As web services have become business-critical components, it is vital to improve their security. Many businesses equate penetration testing with running automated web vulnerability scanners against a site; however, true penetration testing is more than that. It requires sophisticated skills and experience on the part of the testers.
Web vulnerability scanners can detect weaknesses in a black-box way, and they are easy to use. There are various scanners to choose from; organizations should select among them based on their requirements and conditions. In this thesis, we study vulnerabilities in a web application named Virtual Environment Manager (VEM) from the company Tieto. After scanning VEM with two scanners, 11 types of vulnerabilities are detected. Then, we exploit every vulnerability based on the application's source code, and also evaluate their severity levels. Finally, solutions for remedying these vulnerabilities are provided. Because of some limitations, the security testing of VEM is not fully implemented. For example, the cloud infrastructure is not detected. Still, this experiment contributes to security testing of the VEM web application. We hope that this project can help Tieto improve the security level of VEM.