Web Application Penetration Testing Process

Process

We follow a systematic yet agile approach to testing website security. This gives our customers extremely accurate and elaborate results, backed by a knowledge base and years of experience in the subject matter. We follow the OWASP Top 10 standard to find and report vulnerabilities.

While performing web application penetration testing, we follow an elaborate and technical checklist of attacks. It is called the Web Server Security Attacks Checklist, and it is updated regularly, as the attack vectors for web applications change over time.

Before Testing Starts

  • Sign NDA

  • Freeze on scope

  • Study Cloud App Architecture

  • Study Cloud User Roles

  • Decide attack vectors and prioritize

  • Allocate single point of contact

During Testing

  • Black box testing

  • Gray box testing

  • Automatic and Manual Testing

  • Testing Phases

  • Reconnaissance

  • Scanning

  • Gaining Access

  • Maintaining Access

  • Covering Tracks

  • Gathering Logs

After Testing

  • Analyse logs

  • Confirm results

  • Apply Knowledge

  • Apply Experience

  • Repeat Test if required

Testing Outcome

  • Detailed technical report (OWASP Top 10 Standard)

  • Executive summary

  • High-level remediation solutions

  • Certificate of testing completion (optional)

Penetration Testing Services

PHP SECURITY

Vulnerabilities in PHP can take several different forms. The basic definition of a vulnerability is a weakness in the system that allows someone to do something malicious to it, which in this case means the web server. One form of vulnerability is a poorly written PHP script by a user, whether written that way by mistake or with malicious intent.

Another form arises when the administrator of the web server does not understand the various settings that can be used with PHP and therefore does not implement the settings that are necessary for security. There are other vulnerabilities that can cause a denial of service to the user (crashing the web server, flooding the network with traffic until it is unusable, etc.). The following identifies some examples of these vulnerabilities and gives a more detailed explanation of each type of vulnerability.

.NET SECURITY

Microsoft .NET Framework is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks. Any system designed without a security assessment leads to non-compliance and may come under security threats.

Such systems are vulnerable to harmful attacks. The guide below will help strengthen applications, mitigate the risk of probable attacks and reduce unauthorized activities.

JAVA SECURITY

One of the main design considerations for the Java platform is to provide a secure environment for executing mobile code. Java comes with its own unique set of security challenges. While the Java security architecture can protect users and systems from hostile programs downloaded over a network, it cannot defend against implementation bugs that occur in trusted code. Such bugs can inadvertently open the very holes that the security architecture was designed to contain, including access to files, printers, webcams, microphones, and the network from behind firewalls.

In severe cases, local programs may be executed or Java security disabled. These bugs can potentially be used to turn the machine into a zombie computer, steal confidential data from the machine and intranet, spy through attached devices, prevent useful operation of the machine, assist further attacks, and carry out many other malicious activities. The choice of language system impacts the robustness of any software program. The Java language and virtual machine provide many features to mitigate common programming mistakes. The language is type-safe, and the runtime provides automatic memory management and bounds-checking on arrays.

JSCRIPT SECURITY

There have been several JavaScript security issues that have gained widespread attention. For one, the way JavaScript interacts with the DOM poses a risk for end users by enabling malicious actors to deliver scripts over the web and run them on client computers. There are two measures that can be taken to contain this JavaScript security risk.

First is sandboxing, or running scripts separately so that they can only access certain resources and perform specific tasks. The second measure is implementing the same origin policy, which prevents scripts from one site from accessing data that is used by scripts from other sites. Many JavaScript security vulnerabilities are the result of browser authors failing to take these measures to contain DOM-based JavaScript security risks.

JQUERY SECURITY



jQuery, the most popular JavaScript library, is a cross-platform library designed to simplify the client-side scripting of HTML and can be found on 65% of the top 10 million most visited websites. The advantages of using jQuery include the fact that it encourages the separation of JavaScript and HTML, that it promotes brevity and clarity, that it eliminates cross-browser incompatibilities, and that it is extensible, as new events, elements and methods can be easily added and subsequently reused. jQuery security vulnerabilities include cross-site scripting (XSS) as well as "JavaScript Hijacking."




Our Culture

Valency Networks has a very agile, friendly and fun-loving atmosphere, and yet we maintain a cutting-edge, technically vibrant work environment.