Identify Vulnerabilities Before Hackers Do
Focused on the external or internal perimeter, as required by the Customer, SGBox can conduct a Penetration Test (black-box and grey/white-box approaches) of an infrastructure and all associated systems discovered. After identifying vulnerabilities, the penetration test will demonstrate the ability to gain unauthorized access to system resources and/or disrupt system services. Where SGBox identifies high-risk vulnerabilities, the Customer’s designated point of contact will be notified immediately. All vulnerabilities will be detailed in the final report of findings.
Tests include a variety of reconnaissance activities to gather information about the target network.
SGBox’s Team uses commercial and open-source tools to help identify security vulnerabilities in tested systems.
Our experts will confirm identified vulnerabilities to minimize false positives to the greatest extent possible.
Our staff will try to gain unauthorized access within the rules of engagement to demonstrate the risk posed.
Analysis & Reporting
Findings, impacts and recommendations will be reported with an attention to detail to mitigate the application/infrastructure vulnerabilities discovered.
An additional test can be performed after the Customer’s operational team has fixed the main vulnerabilities.
Web Application Penetration Test
The objective is to protect confidential data by identifying weaknesses in application-layer controls. SGBox will conduct a rigorous review of application-layer controls through functional security testing of the target application, prioritizing findings based on their impact on business operations.
Web Application Penetration Testing (black-box and grey/white-box approaches) focuses on the application layer of the target application and may include other logical components (e.g., application server, database). The assessment includes an evaluation of input validation controls on all data passed from the client to the application. In addition to input validation testing, SGBox’s Team will assess the application’s access control mechanisms. We will also check the configuration of the web server itself (to verify both hardening and patch management processes).
Attempts will be made to bypass the normal, or given, authentication process. In addition, we will attempt to bypass the session management capabilities and gain access to parts of the application normally not authorized for access. This is assessed by testing for adequate privilege separation. We will also attempt to manipulate or enumerate the backend database of the application, if any.
Injection
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
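As an added illustration of the injection class described above (example code written for this page, not SGBox’s own tooling or a finding from any engagement), the following Python snippet builds a constructed in-memory SQLite table and queries it two ways: a vulnerable lookup that splices the input into the SQL text, and a parameterized lookup in which the query text is fixed and the value is bound separately. The same probe string returns every row from the first and nothing from the second, which is exactly the difference a tester confirms and a developer fixes.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): three user accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the input is spliced into the command text, so the SQL
    # interpreter cannot distinguish the attacker's data from the query itself.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Hardened: the query text never changes; the driver passes the value as a
    # bound parameter, so quotes or SQL keywords inside it are treated as data.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return their results side by side."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("bob"))           # both return ['bob']
    print(compare("' OR '1'='1"))   # vulnerable returns all rows, parameterized returns []
```

The fix is not input filtering but separating code from data: the driver, not the application, is responsible for quoting. The same principle applies to any interpreter the page’s definition covers (LDAP, OS command, XPath), where the equivalent of a bound parameter or an argument vector replaces string building.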
Authentication & Session Management
Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
Cross Site Scripting
XSS (reflected, stored, DOM-based) allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
Insecure Direct Object Reference
Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
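The following Python example, added here and not part of SGBox’s text or any client finding, shows the insecure direct object reference pattern on a constructed set of invoice records. The vulnerable handler serves whatever identifier it is given; the hardened handler scopes the lookup to the authenticated user and reports a foreign record exactly like a missing one, so the endpoint cannot be used to enumerate which identifiers exist. The last function is the kind of check a tester runs to list references that leak, which is also a useful regression test for the development team.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample records (not from the page): two invoices, two owners.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}


class NotFound(Exception):
    """Raised for both missing and foreign records so the caller cannot tell
    which identifiers exist."""


def get_invoice_vulnerable(invoice_id: int, current_user: str) -> Invoice:
    # Vulnerable: the identifier taken from the URL or form is looked up
    # directly; the caller's identity is never compared with the record owner.
    return INVOICES[invoice_id]


def get_invoice_checked(invoice_id: int, current_user: str) -> Invoice:
    # Hardened: the lookup is scoped to the authenticated user. A record that
    # exists but belongs to someone else gets the same NotFound as one that
    # does not exist at all.
    record = INVOICES.get(invoice_id)
    if record is None or record.owner != current_user:
        raise NotFound(f"invoice {invoice_id} not available to {current_user}")
    return record


def can_read(invoice_id: int, current_user: str) -> bool:
    """True if the hardened lookup grants access, False if it refuses."""
    try:
        get_invoice_checked(invoice_id, current_user)
        return True
    except NotFound:
        return False


def direct_reference_exposure(current_user: str, candidate_ids) -> list:
    """Identifiers the vulnerable handler serves to current_user but the
    checked handler refuses: the set a tester would report as IDOR."""
    exposed = []
    for invoice_id in candidate_ids:
        try:
            get_invoice_vulnerable(invoice_id, current_user)
        except KeyError:
            continue
        if not can_read(invoice_id, current_user):
            exposed.append(invoice_id)
    return exposed


if __name__ == "__main__":
    print(direct_reference_exposure("alice", range(1000, 1004)))  # [1002]
```

Note that the fix is an authorization check at the point of access, not hiding the identifier: obscure or random ids only slow enumeration, while the ownership comparison stops it.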
Security Misconfiguration
A secure configuration must be defined and deployed for the application, frameworks, application server, web server, database server, and platform. Additionally, software should be kept up to date.
Malicious File Execution
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
Insecure Cryptographic Storage
Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
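As an added example for the credential-storage case above (written for this page using only the Python standard library; it is not SGBox’s code), the snippet contrasts a weak password store, a single unsalted fast hash, with one that uses a per-record random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 here) and compares digests in constant time. The `linkable` helper demonstrates the concrete weakness a reviewer looks for: with the weak store, two accounts sharing a password produce identical records.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"


def weak_store(password: str) -> str:
    # Weak: one fast, unsalted hash. Equal passwords give equal digests, and
    # precomputed tables or brute force apply directly to the stored value.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_store(password: str, iterations: int = 200_000) -> str:
    # Hardened: a random per-record salt plus a deliberately slow derivation.
    # Algorithm, iteration count and salt are stored with the digest so the
    # cost can be raised later without changing the schema.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy record: never accept it silently
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: elapsed time does not depend on where the first
    # differing byte is, so the check leaks nothing about the stored digest.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def linkable(password: str, store) -> bool:
    """True if storing the same password twice yields identical records, i.e.
    the store reveals which accounts share a password."""
    return store(password) == store(password)


if __name__ == "__main__":
    print(linkable("correct horse", weak_store))    # True
    print(linkable("correct horse", strong_store))  # False
```

In a production system a dedicated password-hashing function (bcrypt, scrypt or Argon2) is the usual choice; the stdlib PBKDF2 is used here only so the example runs without third-party packages. Encryption keys and API tokens are a different case from passwords: they must be recoverable, so they belong in a key management service or OS keystore, not in application configuration files.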
Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
Contact us Today!
If you’re interested in learning how SGBox Professional Services can help secure your data and keep your organization safe and compliant, contact us right now.
We’d be proud to show you what we can do.