Hands-on application testing.

Our ethical hackers will try to enter anything into the application during hands-on testing.

Application assessment

A code review gives a good, but not necessarily complete, picture of the security issues in an application. What about software libraries, often supplied by third parties, for which no source code is available? In addition, the structure of an application is often so complex that discovering all security issues by code review alone is highly time-consuming. For these reasons Qbit uses hands-on application testing.

Our approach

For a hands-on application test, you provide Qbit with a URL and, if applicable, authentication credentials and/or tokens. Qbit then tests the application hands-on for the following points of interest:

  • Information disclosure

Information that could be used to stage an attack is gathered in various ways, for instance by reverse engineering the interactive components of an application. Specific attention is paid to hidden form fields, cookies, certificates, HTML source, directory indexing, directory traversal, et cetera.
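As an added illustration of the kind of checks run on a captured response (this is example code, not Qbit's tooling), the script below inspects a constructed HTTP response for hidden form fields, developer comments, cookie attributes and a directory-listing page. The headers and HTML are made up for the example; only the standard library is used.

```python
"""Offline information-disclosure checks on one captured HTTP response.

Added example with constructed data: the headers and HTML below were
written for this illustration and do not come from any real application.
"""
from html.parser import HTMLParser
import re

# Constructed response headers (as a dict; Set-Cookie may repeat).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Set-Cookie": [
        "session=abc123; Path=/",                          # no Secure/HttpOnly/SameSite
        "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
}

# Constructed response body: a leftover comment plus hidden fields that
# carry authorisation data the server should not trust from the client.
SAMPLE_BODY = """
<!-- TODO: remove debug endpoint /admin/debug before go-live -->
<form action="/transfer" method="post">
  <input type="hidden" name="account_id" value="1001">
  <input type="hidden" name="role" value="user">
  <input type="text" name="amount">
</form>
"""

# Constructed body of an auto-generated directory index.
SAMPLE_LISTING = ("<html><head><title>Index of /backup</title></head>"
                  "<body><h1>Index of /backup</h1></body></html>")


class _Collector(HTMLParser):
    """Collects hidden <input> fields and HTML comments while parsing."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_hidden_fields(html):
    """Return [(name, value), ...] for every hidden input in the page."""
    p = _Collector()
    p.feed(html)
    return p.hidden


def find_html_comments(html):
    """Return the text of every HTML comment; these often leak paths/TODOs."""
    p = _Collector()
    p.feed(html)
    return p.comments


def cookie_findings(set_cookie_values):
    """For each Set-Cookie header, list the protective attributes it lacks."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in flags]
        if missing:
            findings.append((name, missing))
    return findings


def is_directory_listing(html):
    """Heuristic for server-generated directory indexes (Apache/nginx style)."""
    return re.search(r"<title>\s*Index of /", html, re.I) is not None


def server_banner(headers):
    """Version banners help an attacker pick exploits; report them."""
    return headers.get("Server")


if __name__ == "__main__":
    print("hidden fields:", find_hidden_fields(SAMPLE_BODY))
    print("comments:", find_html_comments(SAMPLE_BODY))
    print("cookie issues:", cookie_findings(SAMPLE_HEADERS["Set-Cookie"]))
    print("directory listing:", is_directory_listing(SAMPLE_LISTING))
    print("server banner:", server_banner(SAMPLE_HEADERS))
```

A hidden field such as `role` or `account_id` is a finding in itself only once the tester confirms the server honours a modified value; the scan just points out where to try.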

  • Command execution

Access to the database and the back office is normally only possible through the application. This part of the assessment aims to find implementation and/or design issues that may lead to unauthorised access to the database or back office through injection techniques (for example SQL, LDAP or server-side include injection).
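The SQL case, as an added example (not code from the original page): a login lookup that pastes user input into the query text, next to the same lookup with bound parameters. The in-memory SQLite database, the users and the payload are all constructed for the illustration.

```python
"""SQL injection: string-built query (vulnerable) beside a parameterised one.

Added example. Uses an in-memory SQLite database with constructed rows;
passwords are stored in clear only to keep the example short.
"""
import sqlite3


def make_db():
    """Constructed users table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """Untrusted input becomes part of the SQL text: the classic mistake."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(query).fetchone()


def login_fixed(db, username, password):
    """Bound parameters: values travel separately from the statement, so a
    quote in the input can never change the query's structure."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# A tester's payload (constructed): closes the string literal, adds a clause
# that selects the target account, and comments out the password check.
# SQLite accepts '--' line comments; other dialects differ in detail.
PAYLOAD_USER = "' OR username='alice' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD_USER, "wrong"))  # alice/admin
    print("fixed:     ", login_fixed(db, PAYLOAD_USER, "wrong"))       # None
```

The same structural point applies to LDAP filters and server-side includes: the fix is never "escape harder" but to keep data out of the code path, via parameter binding, a filter-escaping API, or by not evaluating user-controlled content at all.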

  • Input checking

In some cases it is possible to crash an application or manipulate its behaviour by presenting input that differs completely from what it expects. This can lead to unexpected behaviour such as information leakage, buffer overflows or cross-site scripting. In most situations not all inputs are tested, but a subset assumed to be representative.

  • Session hijacking

This part of the assessment focuses on whether unauthorised or authorised users can read or manipulate other users' data in unauthorised ways and/or authorise transactions in another user's name. For the latter, think of manipulating certificates or performing a man-in-the-middle attack.
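The "read or act on another user's data" part of this check, as an added example (not the page's or Qbit's code): a record lookup and an approval action that trust identifiers from the request, beside versions that bind every operation to the authenticated session user. The invoice table and users are constructed for the illustration; the certificate and man-in-the-middle aspects are not covered here.

```python
"""Horizontal authorisation: trusting request parameters (vulnerable) beside
binding every query to the session user (fixed).

Added example with an in-memory SQLite table and constructed data.
"""
import sqlite3


def make_db():
    """Constructed invoices table: each row belongs to one user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices "
               "(id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER, approved_by TEXT)")
    db.executemany("INSERT INTO invoices (id, owner, amount) VALUES (?, ?, ?)",
                   [(1, "alice", 120), (2, "bob", 75)])
    return db


def get_invoice_vulnerable(db, session_user, invoice_id):
    """session_user is known but never used: any logged-in user can read any
    invoice simply by changing the id in the request (an IDOR)."""
    return db.execute("SELECT id, owner, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()


def get_invoice_fixed(db, session_user, invoice_id):
    """The ownership condition lives in the query, so a foreign id yields nothing."""
    return db.execute("SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
                      (invoice_id, session_user)).fetchone()


def approve_vulnerable(db, session_user, invoice_id, approver_from_form):
    """Takes the approver's name from a (hidden) form field: a user can approve
    any invoice and record someone else's name on it."""
    db.execute("UPDATE invoices SET approved_by = ? WHERE id = ?",
               (approver_from_form, invoice_id))
    return db.execute("SELECT approved_by FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()[0]


def approve_fixed(db, session_user, invoice_id):
    """The approver is always the session user, and only for their own invoice.
    Returns the recorded approver, or None if nothing was allowed to change."""
    cur = db.execute("UPDATE invoices SET approved_by = ? WHERE id = ? AND owner = ?",
                     (session_user, invoice_id, session_user))
    return session_user if cur.rowcount == 1 else None


if __name__ == "__main__":
    db = make_db()
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable(db, "bob", 1))
    print("bob reads alice's invoice (fixed):     ", get_invoice_fixed(db, "bob", 1))
    print("bob approves as alice (vulnerable):    ", approve_vulnerable(db, "bob", 1, "alice"))
    print("bob approves as alice (fixed):         ", approve_fixed(db, "bob", 1))
```

During a test this is exercised with two accounts: log in as one, replay the other's requests with swapped identifiers or edited hidden fields, and compare what comes back.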

If the security of a mobile app, such as an iOS or Android app, is tested, Qbit will:

  • Download the apps through the regular store.
  • Install the apps on our test phones.
  • Perform a static analysis using tools like QARK to test whether, for instance, dangerous permissions are requested and the app is protected against common vulnerabilities.
  • Use an isolated test network to map the app's traffic during normal use. We check whether, for example, secure connections are used and only necessary information is sent.
  • Analyse the configuration, cache and temporary files stored on the phone. Are they protected or encrypted? Do they contain sensitive information? And how does the app react when these files are modified from outside?
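For the last step, an added example of the kind of scan run over an app's data directory once it has been copied off a test phone (example code, not Qbit's tooling). The directory layout, file contents and permission bits are constructed to look like an Android app's `shared_prefs` and `cache` folders; the secret patterns are a small illustrative set.

```python
"""Scan an app's pulled data directory for plaintext secrets and loose
permission bits.

Added example. The file tree below is constructed to resemble an Android
app's data directory; nothing here was captured from a real app.
"""
import os
import re
import stat
import tempfile

# Constructed sample tree: relative path -> (mode bits, content).
# The prefs file is deliberately world-readable to simulate a file written
# with a permissive mode; the others are private to the app user.
SAMPLE_FILES = {
    "shared_prefs/com.example.app_preferences.xml": (0o644,
        '<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
        '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl</string>\n'
        '  <string name="password">hunter2</string>\n'
        '  <boolean name="dark_mode" value="true" />\n</map>\n'),
    "cache/http/response.json": (0o600,
        '{"user":{"id":42,"email":"alice@example.com"},"api_key":"AKIA0000000000EXAMPLE"}'),
    "files/settings.bin": (0o600, "\x00\x01binary\x02"),
}

# Illustrative patterns; a real engagement uses a much longer list.
SECRET_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "credential_key": re.compile(r'name="(password|passwd|secret|token|auth_token)"', re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def write_sample_tree(root):
    """Materialise the constructed tree under root with the given mode bits."""
    for rel, (mode, content) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


def scan_tree(root):
    """Return sorted (relative_path, finding) pairs for every file under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append((rel, "world_readable"))
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return sorted(findings)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="appdata-")
    write_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:15} {rel}")
```

The permission check only means something if the copied tree still carries the on-device mode bits; if the copy did not preserve them, inspect the modes on the phone itself. A file that matches a pattern is then the starting point for the next question in the list above: what happens to the app when that value is edited in place?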

Benefits of hands-on application testing

  • Find out if your application is hacker-proof
  • Insight into the level of security and the real vulnerabilities
  • Practical and feasible recommendations

Contact me

Erik Rutkens

CEO and founder Qbit

Let me tell you more. Email me or call me on +31 6 53 317 977.
