Web App Penetration Testing(VAPT)

Web App VAPT Consultancy

A typical website penetration testing service comprises of simulation of real life hacking methodologies. It encompasees various security attack vectors and exploitation of potential vulnerabilities. Web application security testing performed by Valency Networks is an entirely manual approach. This service basically answers questions such as "What is Web VAPT", "How web pentesting is carried out?". While we do use automated tools, in order to mimic the real life hackers, we perform testing manually using pre-validated and highly technical test cases, that follow OWASP Top 10 standard.

Pentesting Exploit Categories

  • Web server exploits

  • Web service exploits

  • Authentication problems

  • Configuration problems

  • Database related problems

  • Scripting related problems

Vulnerabilities Detected

  • SQL Injection

  • Cross Site Scripting (XSS)

  • Cross Site Request Forgery (CSRF)

  • Forms Input Forgery

  • Code Inection

  • Cookie Poisioning

  • 400+ other vulnerabilities

VAPT Standards Followed

  • OWASP Top 10 - 2014

  • NIST - CWE Standard

VAPT Approaches

  • Black Box

  • Gray Box

  • White Box

Our experience & expertise in VAPT

For last 15 years Valency Networks' main focus had been in the area of IT security, IT performance and monitoring solutions, IT audit, compliance and governance. Valency Networks has catered more than 5000 Website applications globally. Our firm, aims in providing the quality-based and professional solutions to the customers to fill the technical and business improvement gaps. We are an award-winning cyber security company with a global customer base. Our customers endorse our service quality and technical abilities. Please check detailed services profile of the awarded top VAPT company.

Importance Of Manual Pentesting

At Valency Networks we emphasize more on Manual testing as it helps examine numerous test cases that are not tested by automated scanning tools. Automated testing executes only certain test cases but since it lacks the human intelligence it gives false-positive results. In manual testing we mimic the hackers' techniques to find vulnerabilities that not found on the surface level. Although automated testing takes less time, manual testing is better in preforming complex attacks such as Remote code injection, CSRF, LFI, Session hijacking, etc. Hence, we follow both automated and manual testing approach – To save time and examine test cases to provide accurate results.

Our Reporting features
Our VAPT report is different than others because it is not an outcome of a tool, but a combination of logs, tools output and manual Pen-testing efforts carried out. We provide a detailed report with accurate finding and solutions to fix the vulnerabilities reported. It contains the testing methodology carried out for the nature of VAPT conducted i.e., Web, Mobile, Network, Exe, etc. The executive summary provides the overall testing details like count of vulnerabilities, different test cases performed along with the fixation duration plan. For every vulnerability and its corresponding solution, we also provide reference links to help developers get clarity on the fixation steps.

Consultancy through Walk-Throughs
After the report is shared with the customer, we have a call with them to walk them through the entire report. In this walkthrough we explain the vulnerabilities found, along with its impact. We also use this call to cater the doubts or concerns that the customer might have regarding the reported vulnerabilities. End of the call we ensure customer team have got clarity and understood the fixation part if the vulnerability.

Hand-holding with customers to help them fix vulnerabilities
One of the things that we do that our customer appreciate us for, is technical hand-holding. After the testing is done, and the reports have been sent, we suggest customers to get on a call to get clarify on fixing the vulnerabilities reported. Most of the times since developers are not experienced and are not aware of the security fixations, we spare time in explaining them how to fix the vulnerabilities.
Once they have implemented the fixations, we perform a free retest for them to ensure their fixations have been implemented correctly and the vulnerability is closed. This process that we follow provides our customers assurance that they application is fixed for the vulnerabilities reported.

What Is Application Security Assessment?

With growing number and varieties of applications in the market, attackers have also become smart and are continuously finding brand new ways of exploiting the applications for their benefit. Hence, it becomes absolutely necessary to protect the application and implement security strategies that will secure the application from inside-out.
With the application security assessment, it becomes easy to test the application architecture, software code for underlying weaknesses and fix those before anyone else can take advantage of it. Based on our experience we find that a timely assessment of application can also help make the application comply with current and applicable compliance standards thus avoiding any data breached and future implications.
More info can be found on:
Steps of Penetration Testing

What Kind Of Security Is Needed For Web Services?

