Vulnerability Assessment and Penetration Testing, or VAPT, are two complementary processes that involve scanning a network, detecting its risks or vulnerabilities, and then mitigating them through systematic procedures. Vulnerability assessment analyses the security weaknesses in the overall network and indicates the degree to which the network could be attacked by a malicious intruder. A detailed report is generated accordingly and mitigation strategies are planned. VAPT is an essential step in security because it builds customer trust in an organization and certifies it as a secure service provider.

Web security testing services, also called VAPT, include a vulnerability scan or vulnerability assessment to find known vulnerabilities in a system. Vulnerability assessment tools are used for this. They help identify vulnerabilities but do not distinguish between flaws that can be exploited to cause damage and those that cannot. Scanning is done continuously, especially after new equipment is added. Vulnerability assessment focuses on:

  • Identifying potential vulnerabilities
  • Classifying vulnerabilities into High, Moderate, and Low risk vulnerabilities
  • Identifying assets connected to the network

A penetration test, also called a pen test, is an attempt to exploit the vulnerabilities in a system, using the same techniques an attacker would use. It is done at least once a year. It helps determine whether unauthorized access or other malicious activity against the system is possible, and identifies which flaws pose a real threat to the application. The goal of a penetration test is to identify actual risk. A pen test focuses on:

  • Identifying unknown vulnerabilities (zero days)
  • Validating vulnerabilities by exploitation
  • Identifying additional vulnerabilities not identifiable or accessible by a vulnerability assessment

Website VAPT, or website vulnerability assessment and penetration testing, is a step-by-step procedure to determine the security of a website by finding its vulnerabilities, if any, and taking appropriate action against them. Security can be assessed from the point of view of an end user, an administrator and an anonymous user. Some of the vulnerabilities that can be found using website VAPT are:

SQL Injection : SQL injection is a web attack technique in which the attacker makes an application run database code it was never intended to run. It is a user-input vulnerability. Attackers use this method to steal information from organizations. sqlmap is a tool that can be used to detect this vulnerability.

Cross site scripting : Cross-site scripting, also called XSS (and sometimes CSS), is an attack in which the attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. It leverages vulnerabilities in the code of a web application to let an attacker deliver malicious content to an end user and collect some type of data from the victim. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

XPath Injection : XPath injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

Cookie poisoning : Cookie poisoning is the modification of a cookie (personal information stored on a web user's computer) by an attacker to gain unauthorized information about the user for purposes such as identity theft. The attacker may use the information to open new accounts or to gain access to the user's existing accounts.
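A cookie that the server later trusts should be checked for tampering before its contents are used. The following is an added example, not code from the original page, showing one common defence: the server attaches an HMAC tag to the cookie value and refuses any cookie whose tag does not verify. The secret key and the cookie contents are constructed for the example; a production service would keep the key in a secret store and would usually store only an opaque session identifier in the cookie rather than user attributes.

```python
import base64
import hashlib
import hmac

# Constructed server-side key for the example only; never hard-code a real one.
SECRET_KEY = b"example-key-do-not-use"


def _tag(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the cookie value, URL-safe base64 without padding."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return '<value>.<tag>' so the client can carry it but not forge it."""
    return value + "." + _tag(value, key)


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the cookie value if its tag verifies, otherwise None.

    rpartition is used because the value itself may contain dots; the tag
    never does (URL-safe base64 alphabet)."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all: treat as poisoned/unknown
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(_tag(value, key), tag):
        return None
    return value


if __name__ == "__main__":
    issued = sign_cookie("user=alice;role=user")
    print("issued:  ", issued, "->", verify_cookie(issued))
    forged = issued.replace("role=user", "role=admin")
    print("tampered:", forged, "->", verify_cookie(forged))
```

A rejected cookie should be logged with the client address and the raw value, since repeated verification failures from one source are a useful detection signal for cookie-poisoning attempts.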

Buffer overflow : A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

Directory traversal/Unicode : Directory traversal is an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the web server's root directory; the Unicode variant hides the traversal sequence behind alternative encodings of the path characters so that naive filters miss it.
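The defensive counterpart is a path resolver that decodes the request, normalises it and refuses anything that would climb above the document root. This is an added example, not code from the page: it decodes percent-encoding repeatedly (so double-encoded `..` is caught), strips `.` segments, and rejects any `..` that would leave the root instead of silently remapping it. The web root is a constructed value; the overlong UTF-8 sequences behind the historical "Unicode" bug are not simulated here, because Python's URL decoder does not turn them into `/`.

```python
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # constructed document root for the example


def fully_decode(s: str, rounds: int = 3) -> str:
    """Apply percent-decoding until it stops changing (bounded), so that
    %252e%252e (double-encoded '..') is seen the way a lax server would."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_web_path(requested: str, web_root: str = WEB_ROOT):
    """Map a request path onto the filesystem, or return None to reject it.

    Resolution is purely lexical: every '..' must be cancelled by a real
    segment already collected; one that would climb above the root is
    rejected outright rather than clamped."""
    decoded = fully_decode(requested)
    if "\x00" in decoded:
        return None  # NUL truncation tricks against C-level open()
    segments = []
    for part in decoded.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not segments:
                return None  # would escape the web root
            segments.pop()
        else:
            segments.append(part)
    return "/".join([web_root.rstrip("/")] + segments)


if __name__ == "__main__":
    for req in ("/index.html", "docs/../readme.txt", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{req!r:32} -> {resolve_web_path(req)}")
```

Because the check is lexical, a symlink inside the root can still point outside it; if the filesystem allows symlinks, follow this with an `os.path.realpath` comparison against the real root before opening the file.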

Improper error handling : Error messages can reveal implementation details that should never be exposed, giving an attacker clues to potential flaws.

Web Security Testing OWASP Top 10 Ratings

OWASP A1

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments; etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws. Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.

OWASP A2

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

You may be vulnerable if:

  • User authentication credentials aren't protected when stored using hashing or encryption.
  • Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
  • Session IDs are exposed in the URL (e.g., URL rewriting).
  • Session IDs are vulnerable to session fixation attacks.
  • Session IDs don't timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren't properly invalidated during logout.
  • Session IDs aren't rotated after successful login.
  • Passwords, session IDs, and other credentials are sent over unencrypted connections.
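Several of the checklist items above (fixation, timeouts, logout invalidation, rotation after login) come down to how the server-side session store behaves. The following is an added example of such a store, not code from the page: session identifiers come from the OS CSPRNG, login discards the pre-authentication identifier and issues a fresh one, idle sessions expire server-side, and logout deletes the record rather than merely clearing the cookie. The timeout value and the injectable clock are assumptions made so the behaviour can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; constructed policy value for the example


class SessionStore:
    """Minimal in-memory session store illustrating the A2 controls."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session id -> {"user": str|None, "last_seen": float}
        self._clock = clock  # injectable so tests can advance time

    def create(self, user=None) -> str:
        """Issue a fresh, unguessable id (256 bits from the CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def get(self, sid: str):
        """Return the session record, or None if unknown or idle too long."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._clock() - record["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: remove server-side
            return None
        record["last_seen"] = self._clock()
        return record

    def login(self, old_sid: str, user: str) -> str:
        """Rotate on authentication: the id the browser held before login
        (possibly planted by an attacker, i.e. session fixation) is
        destroyed and a new one bound to the user is issued."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> bool:
        """Invalidate server-side; clearing the cookie alone is not enough."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    auth = store.login(anon, "alice")
    print("rotated:", anon != auth, "old id valid:", store.get(anon) is not None)
    print("logout:", store.logout(auth), "still valid:", store.get(auth) is not None)
```

When reviewing a real application, the things to confirm are the same four: a different identifier before and after login, an unknown identifier after logout, expiry enforced by the server rather than only by the cookie's `Max-Age`, and an identifier generated from a cryptographic source rather than a counter or timestamp.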

OWASP A3

XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content. There are two different types of XSS flaws: 1) Stored and 2) Reflected, and each of these can occur a) on the server or b) on the client. Detection of most server XSS flaws is fairly easy via testing or code analysis. Client XSS is very difficult to identify.

Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc. Consider the business value of the affected system and all the data it processes. Also consider the business impact of public exposure of the vulnerability.
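The fix for reflected server-side XSS is output encoding at the point where untrusted data enters the page. This added example (not code from the page) renders the same user-supplied value with and without HTML escaping, and includes a small detector of the sort a test harness uses to decide whether the response would be interpreted as markup. The template, the probe string and the detector pattern are constructed for the example; the detector only covers the script-tag and inline-handler cases in an HTML text context, not attribute or JavaScript contexts, which need their own encoders.

```python
import html
import re


def render_unsafe(username: str) -> str:
    """Reflects the value verbatim into the page: the A3 flaw."""
    return "<p>Welcome, " + username + "</p>"


def render_safe(username: str) -> str:
    """Escapes & < > \" ' so the browser treats the value as text."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


# Would the browser see a <script> tag, or a tag carrying an on*= handler?
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[a-z][^>]*\son\w+\s*=", re.IGNORECASE)


def contains_active_markup(page: str) -> bool:
    """True if the rendered output contains script-bearing markup."""
    return bool(ACTIVE_MARKUP.search(page))


def check(username: str) -> dict:
    """Render both ways and report whether each output is exploitable."""
    return {
        "unsafe_active": contains_active_markup(render_unsafe(username)),
        "safe_active": contains_active_markup(render_safe(username)),
        "safe_output": render_safe(username),
    }


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input
    for name, value in check(probe).items():
        print(f"{name:14} -> {value}")
```

The same probe flows through both renderers; only the unescaped one yields live markup. In a real review, the useful follow-up is to find every template or string-building site that emits user data and confirm that the encoder used matches the context (HTML body, attribute, URL, or script).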

OWASP A4

Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.

To achieve this, consider:

  • For direct references to restricted resources, does the application fail to verify that the user is authorized to access the exact resource they have requested?
  • If the reference is an indirect reference, does the mapping to the direct reference fail to limit the values to those authorized for the current user?

Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
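Both approaches from the list above can be shown on one small data set. This is an added example, not code from the page: a direct reference with no ownership check (the flaw), the same direct reference with the check added, and a per-user indirect reference map in which the only values the client ever sees are opaque tokens for objects that user may access. The invoice records and the user names are constructed for the example.

```python
import secrets

# Constructed data: invoice id -> record, including who owns it.
INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 75},
}


def fetch_invoice_unsafe(user: str, invoice_id: int):
    """Direct reference, no authorization check: the A4 flaw. Any user who
    changes the id in the request reads someone else's invoice."""
    return INVOICES.get(invoice_id)


def fetch_invoice_direct_checked(user: str, invoice_id: int):
    """Direct reference with ownership verified against the current user.
    'Missing' and 'not yours' return the same result so the id space is not
    enumerable through differing responses."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        return None
    return invoice


class IndirectRefMap:
    """Per-session map from opaque tokens to the ids this user may touch.
    The client only ever sees the tokens, so there is no real id to tamper
    with, and the map itself bounds the authorized set."""

    def __init__(self, user: str):
        self.user = user
        self._tokens = {}
        for invoice_id, invoice in INVOICES.items():
            if invoice["owner"] == user:
                self._tokens[secrets.token_urlsafe(8)] = invoice_id

    def tokens(self) -> list:
        """Tokens to embed in links/forms for this user."""
        return list(self._tokens)

    def fetch(self, token: str):
        """Resolve a token; unknown tokens (including another user's) yield None."""
        invoice_id = self._tokens.get(token)
        return INVOICES.get(invoice_id) if invoice_id is not None else None


if __name__ == "__main__":
    print("unsafe, alice reads 102:", fetch_invoice_unsafe("alice", 102))
    print("checked, alice reads 102:", fetch_invoice_direct_checked("alice", 102))
    alice = IndirectRefMap("alice")
    print("alice's tokens:", alice.tokens(), "->", [alice.fetch(t) for t in alice.tokens()])
```

The test a pentester runs is the first function: swap the identifier for one belonging to another account and see whether the record comes back. The two hardened variants make that swap return nothing, which is the behaviour a code reviewer should be able to point to for every restricted resource.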

OWASP A5

Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly.

The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time. Is your application missing the proper security hardening across any part of the application stack, including:

  • Is any of your software out of date? This includes the OS, Web/App Server, DBMS, applications, and all code libraries
  • Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
  • Are default accounts and their passwords still enabled and unchanged?
  • Does your error handling reveal stack traces or other overly informative error messages to users?
  • Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?

Without a concerted, repeatable application security configuration process, systems are at a higher risk.
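A repeatable configuration process usually starts with a small audit that runs against every deployment. The following is an added example, not code from the page: it checks a constructed settings dictionary for the items in the list above (debug mode that exposes stack traces, unnecessary features, unchanged default accounts, out-of-date components) and shows the weak configuration beside a hardened one. The version floors, the default-credential list and all settings are constructed for the example and are not taken from any advisory.

```python
# Constructed settings as a deployment might ship them (weak) and as they
# should look after hardening. Version floors below are illustrative only.
WEAK_CONFIG = {
    "debug": True,                 # stack traces reach end users
    "directory_listing": True,     # unnecessary feature left enabled
    "admin_user": "admin",
    "admin_password": "admin",     # vendor default never changed
    "components": {"openssl": "1.0.2", "nginx": "1.24.0"},
}

HARDENED_CONFIG = {
    "debug": False,
    "directory_listing": False,
    "admin_user": "ops-admin",
    "admin_password": "<rotated-secret-placeholder>",
    "components": {"openssl": "3.0.13", "nginx": "1.26.0"},
}

# Constructed list of well-known default credential pairs to flag.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

# Constructed minimum acceptable versions (maintained by the team, not real advisories).
MIN_VERSIONS = {"openssl": (1, 1, 1), "nginx": (1, 24, 0)}


def parse_version(text: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); assumes dotted integers only."""
    return tuple(int(part) for part in text.split("."))


def audit(config: dict) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled: stack traces and internals shown to users")
    if config.get("directory_listing"):
        findings.append("directory listing enabled: unnecessary feature exposed")
    if (config.get("admin_user"), config.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("default administrative credentials unchanged")
    for name, version in config.get("components", {}).items():
        floor = MIN_VERSIONS.get(name)
        if floor and parse_version(version) < floor:
            wanted = ".".join(str(n) for n in floor)
            findings.append(f"{name} {version} is below the minimum {wanted}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or ["no findings"])
```

Wiring a check like this into the build or deployment pipeline is what turns a one-off hardening effort into the repeatable process the paragraph calls for; the version floor table is the part that needs regular maintenance.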

Our Culture

Valency Networks has a very agile, friendly and fun-loving atmosphere, yet we maintain a cutting-edge, technically vibrant work environment.