Website Penetration Testing


Exploitation of website vulnerabilities is the number one problem in the world. This is solely because websites are open to the internet and hence can potentially expose sensitive data, which interests evil hackers.

Websites are typically vulnerable to code-based or network-based attacks. This enables hackers to take over and control system components such as routers, firewalls, switches and servers and, in the worst cases, the website code. Even if the website is plain, simple and static HTML based, it needs detailed pen-testing (VAPT testing), which is often forgotten by IT management.

Why Is a Website Pentest Essential?

Web servers, and the application code running on them as a simple website or web portal, are vulnerable to various attacks. In one type of attack, the hacker can simply deface the pages, while in other, more serious types, the attacker can potentially steal data and disrupt website operations. This is especially important for e-commerce portals, where the entire business relies on the website and its data. As a recent trend, websites also cater to mobile-based applications, which demands end-to-end testing for total app security. It's important to understand that merely having firewalls and Layer-7 devices is not enough, because those cannot detect code-level vulnerabilities; hence a detailed website VAPT along with a code security review is highly recommended.

Features

A typical website penetration testing service comprises a simulation of real-life hacking methodologies. It encompasses various security attack vectors and the exploitation of potential vulnerabilities.

Exploit Categories

  • Web server exploits
  • Web service exploits
  • Authentication problems
  • Configuration problems
  • Database related problems
  • Scripting related problems

Standards Followed

  • OWASP Top 10 - 2014
  • NIST - CWE Standard

Vulnerabilities Detected

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Forms Input Forgery
  • Code Injection
  • Cookie Poisoning
  • 400+ other vulnerabilities

Test Approaches

  • Black Box
  • Gray Box

Process

We follow a systematic yet agile approach to testing website security. This helps our customers gain extremely accurate and elaborate results, along with a knowledge base and years of experience on the subject matter.

Before Testing Starts

  • Sign NDA
  • Freeze on scope
  • Study Cloud App Architecture
  • Study Cloud User Roles
  • Decide attack vectors and prioritize
  • Allocate single point of contact

During Testing

  • Black box testing
  • Gray box testing
  • Automatic and Manual Testing
  • Testing Phases
      • Reconnaissance
      • Scanning
      • Gaining Access
      • Maintaining Access
      • Covering Tracks
  • Gathering Logs

After Testing

  • Analyse logs
  • Confirm results
  • Apply Knowledge
  • Apply Experience
  • Repeat Test if required

Testing Outcome

  • Detailed technical report (OWASP Top 10 Standard)
  • Executive summary
  • High-level remediation solutions
  • Certificate of testing completion (optional)

Benefits

Security testing is a continuous improvement process that pays off in terms of increased ROI (Return on Investment). The benefits of a pen-test are short term as well as long term.

Website VAPT Benefits

  • Secure website from hackers
  • Prevent information stealing
  • Prevent monetary loss
  • Prevent reputational loss
  • Induce confidence in customers
  • Increased ROI
  • Higher long term profits

Copyright © 2018 Aspire Tech, All rights reserved.