Scoping Questionnaire: Web and Mobile Application Testing
If you have any questions about the questionnaire process, feel free to speak to one of Canary Trap’s live agents using the chat widget below or contact us to book a consultation.
Gaining a clear understanding of your requirements
This type of test is reserved for custom developed applications. We will use both automated and manual means to comprehensively assess the security of the application code as it is presented to the Internet at the given IP address.
We will start with automated tools. Scanning tools quickly enumerate and map the application, performing the most mundane and otherwise labor-intensive activities. These tools will detect known vulnerabilities and errors in the web application, web hosting platform (nginx and PHP), or the underlying operating system. After the scans have been completed, Canary Trap will analyze the results for false positives and for any patterns that emerge. Automated testing reveals potential vulnerabilities in application code, such as injection flaws, debug and testing files, known platform and codebase vulnerabilities, error handling issues and configuration issues.
Next, we will perform manual testing against the platform. Canary Trap’s consultants are well trained and highly experienced in performing penetration testing. In manually testing the applications, Canary Trap uses a combination of commercial, open-source and custom tools, as well as reviewing code presented by the web application. This approach allows us to manipulate the application, as well as to infer secure coding practices used in the application development lifecycle. Manual testing is where we expect a majority of the more significant vulnerabilities to be found.
Our testing will include checks for at least the following categories of vulnerabilities, as appropriate, using a black box testing approach to your environment:
Open Web Application Security Project (OWASP) Top 10
• Cross-Site Scripting (XSS) Vulnerabilities
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Failure to Restrict URL Access
• Unvalidated Redirects and Forwards
• Insecure Cryptographic Storage
• Insufficient Transport Layer Protection
Other OWASP Vulnerabilities
• Malicious File Execution
• Information Leakage and Improper Error Handling
• Unvalidated Input
• Buffer Overflow
Privileged Testing
Most tests are conducted with minimal knowledge of your environment, processes or applications. However, in order for Canary Trap to be comprehensive in our testing methodology, we must consider the capabilities that an authorised user on the in-scope systems and/or applications may have. As such, we will use user accounts – normally one anonymous and one authenticated user role – to test what an authorised user may accomplish.
This will be a manual exercise that looks to test, at a minimum, the following:
• An authorised user’s ability to elevate privileges
• An authorised user’s ability to view other users’ or accounts’ data
• An authorised user’s ability to add, modify or delete other accounts’ data
• Whether an authorised user’s existing access is appropriate for their role
• An authorised user’s ability to compromise the security of the overall platform
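An in-house check for the first three items on that list, as an added example that is not Canary Trap’s tooling: it runs a role-by-resource access matrix over a constructed in-memory application (a record-view endpoint with a deliberate direct-object-reference flaw and a delete endpoint with a correct ownership check) and reports every call whose outcome disagrees with the expected policy. The endpoints, records and roles are all assumptions built for the demonstration.

```python
"""Added example, not Canary Trap's tooling: an authorisation matrix check of the
kind the Privileged Testing section describes, run against a constructed app."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two users' records and three roles (anonymous, user, admin).
RECORDS = {101: {"owner": "alice", "email": "alice@example.test"},
           202: {"owner": "bob", "email": "bob@example.test"}}

@dataclass
class Session:
    user: Optional[str]        # None models the anonymous role
    role: str = "anonymous"    # "anonymous", "user" or "admin"

def view_record(session, record_id):
    """Constructed endpoint with a deliberate IDOR: any authenticated user reads any record."""
    if session.user is None:
        return 401, None
    return 200, RECORDS.get(record_id)

def delete_record(session, record_id):
    """Constructed endpoint with the intended ownership/role check (does not mutate RECORDS)."""
    if session.user is None:
        return 401, None
    if session.role != "admin" and RECORDS[record_id]["owner"] != session.user:
        return 403, None
    return 204, None

# Expected policy: (role, endpoint, caller owns the record) -> access allowed?
POLICY = {
    ("anonymous", "view", False): False, ("anonymous", "delete", False): False,
    ("user", "view", True): True,        ("user", "view", False): False,
    ("user", "delete", True): True,      ("user", "delete", False): False,
    ("admin", "view", False): True,      ("admin", "delete", False): True,
}
ENDPOINTS = {"view": view_record, "delete": delete_record}

def run_access_matrix():
    """Call every (session, endpoint, record) combination; return policy violations as
    (role, user, endpoint, record_id, status) tuples. An empty list means no finding."""
    sessions = [Session(None), Session("alice", "user"), Session("carol", "admin")]
    findings = []
    for s in sessions:
        for name, endpoint in ENDPOINTS.items():
            for rid, rec in RECORDS.items():
                owns = rec["owner"] == s.user
                expected = POLICY[(s.role, name, owns)]
                status, _ = endpoint(s, rid)
                if (status < 400) != expected:
                    findings.append((s.role, s.user, name, rid, status))
    return findings
```

Against the constructed app the matrix flags exactly one violation: the authenticated user alice viewing bob’s record, which is the horizontal access the second bullet targets.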