Web application penetration testing
Imaginea
1.
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners.
Information Security Group (ISG)
Web Application Penetration Testing
reachus@imaginea.com
2.
Web Application Penetration Testing Overview
Web Application Penetration Assessment looks at the application from the perspective of a malicious hacker and finds the holes before they can be exploited. We rely on a detailed and well-established manual testing methodology for accuracy and effectiveness. Open source and commercial tools will be used to automate many routine security testing tasks.
3.
Penetration Testing Methodology
Step 1 • Information Gathering
Step 2 • Analysis and Planning
Step 3 • Vulnerability Identification
Step 4 • Exploitation
Step 5 • Risk Analysis and Remediation Suggestion
Step 6 • Reporting
4.
Information Gathering Template
Columns: Information Required | Data (blank in the template)
• Application Name (Eg: LeanTaas)
• What is the type of the application? (Static / Dynamic / Applets / Web Services)
• Provide application URL
• What are all the application user roles? (Eg: User, Administrator, Manager)
• Is the application used by multiple clients? (Yes/No) If Yes, provide credentials for at least two clients
• Provide at least two sets of credentials for each user role
• Specify scope of the test (Internal application functionality and URLs to be tested)
• Provide application User Manual/ Help documents
5.
Analysis and Planning
Analysis
• Verification of gathered template information
• Client communication for clarifications
• Understanding the application functionality
• Identification of critical application components and corresponding vulnerabilities to be tested
Planning
• Test modularization based on functionality or vulnerability focus areas
• Plan for automation testing phase
• Plan for exploitation phase
• Plan for risk analysis and reporting phases
• Time estimates for each of the phases
6.
Vulnerability Identification Focus Areas
Authentication:
• Authentication Bypass
• Poor Password Strength
• No Account Lockout
• No Logout functionality
Authorization:
• Privilege Escalation
• Forceful Browsing
Session Management:
• Session Fixation
• Improper Session Expiration
• Session time out too long
Input Validation:
• Cross Site Scripting
• Cross Site Request Forgery
• SQL Injection
• Buffer Overflow
• File Upload
• Code Injection
Cryptography:
• Weak SSL
• Weak Encryption Key
• Unencrypted Sensitive Data (Eg: Passwords, Cookies)
7.
Vulnerability Identification Focus Areas
Information Leakage:
• Error Messages
• HTML Comments
• Source Code Disclosure
• Cross Frame Spoofing
• Server Platform Info Leak
• Sensitive Data Revealed
System Configuration:
• Default Passwords
• Default Pages
• Default Error Messages Enabled
• Unpatched Software
• HTTP Methods Enabled
Note: This is not an exhaustive list of vulnerabilities. More vulnerabilities will be added to the list based on the technology/requirement/latest threats.
8.
Vulnerability Identification
Vulnerability Testing Phases
• Exhaustive manual penetration testing on the application and vulnerability focus areas
• Automatic scanning of application using tools and analysis of the results for false positives
• Identification of list of application vulnerabilities from manual and automation testing results
Tools
• HTTP Proxy tool (Eg: Burp Suite tools, HTTPWatch, Tamper IE, Paros, WebScarab etc)
• Web Application Scanner (Eg: Burp Suite Scanner, Appscan, Web Inspect etc)
• Web Service Testing tool (SoapUI etc)
• SSL version and SSL key strength enumeration tools (Cygwin OpenSSL, Foundstone SSLDigger etc)
• Frameworks for exploitation (Metasploit, Core Impact etc)
Note: More tools will be added to the list based on the technology or need or latest advancements.
9.
Exploitation
Applicable attacks will be performed on the identified application vulnerabilities without causing much damage to the application resources and infrastructure. This phase helps to assess the RISK of a vulnerability more accurately.
Resources for exploitation
• Exploit frameworks (Metasploit, Core Impact etc)
• Open source scripts and tools
• Custom scripts (using Python, Perl etc)
10.
Risk Analysis and Remediation Suggestion
Risk Analysis
• Estimation of the Likelihood of attack
• Estimation of the Impact of a successful attack
• Evaluate overall RISK of the vulnerability: Risk = Likelihood * Impact
• The OWASP Risk Rating Methodology is used as guidance. Ref: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Remediation Suggestion
• Remediation measures will be suggested for each vulnerability identified.
• Priority for remediation will be suggested based on the risk rating of the vulnerability.
11.
Report Template
• Brief summary of the Network: brief description of the application, including name, version, platform details, functionality etc.
• Network Security Summary report: brief description of the overall security status and the list of major security vulnerabilities identified.
• Vulnerability details for each identified vulnerability:
  • Vulnerability Classification and Name
  • Description of the vulnerability
  • Vulnerability details
  • Remediation Suggestions
  • Vulnerability Risk Rating (Likelihood, Impact, Overall Risk)
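As an added example (not code from the slide deck or from Imaginea's ISG), the following Python carries out the risk analysis of slide 10 and produces the per-vulnerability fields of the report template on slide 11, ordering findings for remediation by their rating. It assumes the factor names, the 0-9 scales, the Low/Medium/High band thresholds and the likelihood x impact matrix of the OWASP Risk Rating Methodology that the slides reference (the matrix is how "Risk = Likelihood * Impact" is realised on those bands); the two sample findings and all their scores are constructed for illustration.

```python
"""OWASP-style risk rating and report entries for pentest findings (added example)."""
from dataclasses import dataclass
from statistics import mean

# OWASP scores every factor 0-9 and averages each group separately.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                                # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",    # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability",                                                     # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
)

# OWASP's likelihood x impact matrix: the banded form of "Risk = Likelihood * Impact".
OVERALL_RISK = {
    ("Low", "Low"): "Note", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
}
PRIORITY = ("Critical", "High", "Medium", "Low", "Note")  # remediation order, highest first


def band(score: float) -> str:
    """Map a 0-9 average onto OWASP's bands: <3 Low, 3 to <6 Medium, 6 to 9 High."""
    if score < 3:
        return "Low"
    return "Medium" if score < 6 else "High"


def group_average(factors, scores) -> float:
    """Average one factor group, refusing missing factors or out-of-range scores
    so a half-filled worksheet cannot silently lower a rating."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    bad = [f for f in factors if not 0 <= scores[f] <= 9]
    if bad:
        raise ValueError(f"scores must be 0-9: {bad}")
    return mean(scores[f] for f in factors)


@dataclass
class Finding:
    classification: str
    name: str
    description: str
    details: str
    remediation: str
    likelihood_scores: dict
    impact_scores: dict


def rate(finding: Finding) -> dict:
    """Return the Likelihood, Impact and Overall Risk values the report template asks for."""
    likelihood = group_average(LIKELIHOOD_FACTORS, finding.likelihood_scores)
    impact = group_average(IMPACT_FACTORS, finding.impact_scores)
    lb, ib = band(likelihood), band(impact)
    return {"likelihood": likelihood, "likelihood_band": lb,
            "impact": impact, "impact_band": ib,
            "overall": OVERALL_RISK[(lb, ib)]}


def report_entry(finding: Finding) -> str:
    """One vulnerability section, in the field order of the report template."""
    r = rate(finding)
    return "\n".join([
        f"Vulnerability: {finding.classification} - {finding.name}",
        f"Description: {finding.description}",
        f"Details: {finding.details}",
        f"Remediation: {finding.remediation}",
        f"Risk Rating: Likelihood {r['likelihood']:.2f} ({r['likelihood_band']}), "
        f"Impact {r['impact']:.2f} ({r['impact_band']}), Overall {r['overall']}",
    ])


def prioritize(findings) -> list:
    """Order findings for remediation: overall band first, then higher likelihood first."""
    return sorted(findings, key=lambda f: (PRIORITY.index(rate(f)["overall"]),
                                           -rate(f)["likelihood"]))


# Constructed sample findings with made-up scores; not data from a real assessment.
XSS = Finding("Input Validation", "Cross Site Scripting",
              "Search term is reflected into the results page without encoding.",
              "Reflected in the search results page (constructed example).",
              "Contextual output encoding; add a Content Security Policy.",
              likelihood_scores=dict(skill_level=3, motive=4, opportunity=7, size=9,
                                     ease_of_discovery=7, ease_of_exploit=5,
                                     awareness=9, intrusion_detection=8),
              impact_scores=dict(loss_of_confidentiality=6, loss_of_integrity=3,
                                 loss_of_availability=1, loss_of_accountability=7,
                                 financial_damage=3, reputation_damage=4,
                                 non_compliance=5, privacy_violation=5))
ERROR_LEAK = Finding("Information Leakage", "Error Messages",
                     "Stack trace is shown on malformed input.",
                     "Default error page enabled (constructed example).",
                     "Custom error pages; log the detail server-side only.",
                     likelihood_scores=dict(skill_level=1, motive=1, opportunity=9, size=9,
                                            ease_of_discovery=9, ease_of_exploit=9,
                                            awareness=9, intrusion_detection=9),
                     impact_scores=dict(loss_of_confidentiality=2, loss_of_integrity=1,
                                        loss_of_availability=1, loss_of_accountability=1,
                                        financial_damage=1, reputation_damage=1,
                                        non_compliance=1, privacy_violation=1))

if __name__ == "__main__":
    for f in prioritize([ERROR_LEAK, XSS]):
        print(report_entry(f), end="\n\n")
```

Running the script prints the XSS entry first (likelihood 6.50 High, impact 4.25 Medium, overall High) and the error-message leak second (likelihood 7.00 High, impact 1.12 Low, overall Medium); the strict factor validation in `group_average` is what keeps an incomplete worksheet from producing an understated rating.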
12.
Security as a Service
http://www.imaginea.com
reachus@imaginea.com