| |
What is this service?
Hacking is the act of breaking into another system with or without the owner's knowledge. A penetration test is an in-depth information risk analysis exercise to assess the security of the systems from a hacker's perspective. Penetration testing is the process of inquisition and identifying security vulnerabilities in a network or system and the extent to which they might be exploited by outside parties. WSC Penetration Testing and Web Application testing service simulate a hacker or an attacker like environment to conduct the exercise so as to match the hacker's thought process. Penetration testing can be done both from the Internet and local area network depending on the placement and operational usage of the system.
Why is this services required?
The vulnerabilities are inevitable and pose a great risk to the operations and businesses if they are exploitable. By conducting penetration testing exercises, organizations can verify that existing and new applications, systems and networks are not vulnerable to security risks that could allow unauthorized access to the company resources. It examines a system's immunity to actual hacking methodologies and gives an excellent idea of the system's exploitable vulnerabilities. Hacking is not a technique but a "thought process", and hence the importance of conducting a simulated exercise of penetration testing periodically to counter the growing threat to organizational resources.
|
|
|
| Scope and Plan |
System Scan and Probe |
 |
The identification of scope for Penetration Testing |
|
Project planning and resourcing |
|
|
Scanning the systems under scope using automated scanners for open ports |
|
Scanning the systems to detect vulnerabilities |
|
IP addresses and/or hostnames collected during the previous stage are used |
|
| Creation of attack strategies |
Penetration Testing |
|
Prioritize the systems and attack methods based on the criticality and type of systems |
|
Scheduling of systems to be scanned and activities |
|
Selection of penetration testing tools based on vulnerabilities and ports detected in the second phase. |
|
Identification of exploits and scripts to be used. |
|
|
Exploitation of vulnerabilities using automated tools, both open source and commercial |
|
Skill and knowledge based exploitation of vulnerabilities using in-house developed scripts, exploits etc. |
|
Attacking methods involve service & data pilferage test, privilege escalation, buffer overflow types of attacks and denial of service etc. |
|
| Documentation |
Improvement |
|
Documentation of vulnerabilities, evidence of exploitations and recommendations on closing the vulnerabilities |
|
Comparison of vulnerabilities and penetration testing findings with previous activities if any. |
|
|
Assisting or performing the corrective action on closing the vulnerabilities |
|
Performing penetration testing exercise periodically and assisting in continued improvements. |
|
|
Web Application Penetration Test |
 |
Application discovery |
|
|
|
Data Mining |
|
|
|
Cryptography |
|
|
|
Database Listener |
|
|
|
Business Logic Testing |
|
| |
Malicious Input Checks
The single biggest security problem with web applications is the lack of proper input validation. This can lead to a number of attacks being launched against the web application. Some of these attacks include |
|
SQL Injection |
|
|
|
XML Insertion |
|
|
|
Cross-site scripting |
|
|
|
Null character and Meta character insertion |
|
| |
| Web Application Test |
|
HTML Code Analysis |
|
|
|
Weak Authentication and Authorization Schemes |
|
|
|
Account lockout and Password complexity |
|
|
|
Directory Traversal |
|
|
|
Session Management Testing |
|
|
|
Data Validation Testing |
|
|
|
DOS Testing |
|
| |
Few important tools
Core Impact
CORE IMPACT elevates the practice of penetration testing to new standards of quality required by today's organizations. The application provides you with a comprehensive framework within which to perform penetration tests and a controlled environment in which to execute them. CORE IMPACT allows the following |
|
Automate the penetration testing process |
|
|
|
Safely and efficiently determine how an attacker can gain control of your information assets |
|
|
|
Define and execute a repeatable testing methodology |
|
|
|
Increase team productivity |
|
|
|
Leverage security knowledge and expertise across tests |
|
| |
| Core Impact has been rated as the best penetration testing tool in the market. |
| |
SecPoint - Penetrator
The Penetrator is a vulnerability management and penetration testing appliance for the network, which comes pre-loaded and ready to go. It is a powerful and intelligent security assessment solution. The Penetrator is capable via the automatic crawl engine to find Cross Site Scripting, SQL Injection, website Errors |
| |
WAPT
Along with these commercial tools various open source and proprietary scripts are used in our WAPT service delivery |
| |
| Deliverables |
|
Penetration Testing Report : Consists of vulnerabilities, evidence of exploitation |
|
|
|
Improvement Roadmap : Consists of recommendations for eliminating the vulnerabilities and the security management roadmap. |
|
