced Browsing
We check for vulnerabilities that allow direct access without authentication to pages that require authentication due to inadequate access control.
Inadequate Authentication
We check the authentication function for vulnerabilities that allow bypass due to processing flaws.

Vulnerabilities Related to Authorization

Inadequate Authorization Control (Privilege Escalation)
In a system that provides functions according to account privileges, we check for vulnerabilities that can use administrator-only functions with general user accounts, for example.
Inadequate Authorization Control
For functions where the accessible information differs per user, such as a My Page, we check for vulnerabilities that allow access to other users' data.

Vulnerabilities Related to Session Management

Session Management Cookie without Secure Attribute
For websites that use HTTPS, we check whether cookies that hold session IDs or confidential information carry the Secure attribute.
Long Session Expiration
We check whether a user's session ID remains the same over a long period, which gives a third party more opportunity to obtain and reuse it.
Weak Session ID
We check the session IDs issued to users by the web server for problems such as values that follow a pattern a third party can guess or compute.
Session Fixation
We check for vulnerabilities that cause information leakage between users because the application lets a victim's session run under a session ID prepared by an attacker.
Inadequate Session Management
We check for vulnerabilities that lead to spoofing and information leakage in how the web server issues, uses, and manages session IDs.
Cross-Site Request Forgery
For functionalities that affect data, such as registering, updating, and deleting information, we check whether a user can be made to perform an unintended action because the application does not verify that the request came through its legitimate page flow.
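
Added example (not Ierae Security's code) for two of the session management items above: a Set-Cookie attribute check for session cookies on an HTTPS site, and a heuristic check of a batch of issued session IDs for a fixed prefix, a sequential counter and low estimated entropy. The cookie names in SESSION_COOKIE_NAMES, the 64-bit threshold and all sample values are assumptions constructed for this example.

```python
"""Added example, not Ierae Security's code: two checks from the session
management items, run over constructed sample data.

1. Set-Cookie attribute check (Secure, HttpOnly, SameSite) for cookies that
   carry a session ID on an HTTPS site.
2. Weak session ID check: IDs issued in sequence are examined for a shared
   fixed prefix, a sequential counter, and low estimated entropy.

SESSION_COOKIE_NAMES, MIN_SESSION_BITS and the sample IDs are assumptions.
"""
import math
from collections import Counter

SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid"}
MIN_SESSION_BITS = 64   # assumed lower bound for an unguessable session ID

# Constructed samples: four IDs from a CSPRNG-style generator and four from
# a counter behind a fixed prefix.
STRONG_SAMPLE_IDS = [
    "3f9a0c7e5b2d48a1f6e0c9b7d2a4e8c1",
    "a71d4e9f0b3c6285d9e1f4a7b0c3d6e2",
    "c4b8e2f6a0d1395727e6b9f3a8d0c5e1",
    "0e6d2b9c4f8a1e3d7a5c0b2f9e4d6a8c",
]
WEAK_SAMPLE_IDS = ["sess-10021", "sess-10022", "sess-10023", "sess-10024"]


def parse_set_cookie(header_value: str):
    """Return (name, value, {attribute_lower: attribute_value}) for one Set-Cookie."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_session_cookie(header_value: str, over_https: bool = True):
    """Findings for one Set-Cookie header; empty if the cookie is not a
    session cookie or already carries the expected attributes."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if name.lower() not in SESSION_COOKIE_NAMES:
        return findings
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, e.g. after XSS")
    if "samesite" not in attrs:
        findings.append("missing SameSite: relies on browser default for cross-site requests")
    return findings


def common_prefix_len(ids):
    """Length of the prefix shared by every ID in the batch."""
    n = 0
    while all(len(i) > n and i[n] == ids[0][n] for i in ids):
        n += 1
    return n


def assess_session_ids(ids):
    """Heuristics applied to session IDs issued one after another.

    Entropy is estimated from character frequencies in the varying part of
    the sample, so a low figure is strong evidence of weakness while a high
    figure is only reassuring, not a proof of unpredictability.
    """
    prefix = common_prefix_len(ids)
    tails = [i[prefix:] for i in ids]
    sequential = False
    if len(tails) > 1 and all(t.isdigit() for t in tails):
        nums = [int(t) for t in tails]
        sequential = all(0 < b - a <= 1000 for a, b in zip(nums, nums[1:]))
    counts = Counter("".join(tails))
    total = sum(counts.values())
    per_char = -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0
    est_bits = per_char * min(len(t) for t in tails)
    return {
        "fixed_prefix": ids[0][:prefix],
        "sequential": sequential,
        "estimated_bits": round(est_bits, 1),
        "weak": sequential or est_bits < MIN_SESSION_BITS,
    }


if __name__ == "__main__":
    print(check_session_cookie("sessionid=" + STRONG_SAMPLE_IDS[0] + "; Path=/"))
    print(assess_session_ids(WEAK_SAMPLE_IDS))
    print(assess_session_ids(STRONG_SAMPLE_IDS))
```

In a real assessment the IDs are collected by logging in repeatedly (or with the session endpoint in a repeater) and the Set-Cookie headers are taken from the login response; the checks above are the first pass a tester makes before deciding whether manual analysis of the ID format is worthwhile.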

Vulnerabilities Related to Web Server Settings

Allowed HTTP Methods
We check for any unnecessary HTTP methods supported by the Web server.
Directory Listing
We check whether accessing a directory displays its file list because of improper web server settings.
System Information Disclosed
We check whether software and server OS information is disclosed in response headers, error messages, or other content sent by the web server.
Management Page Disclosed
We check whether pages that provide administrative functions, such as an administrator login page, are exposed and could become a target of attack.
TLS/SSL Related Settings
We check for improper settings for TLS/SSL (HTTPS) usage.

Vulnerabilities Related to Client-Side Technologies

Improper Cross-Origin Resource Sharing Policy Settings
We check whether inappropriate cross-origin resource sharing settings allow scripts on external origins to read the target server's resources.
Vulnerability that may Lead to Same Origin Policy Evasion
We check the website for problems that allow the same-origin policy enforced by the web browser to be bypassed.
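
Added example (not Ierae Security's code) for the CORS item above: three ways a server might answer the Origin header, tested against origins an attacker can control. The reflecting policy and the suffix/regex policy both expose authenticated responses; the exact-match allowlist does not. All hostnames are hypothetical.

```python
"""Added example, not Ierae Security's code: server-side CORS policies
compared against attacker-controlled origins. Hostnames are hypothetical.
"""
import re

ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}


def _allow(origin):
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def cors_reflect(origin: str) -> dict:
    """Vulnerable: reflects whatever Origin arrives and allows credentials,
    so any page the victim visits can read their authenticated responses."""
    return _allow(origin)


def cors_suffix(origin: str) -> dict:
    """Still vulnerable: suffix matching and an unanchored regex accept hosts
    the attacker registers (evilexample.test, app.example.test.evil.test)
    and the plain-HTTP variant of an allowed host."""
    if origin.endswith("example.test") or re.match(r"https://.*\.example\.test", origin):
        return _allow(origin)
    return {}


def cors_allowlist(origin: str) -> dict:
    """Hardened: exact match of the full origin (scheme, host, port) against a
    fixed list. Vary: Origin keeps caches from serving one origin's answer to
    another; unknown origins get no CORS headers at all."""
    if origin in ALLOWED_ORIGINS:
        return _allow(origin)
    return {}


def readable_cross_origin(origin: str, policy) -> bool:
    """The browser's rule for a credentialed fetch: the response is exposed
    only if Allow-Origin equals the requesting origin exactly and
    Allow-Credentials is true ('*' is never accepted with credentials)."""
    headers = policy(origin)
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


ATTACKER_ORIGINS = [            # constructed test origins
    "https://evil.test",
    "https://evilexample.test",
    "https://app.example.test.evil.test",
    "http://app.example.test",
    "null",                     # sandboxed iframes and file:// pages send this
]


def exposed_to(policy):
    """Which of the attacker origins can read responses under this policy."""
    return [o for o in ATTACKER_ORIGINS if readable_cross_origin(o, policy)]


if __name__ == "__main__":
    for policy in (cors_reflect, cors_suffix, cors_allowlist):
        print(policy.__name__, exposed_to(policy))
```

When testing a live target, the same origins are sent in the Origin request header and the Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers are compared as `readable_cross_origin` does; a reflected arbitrary origin together with credentials is the finding.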

General Vulnerabilities

Software with Known Vulnerabilities
When software version information is obtained through the “System Information Disclosed” check and a known vulnerability exists for that version, we report it.
Inadvertent Information Disclosure
We check whether the Web server reveals files or data that should/need not be disclosed.

Vulnerabilities due to Application Settings and Design

Logic Flaw
We check for irregular problems that depend on the specific processing logic of the application.
For example, within the assessment period we try as many possibilities as we can, such as obtaining a refund by setting a negative order quantity on an e-commerce site, or viewing a target user's information on an SNS by bypassing a block.
Denial of Service
We check for vulnerabilities that lead to denial of service of the target system or interfere with the use of the service among users.
Inadequate Cache-Control
We check whether confidential information is cached on the client or on intermediate proxies due to inadequate cache-control settings on the web server or in the content.
URL with Secret Information
We check whether URLs contain confidential information that can be leaked by sending a request.
Clickjacking
For functionalities that affect data, such as registering, updating, and deleting information, with nothing more than mouse clicks, we check whether a user can be tricked into performing an unintended action on a trap page.
Race Condition Abuse
In program processing, we check whether inappropriate processing occurs due to simultaneous access to the same resource.
Abuse of the System for Spam
In web applications with email sending functions, we check whether they can be abused to send spam or phishing emails to third parties.
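
Added example (not Ierae Security's code) for the Race Condition Abuse item above: a single-use coupon redeemed by several concurrent requests against a toy in-memory store. The racy handler checks "unused" and then marks the code used as two separate steps; a barrier between them forces every request past the check before any writes, which is the interleaving a tester tries to hit by sending the requests in parallel. The hardened handler performs the check and the write in one critical section. The coupon code and request count are constructed for this example.

```python
"""Added example, not Ierae Security's code: a check-then-act race on a
single-use coupon, reproduced deterministically with threads and a Barrier.
"""
import threading


class CouponStore:
    def __init__(self, codes):
        self.used = {code: False for code in codes}
        self.lock = threading.Lock()

    def redeem_racy(self, code, between_check_and_act=None):
        """Vulnerable: check and act are separate steps with no mutual exclusion."""
        if self.used.get(code) is False:                 # 1. check
            if between_check_and_act is not None:
                between_check_and_act.wait(timeout=5)    # other requests pass the check too
            self.used[code] = True                       # 2. act
            return True
        return False

    def redeem_atomic(self, code):
        """Hardened: check and act form one critical section. In a database-
        backed application the equivalent is a conditional UPDATE ... WHERE
        used = 0 (or a row lock), with the affected row count deciding success."""
        with self.lock:
            if self.used.get(code) is False:
                self.used[code] = True
                return True
            return False


def fire_parallel(store, code, requests, racy):
    """Send `requests` concurrent redemptions and return how many succeeded."""
    arrive = threading.Barrier(requests)
    between = threading.Barrier(requests)
    results = []

    def worker():
        arrive.wait(timeout=5)   # all requests start at the same moment
        ok = store.redeem_racy(code, between) if racy else store.redeem_atomic(code)
        results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join(timeout=10)
    return sum(1 for r in results if r)


def demo(requests=5):
    """(successful racy redemptions, successful atomic redemptions) for one code."""
    racy = fire_parallel(CouponStore(["SAVE20"]), "SAVE20", requests, racy=True)
    fixed = fire_parallel(CouponStore(["SAVE20"]), "SAVE20", requests, racy=False)
    return racy, fixed


if __name__ == "__main__":
    print("racy vs atomic successes:", demo())
```

Without the barrier the racy handler usually redeems once, which is why this class of flaw is missed by tools and by sequential manual tests: it is found by sending the same request in parallel many times and counting how many succeed.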

Cases

A Major e-Commerce Enterprise

Vulnerability Assessment of an e-Commerce Website

Assessment Background
We received an order for security assessment of an updated version of an e-commerce website with several million users.
Our assessment discovered vulnerabilities in a feature added in the updated version that could lead to personal information leakage and, if left undetected, to a serious incident.
Service Scale
Approximately 200 screens
Assessment Period
Approximately four weeks

A Major Telecommunications Company

Website

Assessment Background
This company asked for security assessment of their sales and contract website prior to its release. We detected a flaw that allowed malicious contracts to be made and prevented any damage from it before the release of the website.
Service Scale
Approximately 150 screens
Assessment Period
Approximately three weeks

Sample Report

In the report of the assessment results, we present the details, reproduction procedures, risks, and countermeasures for the vulnerabilities that are discovered, so that the client company can correct them quickly.
*Please request a sample report on the inquiry page. A representative will send it within two business days.

CONTACT

Please do not hesitate to contact us.

Wishing to solve security issues in your web services or apps and maximize profit? Please do not hesitate to contact us, as we will be delighted to help you.
Our highly experienced security engineers will test your system.