Web service is a medium by which a client can connect to the server on internet. The following must be implemented to secure the web services.

  • Confidentiality

  • Confidentiality in information security is about maintaining access to data to block unauthorized disclosure. Confidentiality is essential to prevent unauthorized access to data, to make sure that people without proper authorization are stopped from accessing important assets. by E-commerce apps store and maintain buyers’ data is and this data is stolen, it can cause significant harm. Credit card information, shipping information, contact information, and other personal information should be protected to prevent unauthorized access and data leakage.
  • Integrity

  • Integrity is about assuring that data can be trusted and has not been tampered with. It is necessary as it helps in preservation of the trustworthiness of data by holding it in the right form and immune to any inappropriate mutation. If the information has been tampered with or is not precise, it could denote a cyber-attack, vulnerability, or security incident. In FinTech companies, a sense of trust should be developed between a bank and its clients about financial information and account balances, ensuring that these credentials are genuine and have not been manipulated.
  • Availability

  • Availability ensures that networks, systems, and applications are up and operating. It makes sure that authorized users have timely, trustworthy access to resources when they are required. Multiple Organizations give high value to a website’s accessibility and responsiveness. Even a slight disruption in their website availability can result in revenue loss, consumer dissatisfaction, and reputational loss.
  • Authentication

  • All of the human-to-computer interactions that require the user to register and log in is user authentication. Authentication asks each user, “who are you?” and verifies their response. It aids in allowing access to valuable data only to those who are approved by the organization. User authentication is necessary as it ensures to keep unauthorized users away from sensitive information. Authentication protects organizations from potential data breaches.
  • Authorisation

  • Authorization is the process of providing someone the ability to access a resource. Authorization determines what permissions a user has after their identity has been verified through the authentication process. A user is prevented from accessing an account that isn’t theirs. They restrict free accounts from getting premium features. They ensure internal accounts only have access to what they need. It helps in preventing unauthorized transactions and fraud, protecting personal data and improvement of data quality through targeted data ownership.
  • Network Security

  • A procedure that involves taking preventative measures for protecting the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction or improper disclosure is network security. A sound network security system helps in reducing the risk of data loss, theft and sabotage. Network security is concerned with accuracy, confidentiality, and secure access to sensitive data. Good network security doesn’t only keep your network safe; it helps it run better. It aids in preventing security breaches and network threats like Man in the Middle (MiM) attack, ransomware Denial-of-Service attacks and network intrusions, and damage of intellectual property.
  • Non-repudiation

  • The assurance that the validity of something cannot be denied is non-repudiation. It provides proof of the origin and the integrity of the data and is a widely used legal concept in information security. Non-repudiation ensures that the authenticity and integrity of that message cannot be denied. Alice buys a cell phone for $300, writes and signs a paper cheque as payment. Later, she claims that the cheque is a forgery as she finds that she can't afford it. The signature guarantees that only Alice could have signed the cheque, and so her bank must pay the cheque. This is non-repudiation; Alice cannot repudiate the cheque.
  • Data Protection

  • Data protection refers to all the mechanisms and processes designed to protect an organization's data from compromise, loss, theft, and corruption. Organizations guard themselves and their customers against identity theft and phishing scams by implementing data protection. Data protection regulations guarantees the security of individuals’ personal data and helps in regulation of the collection, usage, transfer, and disclosure of the said data. Access to data of the individuals is provided and accountability measures are placed on organizations that process personal data and remedies for unauthorized and harmful processing are also supplemented. It aids in preventing data loss, theft, or corruption and can help to minimize damage caused in the event of a breach or disaster.
Detailed info can be found on:
Top 10 Web service security requirements

Major Web Application Security Attacks

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur.
As a best Pentesting company we witness multiple scenarios while performing vulnerability assessment for our customers. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users. More Knowledge: How to Prevent Authentication Bypass Attacks

Code Injection, or Remote Code Execution (RCE) refers to an attack where in an attacker is able to execute malicious code as a result of an injection attack. Code Injection differs from Command Injection since an attacker is confined to the limitations of the language executing the injected code. While its possible for an attacker to escalate an attack from Code Injection to execute arbitrary shell commands, its not always the case.
Typically, Code Injection occurs when an application evaluates code without validating it first. Code Injection refers to any means which allows an attacker to inject source code into a web application such that it is interpreted and executed. This does not apply to code injected into a client of the application, e.g., JavaScript, which instead falls under the domain of Cross-Site Scripting (XSS).

