Penetration Testing Services, Web Application Security Testing, Penetration Testing Tools

Home

Enquiry

Sitemap

Home ›› Consulting ›› Web Application Test & Penetration Test

What is this service?
Hacking is the act of breaking into another system with or without the owner’s knowledge. A penetration test is an in-depth information risk analysis exercise to assess the security of the systems from a hacker’s perspective. Penetration testing is the process of inquisition and identifying security vulnerabilities in a network or system and the extent to which they might be exploited by outside parties. Paramount Penetration Testing and Web Application testing service simulate a hacker or an attacker like environment to conduct the exercise so as to match the hacker’s thought process. Penetration testing can be done both from the Internet and local area network depending on the placement and operational usage of the system.

...............................................................................................................................................................................................................................................................................................................................

Why is this services required?
The vulnerabilities are inevitable and pose a great risk to the operations and businesses if they are exploitable. By conducting penetration testing exercises, organizations can verify that existing and new applications, systems and networks are not vulnerable to security risks that could allow unauthorized access to the company resources. It examines a system’s immunity to actual hacking methodologies and gives an excellent idea of the system’s exploitable vulnerabilities. Hacking is not a technique but a “thought process”, and hence the importance of conducting a simulated exercise of penetration testing periodically to counter the growing threat to organizational resources.

Pre-requisites from the client

IP Addresses or hostnames

Customer Benefits

Understand hacker mentality
Identify vulnerabilities that are exploitable
State of the art Penetration Testing Lab facility with certified ethical hackers

Top

Service Delivery Process
Penetration testing service is divided into two different types,

External Penetration testing
Internal Penetration testing

Both these exercises can be conducted with least information (black box) and also limited information (white box). The external penetration testing exercise is conducted from an external attacker’s perspective while the internal penetration testing exercise is conducted from an internal attacker’s point of view. Both involve extensive but similar testing techniques, procedures and steps that are discussed below.

Web Application Test and Penetration Testing Methodology

Web Application Test and Penetration Testing Methodology

Scope and Plan

The identification of scope for Penetration Testing
Project planning and resourcing

System Scan and Probe

Scanning the systems under scope using automated scanners for open ports
Scanning the systems to detect vulnerabilities
IP addresses and/or hostnames collected during the previous stage are used

Creation of attack strategies

Prioritize the systems and attack methods based on the criticality and type of systems
Scheduling of systems to be scanned and activities
Selection of penetration testing tools based on vulnerabilities and ports detected in the second phase.
Identification of exploits and scripts to be used.

Penetration Testing

Exploitation of vulnerabilities using automated tools, both open source and commercial
Skill and knowledge based exploitation of vulnerabilities using in-house developed scripts, exploits etc.
Attacking methods involve service & data pilferage test, privilege escalation, buffer overflow types of attacks and denial of service etc.

Documentation

Documentation of vulnerabilities, evidence of exploitations and recommendations on closing the vulnerabilities
Comparison of vulnerabilities and penetration testing findings with previous activities if any.

Improvement

Assisting or performing the corrective action on closing the vulnerabilities
Performing penetration testing exercise periodically and assisting in continued improvements.

Top

Web Application Penetration Test

Application discovery
Data Mining
Cryptography
Database Listener
Business Logic Testing

Malicious Input Checks
The single biggest security problem with web applications is the lack of proper input validation. This can lead to a number of attacks being launched against the web application. Some of these attacks include

SQL Injection
XML Insertion
Cross-site scripting
Null character and Meta character insertion

Web Application Test

HTML Code Analysis
Weak Authentication and Authorization Schemes
Account lockout and Password complexity
Directory Traversal
Session Management Testing
Data Validation Testing
DOS Testing

Few important tools
Core Impact
CORE IMPACT elevates the practice of penetration testing to new standards of quality required by today's organizations. The application provides you with a comprehensive framework within which to perform penetration tests and a controlled environment in which to execute them. CORE IMPACT allows the following

Automate the penetration testing process
Safely and efficiently determine how an attacker can gain control of your information assets
Define and execute a repeatable testing methodology
Increase team productivity
Leverage security knowledge and expertise across tests

Core Impact has been rated as the best penetration testing tool in the market.

SecPoint – Penetrator
The Penetrator is a vulnerability management and penetration testing appliance for the network, which comes pre-loaded and ready to go. It is a powerful and intelligent security assessment solution. The Penetrator is capable via the automatic crawl engine to find Cross Site Scripting, SQL Injection, website Errors

WAPT
Along with these commercial tools various open source and proprietary scripts are used in our WAPT service delivery

Deliverables

Penetration Testing Report : Consists of vulnerabilities, evidence of exploitation
Improvement Roadmap : Consists of recommendations for eliminating the vulnerabilities and the security management roadmap.

Top