
Application Assessments
Every application is written differently and with varying complexity. In most engagements, our engineers work closely with the customer's development and deployment teams to uncover potential attack vectors. In some situations, the customer grants PatchAdvisor engineers a "guest" account on the application so we can determine whether a valid low-privilege user can escalate their privileges or access data they are not authorized to see. Our team also uses open source tools such as those available from the Open Web Application Security Project (OWASP) to help identify potential problem areas. Typical activities during the application assessment phase include: analyzing the web server for known vulnerabilities; verifying that application services have disabled or changed default passwords; cataloguing form submission fields and variables for code review; validating that all sensitive data is encrypted in transit; testing CGI programs, scripts, and other server-executed code for cross-site scripting and parameter tampering; analyzing cookies to verify that they carry no sensitive information; and validating that session identifiers cannot be easily guessed or reused in replay attacks.
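The session identifier check above can be made concrete. The following Python script is an added example written for this page, not PatchAdvisor tooling: it compares two constructed batches of session tokens, one from a hypothetical weak generator that hex-encodes a timestamp and a request counter and one from Python's secrets module, by estimating the entropy at each character position and testing whether tokens issued in sequence are monotonically increasing.

```python
import math
import secrets
from collections import Counter

# Constructed sample data: a hypothetical weak generator that hex-encodes a
# Unix timestamp followed by a request counter, and a strong generator that
# draws 128 random bits. Neither batch comes from a real application.
WEAK_TOKENS = [f"{1700000000 + i:08x}{i:04x}" for i in range(200)]
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(200)]


def entropy_per_char(tokens):
    """Average Shannon entropy in bits per character position.

    A position that never changes contributes 0 bits; a uniformly random
    hex digit contributes close to 4 bits once enough samples are seen.
    """
    n = len(tokens)
    length = len(tokens[0])
    total = 0.0
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / length


def is_sequential(tokens):
    """True when tokens, read as hex integers, strictly increase in issue order."""
    values = [int(t, 16) for t in tokens]
    return all(later > earlier for earlier, later in zip(values, values[1:]))


def assess(tokens, min_bits_per_char=3.0):
    """Summarise the guessability of a batch of tokens captured in issue order."""
    bits = entropy_per_char(tokens)
    sequential = is_sequential(tokens)
    return {
        "entropy_bits_per_char": round(bits, 2),
        "estimated_total_bits": round(bits * len(tokens[0]), 1),
        "sequential": sequential,
        # A token set is flagged if it counts upward or carries little entropy.
        "guessable": sequential or bits < min_bits_per_char,
    }


if __name__ == "__main__":
    for name, batch in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, assess(batch))
```

Small samples underestimate entropy, so a few hundred tokens captured in issue order are needed before the per-character figure means much; the sequential check is what catches counter- or clock-based generators whose hex output looks busy at a glance.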
In complex applications there may be thousands of variables passed between the client and the web application. After determining which input fields and variables are passed, PatchAdvisor engineers review the portions of the source code that accept user input to validate that the application performs bounds checking, resists SQL injection, and handles non-standard character sets correctly. Our engineers also use techniques such as reverse-engineering Java or ASP.NET bytecode, which typically retains string literals after decompilation, to discover embedded database credentials or other sensitive information. A sample source review is also performed to identify more esoteric attack paths through manipulation of form data.
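As an added illustration of the input-handling review described above (example code written for this page, not PatchAdvisor's own or any customer's), the following Python shows a vulnerable lookup that splices user input into SQL beside its parameterized replacement, plus the bounds and character-set check a reviewer would expect to see applied before the query. The in-memory SQLite table and its rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample database; the table and rows exist only for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: a bound parameter is data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical policy for this example: 1-32 characters from a small ASCII set.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """Bounds and character-set check applied before any query is built.

    isascii() rejects look-alike input such as fullwidth letters outright,
    and the regular expression enforces both the length bound and the
    allow-list of characters. Returns the username or None.
    """
    if not username.isascii():
        return None
    if not USERNAME_RE.fullmatch(username):
        return None
    return username


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("safe:      ", lookup_safe(db, payload))
    print("validated: ", validate_username(payload))
```

Parameterization is the fix for the injection; the validation layer is separate defence in depth that also enforces the bounds the review looks for, so a reviewer should expect to find both.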
For more information contact sales@patchadvisor.com