Penetration Test

A penetration test, colloquially known as a pen test, is an authorized simulated cyber attack on a computer system, performed to evaluate the security of the system.[1][promotional or fringe source?] The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data,[2][3] as well as strengths,[4] enabling a full risk assessment to be completed.

PENETRATION TEST

Our penetration test steps

Firstly information is gathered such as:
-Target (URL/IP)
-Credentials (for Role Based Testing and Grey Box Testing)
-Any additional requirement customer might have.

Automated Scanners are run (Combination of Free and Paid Scanners)

Reports from Scanners Compiled and False Positives are Removed using a combination of automated and manual efforts

Extensive and In-Depth Manual Efforts to Include:
-Business Logic Coverage
-Role Based Testing (Horizontal and Vertical Privilege Escalation Tests)
-Business Critical Vulnerabilities like XSS, CSRF, SQL and HTML Injection, etc

Our Security Testing

About our security testing services

Our Security Testing Services include Penetration Testing and Vulnerability Assessment Services.
-Web Application
-Mobile Application
-Network

Combines advantages of traditional Testing Techniques
-Hybrid testing (Automated Scanners + Manual Testing)

Ensures convenience, speed, cost-saving and increased range.

TESTING METHODOLOGY

our Penetration Testing Methodology

Understand client requirements

Collect relevant target information.

Identifying assets and threats to the target.

Find flaws (Manual & Auto)

Gain access using the flaws discovered

Look for BL, RB and false negatives.

QC by experts and report to client.

Coverage Description

Because of the innovative hybrid approach to Pen Testing, the coverage is far superior than most available methods of info-sec in the market.

100% False Positive Removal

100% WASC II Coverage (49 Classes)

  • OWASP stands for Open Web Application Security Project
  • It is an online community which enables the availability of information such as documents, methodology, techniques, articles, and even technology in Web Application Security
  • e Top 10 are regularly updated and the goal is to identify and raise awareness about the most critical risks that an organization face

     

    OWASP Top 10 – 2017 (RC1)

    • Injection
    • Broken Authentication & Session management
    • Cross Site Scripting (XSS)
    • Broken Access Control
    • Security Misconfiguration
    • Sensitive Data Exposure
    • Insufficient Attack Protection
    • Cross-Site Request Forgery (CSRF)
    • Using Components with Known Vulnerabilities
    • Underprotected APIs
  • While conducting Security Assessment on an Information System, there are Security Threats that are identified which are ranked based on their criticality, occurrence, ease of exploit and significance
  • CWE stands for Common Weakness Enumeration and it compiles the Top 25 Most Dangerous and Critical Software Errors which can lead to serious vulnerabilities in Software
  • The Top 25 is a result of collaboration between SANS Institute, MITRE, and several Top Security Experts in the US and Europe
  • Top 25 are prioritized based on inputs from over 20 organizations, and each weakness was assessed based on its importance, ease of exploit and occurrence
  • Business Logic is the part of the application/program/software which encodes for different Business Rules
  • Such encoding ensures the determination of data creation, storage and data change
  • Flaws or irregularities in such encoding may result in certain Business Critical Vulnerabilities that remain undetected by Automated Scanners and require In-Depth Manual Exploitation

Business Logic Flaws

  • Price Tampering
  • Bypass Validation
  • Coupon Reuse
  • CAPTCHA Bypass
  • Negative amount transfer
  • Email Spoofing
  • Keys/Tokens Reuse
  • Order Out of Stock Item
  • Payment Gateway Bypass
  • Misuse Forget Password

Business Critical Vulnerability Detection

  • XSS, CSRF, SQL Injection, HTML Injection, etc

Role Based Testing (Horizontal and Vertical Privilege Escalation Test)

Close Menu