Web App VAPT Consultancy
A typical website penetration testing service comprises the simulation of real-life hacking methodologies. It encompasses various security attack vectors and the exploitation of potential vulnerabilities. Web application security testing performed by Valency Networks is an entirely manual approach. This service answers questions such as "What is Web VAPT?" and "How is web pentesting carried out?". While we do use automated tools, in order to mimic real-life hackers we perform testing manually, using pre-validated and highly technical test cases that follow the OWASP Top 10 standard.
For the last 15 years, Valency Networks' main focus has been the areas of IT security, IT performance and monitoring solutions, IT audit, compliance and governance. Valency Networks has catered to more than 5000 website applications globally. Our firm aims to provide quality-based, professional solutions that fill customers' technical and business improvement gaps. We are an award-winning cyber security company with a global customer base. Our customers endorse our service quality and technical abilities. Please check the detailed services profile of this award-winning top VAPT company.
At Valency Networks we emphasize manual testing, as it examines numerous test cases that automated scanning tools do not cover. Automated testing executes only certain test cases and, because it lacks human intelligence, produces false-positive results. In manual testing we mimic hackers' techniques to find vulnerabilities that are not visible at the surface level. Although automated testing takes less time, manual testing is better at performing complex attacks such as remote code injection, CSRF, LFI, session hijacking, etc. Hence, we follow both automated and manual testing approaches: automation to save time, and manual examination of test cases to provide accurate results.
Our Reporting features
Our VAPT report is different from others because it is not the output of a tool, but a combination of logs, tool output and the manual pen-testing effort carried out. We provide a detailed report with accurate findings and solutions to fix the vulnerabilities reported. It contains the testing methodology followed for the type of VAPT conducted, i.e. Web, Mobile, Network, Exe, etc. The executive summary provides the overall testing details, such as the count of vulnerabilities and the different test cases performed, along with a plan for the time needed to fix them. For every vulnerability and its corresponding solution, we also provide reference links to help developers get clarity on the fix steps.
Consultancy through Walk-Throughs
After the report is shared with the customer, we hold a call with them to walk through the entire report. In this walkthrough we explain the vulnerabilities found, along with their impact. We also use this call to address any doubts or concerns the customer may have regarding the reported vulnerabilities. By the end of the call we ensure the customer's team has clarity on, and understands, how each vulnerability is to be fixed.
Hand-holding with customers to help them fix vulnerabilities
One of the things our customers appreciate us for is technical hand-holding. After the testing is done and the reports have been sent, we suggest that customers get on a call to get clarity on fixing the vulnerabilities reported. Since developers are often inexperienced and unaware of the security fixes required, we spend time explaining to them how to fix the vulnerabilities.
Once they have implemented the fixes, we perform a free retest to ensure the fixes have been implemented correctly and the vulnerability is closed. This process gives our customers assurance that their application is fixed for the vulnerabilities reported.
With the growing number and variety of applications in the market, attackers have also become smarter and are continuously finding brand-new ways of exploiting applications for their benefit. Hence, it becomes absolutely necessary to protect the application and implement security strategies that secure it from the inside out.
With an application security assessment, it becomes easy to test the application architecture and software code for underlying weaknesses and fix them before anyone else can take advantage of them. Based on our experience, a timely assessment of the application can also help it comply with current and applicable compliance standards, thus avoiding data breaches and their future implications.
Steps of Penetration Testing
A web service is the medium through which a client connects to a server over the internet. The following vulnerability classes must be tested for and addressed to secure web services.
AUTH BYPASS
An attacker gains access to an application, service or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place: they gain access equivalent to that of an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access path that does not pass through the checkpoints where authentication should occur.
As a leading pentesting company, we witness multiple such scenarios while performing vulnerability assessments for our customers. For example, a web site might assume that all users will click through a given link to get to secure material, and simply authenticate everyone who clicks the link. An attacker, however, might be able to reach the secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that it avoids authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.
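The "click-through link" assumption described above, shown as an added example (this is illustrative code written for this page, not Valency Networks' or any customer's code). The page names, session store and the `/secure/` prefix are assumptions; the fixed handler checks the session on the protected resource itself rather than on the link that leads to it.

```python
import posixpath
import secrets

# Constructed example: a tiny request dispatcher for a site whose protected
# pages live under /secure/. SESSIONS maps session IDs to logged-in users.
SESSIONS = {}
PUBLIC_PAGES = {"/": "welcome page", "/login": "login form"}
PROTECTED_PAGES = {"/secure/report": "quarterly figures",
                   "/secure/admin": "admin panel"}


def login(user):
    """Create a server-side session and return its ID (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def handle_vulnerable(path, sid=None):
    """Assumes visitors only reach /secure/* by clicking a link that the
    /login page shows after a successful login, so no check is made when the
    protected page itself is requested. Typing the path directly skips the
    login step entirely."""
    if path in PUBLIC_PAGES:
        return 200, PUBLIC_PAGES[path]
    if path in PROTECTED_PAGES:
        return 200, PROTECTED_PAGES[path]
    return 404, "not found"


def handle_fixed(path, sid=None):
    """Enforces authentication on the resource itself: the session is checked
    on every request for a protected page, regardless of how the visitor got
    there. The path is normalised first so that variants such as
    /secure/../secure/report are matched against the same rules."""
    path = posixpath.normpath(path)
    if path in PROTECTED_PAGES:
        if sid not in SESSIONS:
            return 401, "authentication required"
        return 200, PROTECTED_PAGES[path]
    if path in PUBLIC_PAGES:
        return 200, PUBLIC_PAGES[path]
    return 404, "not found"
```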
More Knowledge: How to Prevent Authentication Bypass Attacks
CODE INJECTION
Code Injection, or Remote Code Execution (RCE), refers to an attack wherein an attacker is able to execute malicious code as the result of an injection attack. Code Injection differs from Command Injection in that the attacker is confined to the limitations of the language executing the injected code. While it is possible for an attacker to escalate from Code Injection to executing arbitrary shell commands, that is not always the case.
Typically, Code Injection occurs when an application evaluates code without validating it first. Code Injection refers to any means that allows an attacker to inject source code into a web application such that it is interpreted and executed. This does not apply to code injected into a client of the application, e.g. JavaScript, which instead falls under the domain of Cross-Site Scripting (XSS).
SQL INJECTION
SQL injection vulnerabilities remain a headache for Web app developers, security professionals and database administrators. In a recent survey of 800 IT security pros and developers by the Ponemon Institute and app security firm Security Innovation, 42% of developers and 46% of security practitioners admitted SQL injection at the application layer had been exploited in a recent breach against their organizations. The responses made SQL injection the most-cited attack vector on a list that included cross-site scripting and privilege escalation.
SQL injection attacks exploit non-validated user input to issue commands through an application to a back-end database. Finding the holes through which these attacks can be launched isn't all that difficult. One of the first things attackers like to do is see how an application handles errors. Another way to search for vulnerable sites is through Google hacking, which uses search engines to find security gaps by leveraging the mountains of data they index. An attacker might start by entering a search query called a Google Dork, designed to locate results that could offer a clue about sites that might be vulnerable. There are a number of Google Dorks that can be useful to a hacker searching for a SQL injection vulnerability to exploit.
More Knowledge: SQL Injection Vulnerabilities
XSS VULNERABILITY
Cross-site scripting (XSS) attacks are a type of script injection in which malicious scripts are injected into web site forms. XSS is the most common flaw in web applications. Cross-site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
Attackers frequently use a variety of methods to encode the malicious portion of the tag, such as Unicode, so the request looks less suspicious to the user. There are multiple ways these attacks can be initiated, but the most common XSS attacks are in the form of embedded JavaScript. XSS issues can also be present in the underlying web and application servers. Most web and application servers generate simple web pages to display in the case of various errors, such as a 404 Not Found or a 500 Internal Server Error; if those pages echo parts of the request, they can carry the injected script.
More Knowledge: How To Protect From Cross Site Scripting Vulnerability Attack
FILE UPLOAD VULNERABILITIES
A file upload vulnerability can exist even when an application does not accept uploads directly from site visitors. Instead, a visitor provides a URL on the web from which the application fetches a file. That file is saved to disk in a publicly accessible directory. An attacker may then request that file, have the server execute it and gain access to the site.
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked; the attack then only needs to find a way to get that code executed. Using a file upload helps the attacker accomplish the first step. While file upload problems are typically found in PHP code and frameworks, other platforms exhibit them too.
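An added example, not code from the page or from any product, contrasting the two storage decisions the passage turns on: the vulnerable handler keeps the client's file name inside a served directory, while the hardened one stores under a server-chosen name outside the web root and allows only a fixed set of non-executable extensions. The directory names, extension allow-list and the idea of passing already-fetched bytes to the handler are assumptions.

```python
import os
import secrets
import tempfile

# Constructed allow-list: nothing a web server could execute as a script
# (.php, .jsp, .cgi, ...) is on it.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def store_upload_vulnerable(public_dir, client_name, data):
    """Saves the bytes under the name the client chose, inside a directory
    the web server serves (and may execute scripts from). The client picks
    both the extension and, via '..' segments, the directory."""
    path = os.path.join(public_dir, client_name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def store_upload_safe(private_dir, client_name, data):
    """Keeps the upload outside the web root, discards any directory part of
    the client-supplied name, allows only a fixed set of extensions and
    stores under a random server-chosen name. Returns the stored path, or
    None if the upload is refused."""
    # strip directory components the client may have supplied (either slash)
    base_name = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # the client never controls where the file lands or what it is called,
    # so a later request cannot address it through the web server
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(private_dir, stored_name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Exercise both handlers on throwaway directories (constructed input)."""
    public_dir = tempfile.mkdtemp()
    private_dir = tempfile.mkdtemp()
    bad = store_upload_vulnerable(public_dir, "page.php", b"not an image")
    refused = store_upload_safe(private_dir, "page.php", b"not an image")
    kept = store_upload_safe(private_dir, "../../photo.PNG", b"\x89PNG")
    return bad, refused, kept, private_dir
```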
More Knowledge: File Upload Attack
PRIVILEGE ESCALATION
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Typically a non-admin user tries to become an admin user, gaining more access than intended.
Privilege escalation has two types:
Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.)
Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)
More Knowledge: Privilege Escalation Vulnerability
COOKIE INJECTION
Cookies are an important feature of web applications, and penetration testers must have a good understanding of cookies from a security point of view. Once the tester understands how cookies are set, when they are set, what they are used for, why they are used, and their importance, the penetration tester must know how to test whether they are secure.
If an attacker were able to acquire a session token by attacks such as cross site scripting or by sniffing an unencrypted session, then they could use this cookie to hijack a valid session.
More Knowledge: How To Prevent Cookie Injection Attacks
SESSION VULNERABILITY
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the web application manages the session ID: the vulnerable application does not assign a new session ID when authenticating a user, making it possible to keep using an existing session ID.
The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate with that session ID, and then hijacking the user-validated session using knowledge of that session ID. The attacker has to provide a valid session ID and try to make the victim's browser use it.
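The missing session-ID regeneration described above, as an added example (illustrative code for this page, not Valency Networks' own). The in-memory session store and function names are assumptions; the fixed login discards the pre-authentication session and issues a fresh ID, so an ID known before login is worthless afterwards.

```python
import secrets

# Constructed example: an in-memory session store mapping session ID to
# session data.
SESSIONS = {}


def new_anonymous_session():
    """Issue the session ID a browser receives before it logs in."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_vulnerable(sid, user):
    """Fixation-prone login: marks the caller's *existing* session as
    authenticated and keeps the same ID. Any party who already knows this
    ID (for instance because they handed it to the victim) now holds a
    logged-in session. It even adopts IDs the server never issued."""
    SESSIONS.setdefault(sid, {})["user"] = user
    return sid


def login_fixed(sid, user):
    """Login that regenerates the session ID on authentication. The
    pre-login session is discarded, so an ID known before login is
    useless afterwards, and unknown IDs are never adopted."""
    SESSIONS.pop(sid, None)
    new_sid = secrets.token_urlsafe(32)   # fresh, unguessable identifier
    SESSIONS[new_sid] = {"user": user}
    return new_sid


def whoami(sid):
    """Resolve a session ID to its logged-in user, or None."""
    return SESSIONS.get(sid, {}).get("user")
```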
More Knowledge: Session Vulnerabilities
CSRF VULNERABILITY
CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user.
Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will send a request to a second site, and the second site will mistakenly think that the user authorized the request.
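The "browser of an authorized user" distinction above, as an added example that is not part of the original page: the vulnerable action trusts the session cookie alone, while the protected one also demands a per-session token that only pages served by this site can carry. The session store, form fields and function names are assumptions.

```python
import hmac
import secrets

# Constructed example: server-side session data keyed by the session cookie.
SESSIONS = {}


def start_session():
    """Create a logged-in session and mint a CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in the forms it serves.
    A page on another site cannot read it, so it cannot build a request
    that carries it."""
    return SESSIONS[sid]["csrf_token"]


def transfer_vulnerable(sid, form):
    """Accepts any request that carries a valid session cookie. The browser
    attaches that cookie no matter which site's page triggered the request."""
    if sid not in SESSIONS:
        return "unauthenticated"
    return "transferred %s to %s" % (form["amount"], form["to"])


def transfer_protected(sid, form):
    """Also demands the per-session token, i.e. proof that the request was
    built from a form this server served to this session."""
    if sid not in SESSIONS:
        return "unauthenticated"
    expected = SESSIONS[sid]["csrf_token"].encode()
    supplied = str(form.get("csrf_token", "")).encode()
    # constant-time comparison so the check itself does not leak the token
    if not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return "transferred %s to %s" % (form["amount"], form["to"])
```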
More Knowledge: CSRF (Cross Site Request Forgery) Vulnerability
CREDENTIAL REUSE
Users today have so many logins and passwords to remember that it's tempting to reuse credentials here and there to make life a little easier. Even though security best practices universally recommend unique passwords for all your applications and websites, many people still reuse their passwords, which is a problem.
As a leading pen testing company, we witness that once attackers have a collection of usernames and passwords from a breached website or service (easily acquired on any number of black market websites on the internet), they know that if they use these same credentials on other websites there's a chance they'll be able to log in. No matter how tempting it may be to reuse credentials for your email, bank account and your favorite sports forum, it's possible that one day the forum will get hacked, giving an attacker easy access to your email and bank account. When it comes to credentials, variety is essential. Password managers are available and can be helpful when it comes to managing the various credentials you use.
More Knowledge: Plain Text Credentials Vulnerability
SOURCE CODE REVELATION
Taking a PHP application as an example: PHP is a server-side language, so you can't just view the page source to see a script's code. But if something happens to Apache and all of a sudden your scripts are served as plain text, people see source code they were never meant to see. Some of that code might list accessible configuration files or hold sensitive information like database credentials.
The solution centers around how you set up the directory structure for your application. That is, it isn't so much a problem that bad people can see some code, it's what code they can see if sensitive files are kept in a public directory. Keep important files out of the publicly-accessible directory to avoid the consequences of this blunder.
RFI ATTACK
Remote file inclusion is when your application includes files from a remote host. This is dangerous because the remote file is untrusted: it could have been maliciously modified to contain code you don't want running in your application. Suppose your site at www.myplace.com includes the library www.goodpeople.com/script.php. One night, www.goodpeople.com is compromised and the contents of the file are replaced with evil code that will trash your application.
Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts. The perpetrator's goal is to exploit the referencing function in an application to upload malware (e.g., backdoor shells) from a remote URL located within a different domain. The consequences of a successful RFI attack include information theft, compromised servers and a site takeover that allows for content modification.
More Knowledge: How To Prevent Local/Remote File Inclusion Attacks
LFI ATTACK
Local file inclusion (LFI) is a vector that involves uploading malicious files to servers via web browsers. The two vectors, LFI and RFI, are often referenced together in the context of file inclusion attacks. In both cases, a successful attack results in malware being uploaded to the targeted server. However, unlike RFI, LFI attacks aim to exploit insecure local file upload functions that fail to validate user-supplied or user-controlled input. As a result, uploads of malicious characters and directory/path traversal attacks become possible. Perpetrators can then directly upload malware to a compromised system, as opposed to retrieving it through a tampered external referencing function from a remote location.
DIRECTORY TRAVERSAL
Properly controlling access to web content is crucial for running a secure web server. Directory traversal is an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Web servers provide two main levels of security mechanism: Access Control Lists (ACLs) and the root directory.
An Access Control List is used in the authorization process. It is a list the web server's administrator uses to indicate which users or groups are able to access, modify or execute particular files on the server, along with other access rights. The root directory confines requests to a specific directory tree on the server's file system. With a system vulnerable to directory traversal, an attacker can step out of the root directory and access other parts of the file system.
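Keeping requests inside the root directory, as an added example (illustrative code written for this page, not any product's own). The naive handler joins root and request text and opens the result; the safe one resolves `..` segments and symlinks first and serves the file only if its real location lies under the root. The directory layout built by `make_demo_tree` is constructed for the demonstration.

```python
import os
import tempfile


def resolve_under_root(web_root, requested):
    """Return the real path of `requested` inside `web_root`, or None if the
    request escapes the root. '..' segments and symlinks are resolved first,
    so the check is made on the actual target, not on the supplied string."""
    root = os.path.realpath(web_root)
    if os.path.isabs(requested):          # join() would discard the root
        return None
    candidate = os.path.realpath(os.path.join(root, requested))
    # the target must be the root itself or lie somewhere beneath it
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_vulnerable(web_root, requested):
    """Naive handler: concatenates root and user input and opens the result,
    so '..' segments walk out of the root directory."""
    with open(os.path.join(web_root, requested), "rb") as f:
        return f.read()


def serve_safe(web_root, requested):
    """Serves the file only if it resolves to a regular file under the root."""
    path = resolve_under_root(web_root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def make_demo_tree():
    """Build a throwaway layout: <base>/htdocs/images/logo.txt is public,
    <base>/config.txt sits outside the web root. Returns (web_root, secret)."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(web_root, "images"))
    with open(os.path.join(web_root, "images", "logo.txt"), "w") as f:
        f.write("public")
    secret = os.path.join(base, "config.txt")
    with open(secret, "w") as f:
        f.write("secret")
    return web_root, secret
```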
More Knowledge: Directory Listing Is Enabled Leading to Further Attacks
With the growing number of websites and easy access to the internet, hackers' attack vectors are also expanding. Hackers are becoming very advanced in their strategies and are finding new ways of causing destruction. Hence, introducing web application security during the early stages of development is important.
The following strategies can be adopted to ensure web security.
Being one of the best cyber security companies in India, Valency Networks has performed thousands of web application pentests. Each vulnerability assessment of a web application helps us gain tremendous knowledge and expertise, which we occasionally share with the world as a giveback to the cyber security fraternity. Our findings show us that even after so many years, the real challenges are as below.
Our Culture
Valency Networks has a very agile, friendly and fun-loving atmosphere, and yet we maintain a cutting-edge, technically vibrant work environment.