TESTING WEB APPLICATIONS AGAINST REAL-WORLD DATA BREACH ATTEMPTS


CORE IMPACT Pro offers the first and only automated methodology for testing the security of web applications and demonstrating the potential consequences of a web-based attack. With IMPACT Pro, you can regularly and safely test web applications against actual data breach attempts, without requiring advanced technical skills. Leveraging the product’s Rapid Penetration Test (RPT) capabilities, you go beyond scanning to identify and interact with at-risk web applications to expose backend data – just as an attacker could.

IMPACT Pro’s web application security testing capabilities enable you to:

  • identify weaknesses in web applications, web servers and associated databases
  • dynamically generate exploits that can compromise security weaknesses
  • demonstrate the potential consequences of a successful attack
  • get information necessary for addressing security issues and preventing data incidents

IMPACT Pro is the only product to integrate web application penetration testing with network testing and end-user testing. You can therefore confidently assess your organization’s ability to detect, prevent and respond to real-world, multistaged information security threats.

Conduct penetration tests that emulate Cross-Site Scripting (XSS), SQL Injection and Remote File Inclusion threats

IMPACT Pro is the first and only automated web application penetration testing software to address three of the most prevalent information security threats facing organizations today:

Cross-Site Scripting
Cross-Site Scripting (XSS) threats take advantage of vulnerabilities in web applications and allow attackers to interact with the browsers of web application users. IMPACT Pro not only identifies web page elements that allow for URL-based, reflected XSS attacks, but it also allows the security tester to leverage those elements to demonstrate how end-user browsers and data can be compromised.
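The URL-based, reflected XSS pattern described above comes down to one question: does a value taken from the query string reach the HTML response without being encoded for that context? The following Python snippet is an added illustration and is not IMPACT Pro's code; the search page, the `q` parameter, the sample URL and the harmless script marker are all constructed for the example. It shows a handler that reflects the parameter verbatim beside the hardened version that HTML-escapes it, together with the check a tester or a regression test would make: whether the marker comes back unchanged.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a search page reflecting its "q" parameter (hypothetical app).
SAMPLE_URL = "https://app.example/search?q=<script>alert(1)</script>"


def query_param(url: str, name: str = "q") -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the untrusted parameter is placed into HTML text verbatim,
    so any markup it contains becomes part of the page the browser parses."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened: the parameter is HTML-escaped for the text-content context,
    so '<', '>', '&' and quotes are rendered as characters, not markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_unescaped(page: str, marker: str) -> bool:
    """Detection check: the marker that was sent is present byte-for-byte in
    the response, which is the signal a reflected XSS finding rests on."""
    return marker in page


if __name__ == "__main__":
    q = query_param(SAMPLE_URL)
    print("unsafe reflects marker:", reflects_unescaped(render_search_unsafe(q), q))
    print("safe reflects marker:  ", reflects_unescaped(render_search_safe(q), q))
    print(render_search_safe(q))
```

Escaping is context-specific: `html.escape` is right for element text and quoted attribute values, while a value written into a URL, a JavaScript string or a CSS block needs the encoder for that context instead.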

SQL Injection
Through its vulnerability analysis capabilities, CORE IMPACT Pro safely identifies both traditional and blind SQL injection vulnerabilities and then leverages the results to dynamically create and inject SQL queries in an attempt to retrieve output from the SQL database. Whenever a query successfully accesses the database, an IMPACT SQL Agent is created. Using the SQL Agent, you can then safely replicate the actions of an attacker to demonstrate the potential consequences of an actual breach.
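The passage distinguishes traditional SQL injection, where the database's output is returned directly, from blind injection, where the tester only sees whether the page's behaviour changes with a true or false condition. The added Python example below is not the product's code; the in-memory SQLite table, the user names and the three probe strings are constructed for the illustration. It places a lookup that concatenates input into the SQL text beside one that binds it as a parameter, and shows that the concatenated version leaks rows on a tautology and answers a true/false probe differently (the signal blind injection relies on), while the parameterized version treats every input as a plain value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample backend: a two-row users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the untrusted value is spliced into the SQL string, so quotes
    and operators in the input become part of the query's syntax."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is passed as a bound parameter; the SQL text is fixed
    and the driver never interprets the input as syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed probe inputs (the classic textbook cases).
TAUTOLOGY = "x' OR '1'='1"          # traditional: widens the WHERE clause to every row
TRUE_PROBE = "alice' AND '1'='1"    # blind: condition true, row still returned
FALSE_PROBE = "alice' AND '1'='2"   # blind: condition false, row disappears


if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        print(label, "tautology:", fn(conn, TAUTOLOGY))
        print(label, "true/false probes:", fn(conn, TRUE_PROBE), fn(conn, FALSE_PROBE))
```

The difference between the two probe results in the unsafe version is exactly what a blind-injection check observes; in the safe version both return nothing because the whole string is compared literally against `name`. Parameterized queries (or an ORM that uses them) are the fix; input filtering alone is not.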

Remote File Inclusion
To test web applications against Remote File Inclusion (RFI) attacks on PHP applications, IMPACT Pro dynamically manipulates PHP templates in an attempt to retrieve commands from a remote web server. If successful, the manipulation is recorded as an IMPACT RFI Agent, which allows you to interact with the targeted web application to safely demonstrate the exploitability of the RFI vulnerability and reveal at-risk data.

Go beyond scanning to identify real threats and eliminate false positives

Mitigating web application vulnerabilities typically requires developers to rework code, so it’s critical for web application security testing to pinpoint actual threats and eliminate false positives. IMPACT Pro both identifies potential vulnerabilities and validates them against dynamically generated exploits. By revealing how and where a data breach could unfold and by exposing at-risk information assets, IMPACT Pro enables you to work with developers to confidently plan remediation efforts and avoid unnecessary code changes for both new and existing applications.

Replicate attacks that extend to backend network systems

Web applications don’t exist in a vacuum and are typically networked to other systems. Consequently, a compromised web application can open the door to attacks on other network assets, compounding the damage caused by the initial breach. With the addition of web application testing to its comprehensive network and endpoint security testing capabilities, IMPACT Pro enables you to safely assess your security against attacks that cross all three vectors. For instance, IMPACT Pro can replicate an attack that initially compromises a web server or end-user workstation and then tunnels to backend network systems. Only IMPACT Pro allows you to test information security in the face of such complex attacks.

Successfully test custom web applications

Most web applications are custom-built or highly specialized, and often not developed with security in mind. Because of this level of customization, testing them for security vulnerabilities requires the creation of unique exploits.

CORE IMPACT Pro goes beyond web application vulnerability scanning by dynamically creating customized exploits on the fly. You can then use these exploits to safely replicate data breach attempts against both proprietary and out-of-the-box web apps.

Generate actionable data for efficient and effective remediation

Through its reporting capabilities, IMPACT Pro provides security professionals, web developers and database administrators with critical information for identifying security weaknesses, determining possible fixes, and prioritizing remediation efforts. IMPACT Pro maintains audit trails of all web application penetration tests performed, servers and databases accessed, and all actions taken during testing. Like all IMPACT Pro reports, web application test reports can be exported to HTML, PDF and Microsoft Word for further customization and distribution.

Award

"Core's smart dashboard, friendly UI, attack configuration wizards, and focused reports make penetration testing easier than ever ..."

"2008 Technology of the Year Awards"
InfoWorld, January 2008

Core Security Technologies © 2008 All rights reserved