SQL injection vulnerabilities remain a headache for Web app developers, security professionals and database administrators. In a recent survey of 800 IT security pros and developers by the Ponemon Institute and app security firm Security Innovation, 42% of developers and 46% of security practitioners admitted SQL injection at the application layer had been exploited in a recent breach against their organizations. The responses made SQL injection the most-cited attack vector on a list that included cross-site scripting and privilege escalation. SQL injection attacks exploit non-validated user input to issue commands through an application to a back-end database. Finding the holes through which these attacks can be launched isn't all that difficult. One of the first things attackers like to do is to see how an application handles error. Another way to search for vulnerable sites is through Google hacking. Google hacking uses search engines to find security gaps by leveraging the mountains of data they index. An attacker might start by entering a search query called a Google Dork designed to locate results that could offer a clue about sites that might be vulnerable. There are a number of Google Dorks that can be useful for a hacker searching for a SQL injection vulnerability to exploit. More Knowledge: SQL Injection Vulnerabilities

Cross site Scripting (XSS) attacks are a type of script injection in which malicious scripts are injected into web sites forms. XSS vulnerability is the most common flaw in web applications. Cross site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
Attackers frequently use a variety of methods to encode the malicious portion of the tag, such as using Unicode, so the request is less suspicious looking to the user. There are multiple ways these attacks could be initiated. but the most common XSS attacks usually are in the form of embedded JavaScript. XSS issues can also be present in the underlying web and application servers as well. Most web and application servers generate simple web pages to display in the case of various errors, such as a 404 page not found or a 500 internal server error. More Knowledge: How To Protect From Cross Site Scripting Vulnerability Attack

A file upload vulnerability is when an application does not accept uploads directly from site visitors. Instead, a visitor can provide a URL on the web that the application will use to fetch a file. That file will be saved to disk in a publicly accessible directory. An attacker may then access that file, execute it and gain access to the site.
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. While file upload problems are found typically in php code and frameworks, other platforms exhibit those too. More Knowledge: File Upload Attack

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Typically a non-admin user would try to become an admin user, to gain more access than required. Privilege escalation has 2 types:
Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.)
Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B) More Knowledge: Privilege Escalation Vulnerability

COOKIE INJECTION Cookies are an important feature of Web Applications and penetration testers must have a good understanding of Cookies from Security Point Of View . Once the tester has an understanding of how cookies are set, when they are set, what they are used for, why they are used, and their importance, the penetration tester must know how to test if they are secure.
If an attacker were able to acquire a session token by attacks such as cross site scripting or by sniffing an unencrypted session, then they could use this cookie to hijack a valid session. More Knowledge: How To Prevent Cookie Injection Attacks

SESSION VULNERABILITY Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session ID, making it possible to use an existent session ID.
The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a valid session ID and try to make the victim's browser use it. More Knowledge: Session Vulnerabilities

CSRF VULNERABILITY CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user.
Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will send a request to a second site, and the second site will mistakenly think that the user authorized the request. More Knowledge: CSRF (Cross Site Request Forging) Vulnerability

CREDENTIAL REUSE Users today have so many logins and passwords to remember that its tempting to reuse credentials here or there to make life a little easier. Even though security best practices universally recommend that you have unique passwords for all your applications and websites, many people still reuse their passwords which is a problem.
As a best pen testing company, we witness that once attackers have a collection of usernames and passwords from a breached website or service (easily acquired on any number of black market websites on the internet), they know that if they use these same credentials on other websites there's a chance they'll be able to log in. No matter how tempting it may be to reuse credentials for your email, bank account, and your favorite sports forum, it's possible that one day the forum will get hacked, giving an attacker easy access to your email and bank account. When it comes to credentials, variety is essential. Password managers are available and can be helpful when it comes to managing the various credentials you use. More Knowledge: "Plain text credentials vulnerability

Taking example of a PHP application - PHP is server side language so you can't just do a view source to see a script's code. But if something happens to Apache and all of a sudden your scripts are served as plain text, people see source code they were never meant to see. Some of that code might list accessible configuration files or have sensitive information like database credentials.
The solution centers around how you set up the directory structure for your application. That is, it isn't so much a problem that bad people can see some code, it's what code they can see if sensitive files are kept in a public directory. Keep important files out of the publicly-accessible directory to avoid the consequences of this blunder.

