The KEEP-IT-SECURE-24 Penetration Tests are executed by a team of highly qualified and certified security professionals.
Penetration Testing Activities are intended to validate security controls and identify potential and real vulnerabilities, using tools and methodologies similar to the potential attackers.
This table presents some of the activities we develop during the course of our activity:
Gathering of externally available information about the infra-structure (google dorking, dns, etc)
Scanning the network for available devices, services, and potential vulnerabilities
Analysis of potential vulnerabilities, identifying false positives, and exploitable vulnerabilities
Exploitation, proving the existence of the vulnerability
Attempting to obtain further privileges on the infrastructure
Collection of application information regarding entry-points, frameworks, versions and error codes
Test and identify: SSL/TLS, database access, infra-structure and application configurations, extension processing and handling, redundant, readable and downloadable files, available HTTP Methods
Test and identify: credentials transport over an encrypted channel, user enumeration, user guessing, authentication bypass, password reset, cache management, CAPTCHA, race conditions
Test and identify: Session Management Schema, cookies attributes, session fixation, CSRF
Test and identify: path traversal, authorization bypass, privilege escalation
Analysis and testing application business logic
Test and identify: XSS (reflected/stored/DOM), Cross Site Flashing, Injection flaws (SQL/LDAP/ORM/XML/SSI/Xpath/IMAP/SMTP/Code/OSCommands), buffer overflows, HTTP splitting / smuggling, HPP (HTTP Parameter Pollution)
Identify and test vulnerabilities that can cause Denial of Service as SQL wildcards, user account lockout, buffer overflows, user object allocation, user loop counter input, user data disk writing
Test and identify: WSDL, XML structures, XML content, HTTP GET/REST, SOAP attachments, replay
Test and identify vulnerabilities in AJAX
All identified vulnerabilities are reported through KEEP-IT-SECURE-24 platform enabling a flexible and interactive vulnerability resolution process.