Web application penetration testing with ImmuniWeb

Switzerland-based ethical hacking and penetration testing experts High-Tech Bridge recently released an interesting security product that uses a hybrid approach towards web application security testing.

Based on years of experience, the new ImmuniWeb offering is a Software-as-a-Service tool that combines manual and automated penetration testing in a cost effective way.

Usually the majority of users deploy automated security solutions when auditing web applications, while those with bigger budgets use professional penetration testing teams to analyze the state of the security of their web apps. High-Tech Bridge saw an opportunity and combined the two approaches. After a year of extensive private beta testing, their SaaS solution saw the light of day in May.

The concept is pretty straightforward: the user needs to create an ImmuniWeb account, set up contact details and schedule an on-demand web application penetration test. At $990 per scan, a team of qualified ethical hackers will “attack” the target using a custom automated vulnerability scanner, and will also spend a number of hours (depending on the target’s complexity; usually up to 12 hours) performing manual penetration testing. This combination of the two approaches provides a thorough picture of the web app’s state of security and significantly reduces false positives.

Before the scanning starts, the user is informed of the estimated duration of the process. The user is also told which IP range will be used for the assessment, so that firewall rules can be adjusted or a live grep session on the web server logs can be used to watch the pentest as it happens.

I had the opportunity to test the service, and found both the automated and manual tests quite detailed. In the scan we scheduled on a clone of a production website, manual manipulation of parameters resulted in the discovery of some issues that weren’t spotted by three different automated web app scanning solutions.

The full assessment/report is made available for download from the ImmuniWeb Portal by the end of the next working day following the completion of the scan. The report I got was 19 pages long and it focused both on the high-level (graphical) overview of the web application’s state of security, as well as on the details of the discovered vulnerabilities.

The ImmuniWeb assessment is CVE (Common Vulnerabilities and Exposures) and CWE (Common Weakness Enumeration) certified by MITRE. Each vulnerability is dissected into five parts – overview, CVSSv2 base score, detailed vulnerability description, actual proof of concept and vulnerability remediation. The proposed solution for each vulnerability focuses on how to fix the problem in the code (for instance, proper sanitization) or how to filter it in a Web Application Firewall.

If the target domain uses SSL, the report will also cover potential weaknesses or misconfigurations. High-Tech Bridge analysts also include two “bonuses” in the report – a phishing monitor and a hacking resources monitor. The first one is an overview of potential phishing domains – for example, sites with common typos in the spelling (let’s say google.com vs. goolge.com). Of course, because there is such a huge number of registered domains on the Internet, this could result in some false positives.
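The typo-domain idea behind the phishing monitor, as an added illustration (not ImmuniWeb’s code): it generates the common typo variants of a domain and intersects them with a constructed list of observed registrations; the keyboard map is partial and the domain list is made up for the demonstration.

```python
# Added example: a small typosquat candidate generator in the spirit of the
# phishing monitor described above. Not ImmuniWeb code; the observed-domain
# list and the partial keyboard map are constructed for the demonstration.

# Partial QWERTY adjacency map (constructed; enough for the sample domain).
QWERTY_NEIGHBOURS = {"o": "ipl", "g": "fhtb", "l": "kop", "e": "wrd"}

# Constructed stand-in for a feed of newly registered domains.
OBSERVED_DOMAINS = ["goolge.com", "gogle.com", "googgle.com", "google.com",
                    "example.net", "yahoo.com"]


def typo_variants(domain):
    """Return typo variants of a domain, mutating only the leftmost label.

    Assumes the input is a registrable domain such as google.com. Covers
    the common typo classes: adjacent transposition (google -> goolge),
    omission, doubled character and adjacent-key substitution.
    """
    name, _, rest = domain.partition(".")
    variants = set()
    for i in range(len(name) - 1):                       # transposition
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                           # omission
        variants.add(name[:i] + name[i + 1:])
    for i in range(len(name)):                           # doubled character
        variants.add(name[:i + 1] + name[i] + name[i + 1:])
    for i, ch in enumerate(name):                        # adjacent key
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(name[:i] + neighbour + name[i + 1:])
    variants.discard(name)                               # drop the original
    return {f"{v}.{rest}" for v in variants if v}


def find_candidate_phishing_domains(domain, observed_domains):
    """Intersect the variants with domains actually seen registered.

    Every hit is only a candidate: as the report notes, the sheer number
    of registered domains makes some false positives unavoidable, so each
    match still needs a human look before it is treated as phishing.
    """
    return sorted(typo_variants(domain) & set(observed_domains))


if __name__ == "__main__":
    for hit in find_candidate_phishing_domains("google.com", OBSERVED_DOMAINS):
        print(hit)
```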

The “hacking resources monitor” section is a smart addition. It includes the results of a customized crawl through the “darker parts” of the Internet – various forums, pastebin and similar sites – where someone who found an issue with your web application in the past may have disclosed it to the public.

With its reasonable price tag and its combined approach to manual and automated web application security testing, ImmuniWeb definitely has a bright future in the industry.