Remote file inclusion is when remote files get included in your application. This is because the remote file is untrusted. It could have been maliciously modified to contain code you don't want running in your application. Suppose you have a situation where your site at www.myplace.com includes the library www.goodpeople.com/script.php. One night, www.goodpeople.com is compromised and the contents of the file is replaced with evil code that will trash your application.
Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts. The perpetrator's goal is to exploit the referencing function in an application to upload malware (e.g., backdoor shells) from a remote URL located within a different domain. The consequences of a successful RFI attack include information theft, compromised servers and a site takeover that allows for content modification. More Knowledge: How To Prevent Local Remote File Inclusion Attacks

Local file inclusion (LFI) is a vector that involves uploading malicious files to servers via web browsers. The two vectors are often referenced together in the context of file inclusion attacks. In both cases, a successful attack results in malware being uploaded to the targeted server. However, unlike RFI, LFI assaults aim to exploit insecure local file upload functions that fail to validate user-supplied/controlled input. As a result, malicious character uploads and directory/path traversal attacks are allowed for. Perpetrators can then directly upload malware to a compromised system, as opposed to retrieving it using a tempered external referencing function from a remote location.

Properly controlling access to web content is crucial for running a secure web server. Directory traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory. Web servers provide two main levels of security mechanisms Access Control Lists (ACLs) and Root directory.
An Access Control List is used in the authorization process. It is a list which the web server's administrator uses to indicate which users or groups are able to access, modify or execute particular files on the server, as well as other access rights. With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. More Knowledge: Directory Listing Is Enabled Leading to Further Attacks

What Are The Strategies To Secure Web Applications?

With growing number of websites and easy access to internet, hacker's attack vector is also expanding. Hackers are becoming very advanced with their strategies and finding new ways of destruction. Hence, introducing web application security during early stages of development is important.
Following strategies can be adopted to ensure web security.

  • Perform risk analysis

    during early stages of product development. This helps finding out loopholes related to a particular component, be it web service, coding language, server etc and can be treated then and then.
  • Use secure coding practices

    while writing code. This reduces the chances of attacks due to use of wrong functions or wrong logic.
  • Do code review frequently.

    Ask your peers to assess your code. Also, opt for automated source code review tools in the market for more detailed analysis.
  • Perform VAPT for your application.

    Opt for manual and automated methods. This will give you an idea of all the vulnerabilities present in your application while it is actually running.

Typical Security Problems in Web Application

Being one of the best cyber security companies in India, Valency Networks has performed thousands of web application pentests. Each vulnerability assessment of the web applications helps us gain tremendeous knowledge and expertise which we occasionally share with the world as a give back to cyber security fraternity. Our findings showed us that even after so many years, the real challenges are as below.

  • Forgetting to sanitize user inputs

    Either due to unawareness or lack of knowledge, we see that many developers simply do not sanitize the user inputs. This leads to exposing the web app to attacks such as SQL Injection, cross site scripting, server side forgery etc. Valency Networks team performs walk-throughs of reports with the customer's technical team, to impart them with the required knowledge. Many times we end up training the resources so as to enable them in developing secure code.

  • Forgetting to test the application

    While entire focus is on development and functional testing, we see that many companies still do not perform VAPT, neither do they spend time or budget on ensuring that a pentesting is performed as a part of their CI/CD process in the software development life cycle (SDLC). Its imperative to find loopholes in a web app from a vendor or consultant company whose expertise is in the subject matter of cyber security, vulnerability assessmenr and penetration testing in general.

  • Selecting a good cyber security partner

    Many applications we tested, were found to be prone to vulnerabilities. This was despite the fact that those had undergone VAPT. The problem was that the VAPT was performed internally to save budget. As explained earlier, its important to have a 3rd party vendor perform VAPT of the web application. The selection of such a vendor needs to be based on the pentesting experts employed by that vapt company. You may want to read an article on our website which talks about Tips to select a correct VAPT vendor. Also read Typical Web Application Security Vulnerabilities Pentesting.

Our Culture

Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.