Web Application Security Grey Box

SecureState attempts to combine multiple vulnerabilities to achieve full compromise, but with provided use cases, documentation, and credentials, we also assess business logic.

SecureState has been involved in testing Web Application Security (WAS) for most of our history. During that time, we have developed a customized manual testing methodology.


As applications become more dynamic and user friendly, the number of vulnerabilities left open by developers increases. This means your web application vulnerability management must be solid. SecureState has found that more than 90% of attacks are coming through the web application layer. Some industry regulations are even making web application security assessment reviews mandatory. The Payment Card Industry’s Data Security Standard makes it mandatory for companies to perform custom code assessments and/or install a web application firewall. Furthermore, if you are testing for business logic flaws, you must perform a Grey Box Web Application Security Assessment because manual methods are the only way to test for these types of flaws.


SecureState has been testing clients’ WAS for most of our history, and the Assessment remains one of our core services. We perform numerous Grey Box assessments for hundreds of clients. Our experience and expertise has led us to follow a very detailed and structured methodology based on the OWASP Testing Guide for performing WAS Assessments. SecureState uses the mindset and methodology of a hacker in an attempt to exploit vulnerabilities and misconfigurations in the application. There is no better way to approach Web Application testing.

Approach and Methodology

When testing an application, SecureState uses a web proxy to sit between the application and client browser. Using this tool, all submissions to the server get decrypted, and the tester is able to view the entire transmission, including hidden fields, cookies, and session IDs. This tool also allows the tester to create injection attacks and to modify data before sending the request to the server, thus bypassing client side validation.

The review will focus on the web application through normal browsing means (ports 80, 443) at the application level. The assessment will compare the client's assumptions with actual findings (i.e. user access rights) and Leading Practices. Included in this methodology is the use of the latest version of the OWASP Testing Guide as well as looking for vulnerabilities, design and configuration flaws from the OWASP Top Ten.

Once the assessment beings, SecureState identifies all application entry points, search engine reconnaissance, and analysis of error codes. Additionally, SecureState manually maps the application to collect session information as well as cookies and business logic information. All of the information needed for subsequent phases is obtained during this process.

SecureState tests for:
  • HTTP methods
  • TSL/SSL weaknesses
  • Infrastructure configuration management vulnerabilities
  • User enumeration
  • Brute force potential
  • Authentication bypass vulnerabilities
  • Session fixation and variables
  • Cross-site request forgery and path traversal
  • User roles and permissions
  • Privilege escalation vulnerabilities

SecureState then performs the actual tests to compromise security, exploiting any fields that allowed unverified data. During this section of the assessment, SQL Injection, XSS, HTTP response splitting, and other common attacks (noted in the OWASP Top Ten) are executed. 

Get Started!