
How to get a web application penetration test and vulnerability scan?

A client is asking for a web application penetration test and vulnerability scan before they commit to using a particular web application. Please advise where to go to for such tests and scans. Thanks.

David Johnson, CD (Simple Geek from the '70s)
Distinguished Expert 2019

You can use the test tools included with Visual Studio, or otherwise throw at the web app anything and everything and observe the results, i.e. what the web app expects, plus a bunch of random text/values, and observe the results.

Your code should have NO deprecated code, i.e. using gets() vs fgets(), strncpy vs strcpy (these are susceptible to buffer overflows).
Use different ports and protocols addressed at the web app and see what happens.
If you don't know exactly what you're doing, forget about trying to do it yourself, least of all with just generic code debug tools.

Hire a security consultant to perform the scan.
Here is a good start with explanations: http://hackertarget.com/
There are commercial and open source tools, but in unskilled hands their value is limited.
A. Get a consultant to do this job.
B. Do both blackbox and whitebox testing
C. Have recommendations for a validated secure environment
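The "throw what it expects plus random values at the app and observe the results" approach described above, as an added example that is not part of the original answers. The target here is a constructed, deliberately fragile in-process handler (`handle_request`, an assumption standing in for the web application), so the loop runs offline; against a staging deployment you would replace it with a function that performs the HTTP request and returns (status, body).

```python
"""Mutation fuzzer for a single web form parameter (added example).

The target is a small, constructed handler that stands in for the web
application under test. Replace `handle_request` with a function that issues
a real HTTP request to a staging host and returns (status_code, body) to fuzz
a live deployment.
"""
import random
import string
from typing import Callable, Dict, List, Optional, Tuple

# Values the application expects for the parameter (the "what it expects" half).
EXPECTED: List[str] = ["10", "250", "999"]

# Fixed seed so the random half of the corpus is reproducible between runs.
_rng = random.Random(1337)


def random_junk() -> List[str]:
    """Generic malformed inputs plus random printable strings."""
    out = [
        "",
        "-1",
        "0",
        "2147483648",                  # just past a signed 32-bit INT_MAX
        "1e308",
        "%s%s%s%n",                    # format-string probe
        "' OR '1'='1",                 # SQL injection probe
        "<script>alert(1)</script>",   # reflected-markup probe
        "../../../../etc/passwd",      # path traversal probe
        "\x00",
        "A" * 5000,                    # oversized input
    ]
    for _ in range(20):
        length = _rng.randint(1, 64)
        out.append("".join(_rng.choice(string.printable) for _ in range(length)))
    return out


def handle_request(quantity: str) -> Tuple[int, str]:
    """Constructed stand-in for the web app (hypothetical, not a real product).

    It parses a 'quantity' field and, like many quick handlers, trusts the
    value once it is an int: negatives leak a stack trace, huge values blow up.
    """
    try:
        q = int(quantity)
    except ValueError:
        return 400, "bad quantity"
    if q < 0:
        return 500, "Traceback (most recent call last): ValueError in order_total"
    if q > 10000:
        return 500, "OutOfMemoryError while allocating order lines"
    return 200, f"ordered {q} units"


def classify(payload: str, status: int, body: str) -> Optional[str]:
    """Return a reason if the response looks anomalous, else None."""
    if status >= 500:
        return f"server error {status}"
    if "Traceback" in body or "Exception" in body:
        return "stack trace disclosed in body"
    if payload and "<" in payload and payload in body:
        return "markup reflected unescaped"
    return None


def baseline_ok(target: Callable[[str], Tuple[int, str]]) -> bool:
    """Expected inputs must succeed, otherwise the fuzz results mean nothing."""
    return all(target(p)[0] == 200 for p in EXPECTED)


def run_fuzz(target: Callable[[str], Tuple[int, str]],
             payloads: List[str]) -> Dict[str, Tuple[int, str]]:
    """Send every payload and collect the ones that produced an anomaly."""
    findings: Dict[str, Tuple[int, str]] = {}
    for payload in payloads:
        status, body = target(payload)
        reason = classify(payload, status, body)
        if reason is not None:
            findings[payload] = (status, reason)
    return findings


if __name__ == "__main__":
    assert baseline_ok(handle_request), "expected inputs fail; fix the target first"
    for payload, (status, reason) in run_fuzz(handle_request, random_junk()).items():
        print(f"{status} {reason!s:32} <- {payload[:40]!r}")
```

The point of `baseline_ok` is that a fuzz run is only meaningful when the application accepts its normal inputs; `classify` then treats 5xx responses, leaked stack traces and unescaped reflection of markup as the observations worth reporting.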
btan, Exec Consultant
Distinguished Expert 2019
There are tools to automate vulnerability scanning, such as Metasploit, Samurai, Netsparker and more.

But more often than not, it is the whole pentest cycle that you should be running: fingerprinting, enumeration, recon, vulnerability scanning, vulnerability verification, validation of possible exploits or low-hanging fruit, and reporting. Security is a process, not a product.

Check out these references too

But importantly, you should not miss out the OWASP Top Ten vulnerabilities; those will be the baseline checks for low-hanging fruit. Tools such as AppScan, WebInspect and Acunetix cover them.

There are also online web server checks, but I suggest you do it offline in staging prior to those tries, since you will not want exposure checks at this initial stage.
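The first two phases of the cycle described above, fingerprinting and an OWASP-style baseline check for low-hanging fruit, as an added example that is not part of the original answer and not the output of any of the tools it names. The two HTTP responses are constructed inline (not captured from any real site) so the check runs offline; against a staging host you would feed it the raw response text instead.

```python
"""Fingerprint a web app and run baseline header/cookie checks (added example).

Works on raw HTTP response text so it can run offline against the constructed
samples below; on a staging host, feed it the bytes you read off the socket.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample responses; neither is captured from a real deployment.
SAMPLE_RESPONSES: Dict[str, str] = {
    "legacy-php": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.15 (CentOS)\r\n"
        "X-Powered-By: PHP/5.3.3\r\n"
        "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    "hardened-java": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Set-Cookie: JSESSIONID=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: DENY\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html>...</html>"
    ),
}

# Session cookie names that identify the framework even when Server is hidden.
COOKIE_HINTS: Dict[str, str] = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "csrftoken": "Django",
    "laravel_session": "Laravel",
}

# Headers whose absence is a classic security-misconfiguration finding.
REQUIRED_HEADERS: List[str] = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
]

Headers = List[Tuple[str, str]]  # (lower-cased name, value), repeats preserved


def parse_response(raw: str) -> Tuple[int, Headers, str]:
    """Split a raw response into status code, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n == name.lower()]


def fingerprint(headers: Headers) -> Dict[str, object]:
    """Recover server, platform and framework from headers and cookie names."""
    result: Dict[str, object] = {}
    server = header_values(headers, "Server")
    powered = header_values(headers, "X-Powered-By")
    if server:
        result["server"] = server[0]
    if powered:
        result["platform"] = powered[0]
    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_HINTS:
            result.setdefault("framework", COOKIE_HINTS[name])
    # An exact version in Server/X-Powered-By is itself a finding: it lets an
    # attacker look up published vulnerabilities for that precise build.
    result["version_disclosed"] = any(re.search(r"\d+\.\d+", v) for v in server + powered)
    return result


def baseline_checks(headers: Headers) -> List[str]:
    """Low-hanging fruit: missing hardening headers, weak session cookie flags."""
    issues: List[str] = []
    for name in REQUIRED_HEADERS:
        if not header_values(headers, name):
            issues.append(f"missing {name}")
    for cookie in header_values(headers, "Set-Cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            issues.append(f"cookie {cookie_name} lacks HttpOnly")
        if "secure" not in attrs:
            issues.append(f"cookie {cookie_name} lacks Secure")
    return issues


def assess(raw: str) -> Dict[str, object]:
    status, headers, _ = parse_response(raw)
    return {"status": status, "fingerprint": fingerprint(headers),
            "issues": baseline_checks(headers)}


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, assess(raw))
```

Header-based fingerprinting is only a first pass: a reverse proxy can rewrite `Server`, so cookie names and error-page wording are often the more reliable signal, which is why the enumeration phase follows rather than replaces this step.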

