PENETRATION TEST

Identify Vulnerabilities Before Hackers Do

Network Penetration Test

Focused on the external and/or internal perimeter as required by the Customer, SGBox can conduct a Penetration Test (black box and grey/white box approaches) of an infrastructure and all associated systems discovered. After identification of vulnerabilities, penetration testing will demonstrate the ability to gain unauthorized access to system resources and/or disrupt system services. Where SGBox identifies high-risk vulnerabilities, the Customer’s designated point of contact will be notified immediately. All vulnerabilities will be detailed in the final report of findings.
SGBox uses a range of security tools, both manual and automated, and a proprietary methodology to identify, validate and exploit security vulnerabilities. All ethical hacking activities are closely coordinated to minimize negative impact on your systems. Throughout the engagement, the SGBox team will share results with authorized personnel to maximize information transfer and expedite the correction of security issues.

Network Mapping

Tests include a variety of reconnaissance activities to gather information about the target network.

Service Enumeration

The SGBox team uses commercial and open-source tools to help identify security vulnerabilities in the tested systems.

Vulnerability Verification

Our experts will confirm identified vulnerabilities to minimize false positives to the greatest extent possible.

Full Exploitation

Our staff will try to gain unauthorized access within the rules of engagement to demonstrate the risk posed.

Analysis & Reporting

Findings, impacts and recommendations will be reported with an attention to detail to mitigate the application/infrastructure vulnerabilities discovered.

Re-check Phase

An additional test can be performed after the Customer’s operational team has fixed the main vulnerabilities.

Web Application Penetration Test

The objective is to protect confidential data by identifying weaknesses in the application layer controls. SGBox will conduct a rigorous review of application layer controls through functional security testing of the target application and prioritize findings based on their impact on business operations.
Web Application Penetration Testing (black box and grey/white box approaches) is focused on the application layer of the target application, and may include other logical components (e.g., application server, database). The assessment includes an evaluation of input validation controls on all data passed from the client to the application. In addition to input validation testing, the SGBox team will assess the application’s access control mechanisms. We will also carry out checks against the configuration of the web server itself (to verify both hardening and patch management processes).
Attempts will be made to bypass the normal, or given, authentication process. In addition, we will attempt to bypass the session management capabilities and gain access to parts of the application normally not authorized for access. This is assessed by testing for adequate privilege separation. We will also attempt to manipulate or enumerate the backend database of the application, if any.

Injection Flaws

Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.

Authentication & Session Management

Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.

Cross Site Scripting

XSS (reflected, stored, DOM) allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

Insecure Direct Object Reference

This occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
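As an added illustration of the insecure direct object reference described above (example code, not from SGBox or any real application, using a constructed two-invoice data set), the vulnerable lookup trusts the client-supplied id, while the hardened version checks ownership on every access and can additionally hand out opaque per-session tokens so raw ids never leave the server:

```python
"""Insecure Direct Object Reference: vulnerable lookup beside a hardened one."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: float


# Constructed sample "database": invoice 101 belongs to alice, 102 to bob.
INVOICES = {
    101: Invoice(101, "alice", 120.0),
    102: Invoice(102, "bob", 75.5),
}


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """IDOR: any authenticated user can read any invoice by changing the id."""
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Authorizes every access: the record must belong to the requesting user."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        # Same error for "missing" and "not yours" so ids cannot be enumerated.
        raise AccessDenied("invoice not found")
    return inv


class ReferenceMap:
    """Optional extra layer: per-session indirect references instead of raw ids."""

    def __init__(self) -> None:
        self._by_token: dict[str, int] = {}

    def issue(self, current_user: str) -> dict[int, str]:
        """Return {real_id: opaque_token} for every invoice the user owns."""
        tokens = {}
        for inv in INVOICES.values():
            if inv.owner == current_user:
                tok = secrets.token_urlsafe(16)
                self._by_token[tok] = inv.invoice_id
                tokens[inv.invoice_id] = tok
        return tokens

    def resolve(self, current_user: str, token: str) -> Invoice:
        real_id = self._by_token.get(token)
        if real_id is None:
            raise AccessDenied("invoice not found")
        return get_invoice_hardened(current_user, real_id)  # still re-checks ownership
```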

Security Misconfiguration

A secure configuration must be defined and deployed for the application, frameworks, application server, web server, database server, and platform. Additionally, software should be kept up to date.

Malicious File Execution

Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

Information Leakage

Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

Insecure Cryptographic Storage

Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

Insecure Communications

Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

Contact us Today!

If you’re interested in learning how SGBox Professional Services can help secure your data
and keep your organization safe and compliant, contact us right now.
We’d be proud to show you what we can do.

Contact us
1000 Projects | 95% of Renewals | 50% Annual Growth | 50 Partners