Pentesting - Backend and WebApp

With a penetration test (in short: pentest), we stress your web app, API and backend systems by simulating real-world attackers and shed light on the resilience of your backend against adversaries. The results of a pentest feed your risk management practice and make your risks explicit. Performing pentests is therefore not optional; it is a must and common practice at digitised companies.

How we perform a pentest

Before a pentest starts, we agree together on your objectives and expectations, the assets to be protected, the scope of the test, our approach (black-, grey- or white-box) and the general project setup.

We report identified vulnerabilities using the Common Vulnerability Scoring System (CVSS) and assign a score/rating (= criticality) per vulnerability. Irrespective of the tools a pentester uses, pentesting requires state-of-the-art knowledge, expertise, experience, imagination, creativity and intuition, as in any other art. Pentesting is our passion and profession.

Web app pentest

Web apps (together with mobile apps) have largely replaced fat client applications and become the predominant interface between companies and their customers and users. A web app penetration test addresses both endpoints of a web application: the server side as well as the client side. The basic security assumption in this client-server model is that the server must not rely on any input provided by the client side and must protect itself. This has a significant impact on the protections required and the depth of testing.

Web apps typically use a number of server-side technologies that must be taken into account, such as GraphQL, Django, Spring, Node.js, Laravel or Ruby on Rails, and JavaScript on the client side. The scope of a web app pentest usually includes, among others, the following functionalities:

  • User access control mechanisms (authentication, session management, access control)
  • Verification of user-provided input and sanitisation mechanisms
  • Defence mechanisms (errors, logging, alerting, response)
  • Administration of the web app
  • Logic flaws in control flow
  • Server configurations
  • Outdated libraries and other software components
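The client-server assumption above (the server must not rely on anything the client sends) is what the "verification of user-provided input" and "user access control" items test for. The following is an added example, not eShard's code nor part of a client's application: a small order handler in which price and privilege are taken only from server-side state (a constructed catalogue and the server's own session record), while the untrusted JSON body is allow-listed and range-checked. The names `Order`, `SessionUser`, `CATALOGUE` and `MAX_QTY` are assumptions made up for this illustration.

```python
"""Server-side validation of a client-supplied order request.

Added example, not eShard's code. Names (Order, SessionUser, CATALOGUE,
MAX_QTY) are hypothetical; the catalogue and requests are constructed.
"""
import json
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side catalogue: unit prices are looked up here and
# never taken from the request, so a client cannot set its own price.
CATALOGUE = {"sku-100": Decimal("19.90"), "sku-200": Decimal("249.00")}

MAX_QTY = 50  # upper bound on a single order line (assumed business rule)


@dataclass(frozen=True)
class SessionUser:
    user_id: str
    is_admin: bool  # established by the server's session store, not the body


@dataclass(frozen=True)
class Order:
    user_id: str
    sku: str
    quantity: int
    total: Decimal
    admin_discount: bool


class ValidationError(ValueError):
    """Raised for any request the server refuses to act on."""


def parse_order(raw_body: bytes, session: SessionUser) -> Order:
    """Build an Order from an untrusted JSON body and a trusted session."""
    try:
        body = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValidationError("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")

    # Allow-list the keys we expect; fields such as "price" or "is_admin"
    # sent by the client are rejected rather than silently honoured.
    allowed = {"sku", "quantity"}
    extra = set(body) - allowed
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")

    sku = body.get("sku")
    if not isinstance(sku, str) or sku not in CATALOGUE:
        raise ValidationError("unknown sku")

    quantity = body.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValidationError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QTY:
        raise ValidationError(f"quantity must be between 1 and {MAX_QTY}")

    # Pricing and authorisation come from server-side state only.
    total = CATALOGUE[sku] * quantity
    if session.is_admin:
        total = (total * Decimal("0.9")).quantize(Decimal("0.01"))
    return Order(session.user_id, sku, quantity, total, session.is_admin)


def handle_order(raw_body: bytes, session: SessionUser) -> tuple:
    """HTTP-style wrapper: (status code, JSON-serialisable response)."""
    try:
        order = parse_order(raw_body, session)
    except ValidationError as exc:
        # Short, non-leaking message to the client; details belong in logs.
        return 400, {"error": str(exc)}
    return 201, {"order": {"sku": order.sku, "quantity": order.quantity,
                           "total": str(order.total)}}


if __name__ == "__main__":
    user = SessionUser("u-42", is_admin=False)
    # Constructed requests: a normal one and one trying to set its own price.
    print(handle_order(b'{"sku": "sku-100", "quantity": 2}', user))
    print(handle_order(b'{"sku": "sku-100", "quantity": 2, "price": 0.01}', user))
```

The design point a pentester checks for is visible in the two request lines at the bottom: the second request carries a client-chosen `price`, and the server refuses it instead of using it. Equivalent checks (type, range, allow-listed keys, server-side lookup of anything that affects money or privilege) apply to every API endpoint listed in the sections below.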

API pentest

APIs are the key enabler for Web 2.0 and meshes of web applications. Browsers, mobile apps and web applications connect to backend systems via REST, SOAP, RPC and WebSockets. Assessing the resilience of these endpoints requires

  • Automated & manual testing of the API (e.g. fuzzing)
  • Testing the authentication process
  • Testing the input validation
  • Testing for involuntary data exposure
  • Identification of logic flaws, especially in multi-step processes

Backend systems pentest

Applications do not run on their own; they require a supporting infrastructure such as operating systems, networks/network components and management components that form the glue. This includes, e.g.,

  • Linux, Windows systems
  • AWS Cloud environment
  • Active Directory, Kerberos servers
  • Management components like Logging, Monitoring and Virtualization technologies
  • Active network components such as firewalls, routers and switches

Since these systems may be vulnerable themselves and become the source or part of an attack, they also need to be considered as a potential risk.

Complementary services

Depending on the project objectives, a penetration test may include additional, specialised activities, such as

  • Threat analysis
  • Secure code review
  • Analysis of crypto protocols
  • Fuzzing external interfaces and protocols
  • Reverse engineering binaries and executables
  • Development of a proof of concept or an exploit for demonstration purposes

Good reasons for a pentest with eShard

Are you looking for a standard pentest or a pentest of a complex system? Depending on the testing target, the pentest team is composed of various cross-functional experts, e.g. for the analysis of proprietary cryptographic protocols, hardware security or protocol stacks (e.g. Bluetooth, CAN bus). Pentesting requires teamwork, and we assign a team of pentesters according to the mission's needs.
Our experts have a track record in security testing and reverse engineering of, e.g., banking web applications and APIs, mobile apps, payment applications, IoT devices, healthcare devices, smartcards, POIs, ICs/SoCs and cryptography.

Do you answer one of the following questions with a “yes”?

  • Is regular or ad-hoc (e.g. after significant changes) penetration testing part of your security policy and risk management discipline?
  • Have you experienced an advanced attack on your backend recently?
  • Do you have to demonstrate the resilience of your customer interface to your business partners, a regulatory body or a scheme (e.g. PCI DSS, GDPR, …)?
  • Do you want an independent third-party assessment of your backend system and a test of your ability to keep attackers and adversaries off your fences?
  • Are you interested in an expert statement on the resilience of a composite system, such as an IoT or POI device or an ATM?

Then this might be a good reason to talk with us. Please contact us here.

Copyright eShard 2022. All rights reserved.