Home > Federal > STMS > GreyBox System / Application Assessment

Security Threat Modeling & Simulation

Greybox System / Application Assessment


SecureState has been performing Grey Box Web Application Assessments since 2004, and have evolved our testing methodology ever since. A Web Application Security Assessment examines all aspects of an application to identify vulnerabilities. The Web Application Security Grey Box Assessment focuses on vulnerabilities for the following layers and security controls:

  • Authentication and Access Control
  • Input Validation Encoding
  • Business logic
  • User and Session Management
  • Error and Exception Handling

A Grey Box Assessment discovers potential web application vulnerabilities, and assists an organization in understanding the associated risks and business impact of the vulnerabilities. In addition, a Grey Box Assessment finds many vulnerabilities listed in the OWASP Top 10. The key reason for performing a Grey Box Assessments is simple yet significant: to strengthen security in order to prevent potential breaches and associated negative ramifications.

  • A Grey Box Web Application Security Assessment represents 70% manual techniques with 30% automated tools
  • Grey Box Web Application Security Assessments find many of the OWASP Top 10 Vulnerabilities; such as SQL Injection and Cross-Site Scripting (XSS)
  • Grey Box Web Application Security Assessments find business logic flaws which automated tools cannot find


As applications become more dynamic and user friendly, the number of vulnerabilities left open by developers increases. This means your web application vulnerability management must be solid. SecureState has found that more than 90% of attacks are coming through the web application layer. Some industry regulations are even making web application security assessment reviews mandatory. The Payment Card Industry’s Data Security Standards makes it mandatory for companies to perform custom code assessments and/or install a web application firewall. Furthermore, if you are testing for business logic flaws, for example, the ability to change products to another customer’s credit card online, you must perform a Grey Box Web Application Security Assessment because manual methods are the only way to test for these types of flaws.


SecureState has been testing clients’ Web Application Security (WAS) for over nine years, and the Assessment remains one of our core services. This means that we perform a great many of them for hundreds of clients. Our experience and expertise has led us to follow a very detailed and structured methodology based on the OWASP Testing Guide for performing WAS Assessments. SecureState uses the mindset and methodology of a hacker in an attempt to exploit vulnerabilities and misconfigurations in the application. There is no better way to approach Web Application testing.

Did You Know?

  • A Grey Box WAS Assessment is a thorough assessment of the web application
  • Grey Box WAS Assessments are an important part of any SDLC
  • Grey Box WAS Assessments test for user roles, permissions and privilege escalation vulnerabilities
  • Web Application Assessments should be performed whenever there are code or infrastructure changes

Our Approach and Methodology

The SecureState Profiling Team are well known and highly regarded as experts in Penetration Testing. Our approach follows industry accepted testing methodologies such as PTES, NIST 800-115, OWASP and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment to accurately mitigate identified vulnerabilities. The SecureState Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. Our Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic “root cause” issues.

Phase I – Pre-engagement Interactions:

In this phase, SecureState works with the client to establish the rules of engagement as well as the scope; and exchange contact information for both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. In addition, The Project Charter is discussed during the kickoff call prior to the beginning of the engagement. Lastly, SecureState requests two sets of credentials for each user role to be tested. For example, SecureState will test the roles of a standard user, as well as an administrator account during the Grey Box WAS Assessment.

Phase II – Information Gathering:

SecureState identifies application entry points, search engine reconnaissance, and analysis of error codes. Additionally, SecureState manually maps the application to collect session information as well as cookies and business logic information.

Phase III – Configuration Management Testing:

In this phase, SecureState tests for HTTP methods, SSL weaknesses, and infrastructure configuration management vulnerabilities.

Phase IV – Authentication Testing:

SecureState tests for user enumeration, brute force testing, and authentication bypass vulnerabilities.

Phase V - Session Management Testing:

In this phase, SecureState tests for session fixation, session variables, and testing for CSRF (Cross-Site Request Forgery).

Phase VI – Authorization Testing:

SecureState tests for Path Traversal, User Roles and Permissions Testing, and Privilage Escalation vulnerabilities.

Phase VII - Business Logic Testing:

SecureState manually looks at ways to bypass the business logic of the application. This can be as simple as parameter manipulation, or modifying the logic of the application via a web proxy.

Phase VIII – Data Validation Testing:

SecureState tests for XSS (Cross-Site Scripting), SQL Injection and other code injection flaws. As well as HTTP Response Splitting.

Phase IX - Other Testing if Applicable:

SecureState will test for specific vulnerabilities in heavy Ajax enabled applications. Additionally, per client request, SecureState will conduct Denial of Service testing. This type of testing is normally not conducted unless authorized by the client.

Phase X – Reporting:

As part of the deliverable, SecureState provides a report which contains a short graphical summary aimed at senior management, a narrative body which details major findings, and a detailed findings section aimed a technical staff. SecureState also provides a closing call and a high level executive presentation to summarize the testing; as well as provide an opportunity to ask questions about the engagement.

What Makes Us Different

  • Uses a team based approach for all Web Application Security Assessments
  • Utilizes proprietary Vulnerability Linkage Theory (VLT) to achieve a greater attack
  • Demonstrates proprietary tools to Clients during on site Web Application Security Assessments
  • Publishes our own Exploits, Zero Days and Tools to the Information Security Community
  • Profiling Team members are known as experts in Web Application Security Assessments worldwide
  • Contributed significantly to OWASP’s Web Application Testing Guide project
  • Profiling Team members are frequent speakers at National and world-wide security and hacking conferences; such as, DEFCON, Black Hat, OWASP AppSec, SANS, ShmooCon, THOTCON, DerbyCon, ToorCon and more
  • Conducts all external Web Application Security Assessments from our state-of-the-art hacking facility in SecureState’s world headquarters; a DOD cleared facility
  • Provides a secure two-factor authentication web portal for access to Web Application Security Assessment results
  • Follows industry standard testing methodologies, vulnerability rating systems and uses real attack data collected by SecureState through years of assessments in order to compare your company to your industry peers from a security perspective


We Can Help You