A typical website penetration testing service comprises of simulation of real life hacking methodologies. It encompasees various security attack vectors and exploitation of potential vulnerabilities. Web application security testing performed by Valency Networks is an entirely manual approach. This service basically answers questions such as "What is Web VAPT", "How web pentesting is carried out?". While we do use automated tools, in order to mimic the real life hackers, we perform testing manually using pre-validated and highly technical test cases, that follow OWASP Top 10 standard.

Exploit Categories

  • Web server exploits

  • Web service exploits

  • Authentication problems

  • Configuration problems

  • Database related problems

  • Scripting related problems

Standards Followed

  • OWASP Top 10 - 2014

  • NIST - CWE Standard

Vulnerabilities Detected

  • SQL Injection

  • Cross Site Scripting (XSS)

  • Cross Site Request Forgery (CSRF)

  • Forms Input Forgery

  • Code Inection

  • Cookie Poisioning

  • 400+ other vulnerabilities

Test Approaches

  • Black Box

  • Gray Box

Penetration Testing Services

Auth Bypass

Code Injection

Priviledge Escalation

Server MisConfig

Cookie Injection

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. As a best pentesting company we witness multiple scenarios while performing vulnerability assessment for our customers. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.
It was discovered that SQL Injection techniques can be used to fool the application into authenticating without the attacker needing valid credentials. SQL Injection vulnerabilities on login pages expose an application to unauthorized access and quite probably at the administrator level, thereby severely compromising the security of the application.
Applications require authentication for gaining access to private information. Not every authentication method is able to provide adequate security. A flaw in the application that allows users to access application resources without authentication is referred as? Authentication Bypass?. Authentication bypass vulnerability is generally caused when it is assumed that users will behave in a certain way and failing to foresee the consequences of users doing the unexpected.
Likelihood: Likelihood of authentication bypass exploit using forceful browsing technique or URL parameter tampering is ?High? as any normal internet user could launch this attack. Authentication Bypass using ?POST? parameter or session cookies tampering or SQL injection may require tools like web proxy and little knowledge on hacking techniques. Hence, Likelihood of vulnerability in this case may be rated as ?Medium/High?.
Impact: If an attacker could obtain sensitive personal data of a user, then impact of the vulnerability could be rated as ?High?. If an attacker could gain access only to static pages, then impact of the vulnerability could be rated as ?Medium?.

Read More

Our Culture

Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.