# Web Application Penetration Test
## Scoping questions
Here are some data points we will need to scope your Web application penetration test:
The information below is not an interactive information-gathering form; its purpose is to give you an idea of the types of questions 7 Minute Security will ask in order to properly scope your test. To get a copy of the Word version of the scoping document, contact us.
## Type of application
Please select all that apply to the system(s) in scope:
- Standard Web Application
- Java Thick Client
- .NET Thick Client
- Web Services / API
- Android Mobile App
- iOS Mobile App
- Single-Page Application (SPA)
## Architecture
- Website Static
- Website Dynamic
- Mobile Application - Native
- Mobile Application - HTML5/Mobile Web
- Do Not Know
- Other (Please explain below)
## Technologies / languages
- AJAX
- ASP.NET
- C#
- C/C++
- ColdFusion
- Java, J2EE
- JavaScript
- JSP
- Other (Please explain)
- PHP
- Python
- Ruby
- Silverlight / WCF
- Visual Basic
## Web framework / CMS
- Angular
- Drupal
- JSF
- Joomla
- Microsoft .NET
- Ruby on Rails
- Spring
- Stripes
- Struts
- Tapestry
- WordPress
## Database platform
- MS SQL Server
- MySQL
- Oracle
- SQLite
## Web services
Are Web services used in the application? If so, what kind and how many methods?
- Custom (number of methods: )
- REST (number of methods: )
- SOAP (number of methods: )
- WCF (number of methods: )
## Number of pages (approximately)
Number of static web pages:
Number of dynamic Web pages:
Number of user input forms:
Other:
## Lines of code (approximately)
Number of static screens:
Number of screens accepting user input:
## Roles for testing
Number of roles:
Names of roles (like admin, customer, public):
## Application testing environment
- Production
- Pre-production (UAT, Test, QA, Dev, etc.)
## Considerations/prerequisites
Whenever possible, 7 Minute Security prefers to examine Web applications in dev/test environments. This allows for a more thorough exercise as we're able to test aggressively without concern for modifying/deleting production data.
7 Minute Security will provide you with the public IPs we conduct penetration testing from, so that you can temporarily allow these IPs through your firewall/IDS/IPS/etc.
7 Minute Security does not perform any Denial-of-Service (DoS) testing and does not conduct network penetration testing during application assessment activities unless previously scoped as part of the assessment.