Testing of Internet-facing services and applications

Why test websites and web applications?

Websites and web applications are frequent targets of attack. An attack may be commissioned by a dishonest competitor or by a disgruntled partner or employee, or simply carried out ‘for fun’ by young IT enthusiasts who do not realise the consequences of their actions.

Whether you use custom-built solutions or open-source systems, their security also depends on you.

If the website or application is integrated with an in-house system such as an ERP, there is the additional risk of losing data and know-how, and of the attacker reaching the LAN and the other systems, computers and devices on it.

What do I get after the tests?

After testing you receive a report listing the identified areas for security improvement. Every vulnerability found is assigned a risk level according to the Common Vulnerability Scoring System (CVSS) and cross-referenced to the common identifier schemes (CVE, OVAL) where applicable. The report also includes a list of warranty claims to raise with your existing suppliers, if any are identified.

CyberClue does not leave you with just the report: we can also help you implement the necessary fixes and changes.

Typical attack scenarios include:

  •  Takeover of systems exposed to the Internet and connected to the LAN
  •  Further penetration into the internal network via such systems
  •  Attacks on web applications made available to customers
  •  Data theft

Any of these leads to reputational damage and, in addition, can cause financial losses for both your company and your customers.

The tests are carried out by certified CyberClue specialists and consist of a controlled, client-safe but realistic attack on the website or web application. The aim is to determine its level of security, detect vulnerabilities (weaknesses that criminals could exploit) and identify the corrective actions needed to improve security.


The scope, exact timing and permissible activities are discussed and defined in detail with the client to ensure business continuity and security throughout the process.


We perform tests based on the OWASP, OSSTMM and NIST methodologies, extended with elements developed by our own experts.

Security testing of Internet services and applications can include, as required:

  •  Verification of the web server configuration: returned headers, technologies in use and their versions, exposed directories
  •  Source code review
  •  Security review of the CMS in use
  •  Google Hacking (search-engine reconnaissance for exposed content)
  •  Attempts to enumerate user accounts and break their protections: testing the randomness of session IDs, identifying the session cookie naming scheme, and checking how the login form is built
  •  SSL/TLS configuration review
  •  Detection of application-level flaws (SQL injection, XSS, CSRF)
  •  Attempts to execute code on the server
  •  Attempted data exfiltration
  •  Checking whether sensitive data can be accessed without encryption
  •  Checking whether the source code of the software in use can be retrieved
  •  Checking for uncontrolled access to files and directories (Path Traversal/LFI)
  •  Checking for open redirection
  •  Checking whether external files can be injected and loaded via a URL (File Inclusion)
  •  Checking for HTTP Response Splitting vulnerabilities
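As an added example (not CyberClue code, and not tied to any real host), the following Python script runs, offline, the kind of checks named in the list above for returned headers, technologies with versions, cookie attributes, the session cookie naming scheme and session-ID randomness. The HTTP response, the cookie values and the session identifiers are all constructed for the example; the list of expected hardening headers and the 64-bit entropy threshold are assumptions, not a CyberClue baseline.

```python
"""Added example (not CyberClue code): offline checks over a captured HTTP
response and a set of session identifiers. All inputs below are constructed."""
import math
import re
from collections import Counter

# Constructed response from an imaginary, deliberately weak server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.49 (Unix)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=000123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)
# Constructed session IDs: a sequential counter versus 128-bit random tokens.
WEAK_SESSION_IDS = ["000123", "000124", "000125"]
STRONG_SESSION_IDS = [
    "9c4e1b7d2a6f0e3b8d5c7a1f4e2b6d09",
    "4a7f0c2e9b1d6385f0a2c4e6b8d1397a",
    "d30b5e8f1a7c2946e5b3d0f8a1c7e294",
]

# Assumed baseline: headers a hardened site is expected to return.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options", "referrer-policy")
# Default session cookie names that give away the server-side stack.
SESSION_COOKIE_NAMES = {"phpsessid": "PHP", "jsessionid": "Java servlet container",
                        "asp.net_sessionid": "ASP.NET", "connect.sid": "express-session"}


def parse_response(raw):
    """Return the header block as a list of (lower-cased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_headers(headers):
    """Findings for missing hardening headers and version strings in banners."""
    findings = []
    present = {name for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing header: {required}")
    for name, value in headers:
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"version disclosed in {name}: {value}")
    return findings


def check_cookies(headers):
    """Findings for cookies without Secure/HttpOnly/SameSite and for names
    that reveal the technology (the session cookie naming check above)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr in ("secure", "httponly", "samesite"):
            if attr not in attrs:
                findings.append(f"cookie {cookie_name} lacks {attr}")
        tech = SESSION_COOKIE_NAMES.get(cookie_name.lower())
        if tech:
            findings.append(f"cookie {cookie_name} reveals {tech}")
    return findings


def shannon_entropy_bits(token):
    """Shannon entropy of one token in bits: per-symbol entropy times length.
    An upper bound only; a structured token can score high yet be guessable."""
    counts = Counter(token)
    n = len(token)
    per_symbol = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_symbol * n


def assess_session_ids(ids, min_bits=64):
    """Flag tokens below min_bits (assumed threshold) and a set whose hex
    values increase monotonically, the signature of a counter-based ID."""
    findings = [f"low entropy ({shannon_entropy_bits(t):.1f} bits): {t}"
                for t in ids if shannon_entropy_bits(t) < min_bits]
    try:
        values = [int(t, 16) for t in ids]
    except ValueError:                      # not hex: skip the ordering test
        return findings
    if len(values) >= 3 and all(b > a for a, b in zip(values, values[1:])):
        findings.append("session IDs increase monotonically (predictable)")
    return findings


if __name__ == "__main__":
    hdrs = parse_response(SAMPLE_RESPONSE)
    for f in check_headers(hdrs) + check_cookies(hdrs):
        print("[header/cookie]", f)
    for f in assess_session_ids(WEAK_SESSION_IDS):
        print("[weak ids]", f)
    print("[strong ids]", assess_session_ids(STRONG_SESSION_IDS) or "no findings")
```

The per-token entropy figure is only a screening heuristic: a proper randomness assessment collects thousands of session IDs from the live application and runs statistical tests over the sample, and a high per-token score does not prove the generator is unpredictable.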
Types of tests performed:

  1.  Blackbox
  2.  Greybox
  3.  Whitebox

The process of performing an application pentest:

  1.  Planning and preparation in consultation with the client (obtaining consents and identifying critical resources)
  2.  Reconnaissance
    •  Passive information gathering
    •  Active scanning
    •  Analysis of publicly available code repositories and subdomains
  3.  Analysis of the application code*
  4.  API testing against the OWASP API Security Top 10
  5.  Verification of the application for configuration and security errors
  6.  Manual verification of every detected vulnerability
  7.  Analysis and reporting (the report, including an Executive Summary, can be provided in Polish, English or German)
As additional services we offer:
  •  Support in closing the identified security gaps
  •  A retest after the customer has closed the gaps
  •  Verification of the report by a second auditor

    * In the case of white box tests
 Standards:
  •  OWASP ASVS
  •  OWASP WSTG
  •  OWASP MSTG
  •  OWASP MASVS

Penetration testing of web applications - sample scope*

  •  Identification of software versions and update status
  •  Review of vulnerability databases for known vulnerabilities in the identified software versions
  •  Vulnerability checking of application components
  •  Verification of the authentication/authorisation mechanisms used
  •  Security analysis of the application logic (confidentiality, integrity, availability)
  •  Checking the login panel against unauthorised access, and attempting to reach the administration panel with lower-privileged user accounts
  •  A sample of typical attacks on web applications and web services (OWASP Top 10)
  •  Verification of the security of application client sessions
  •  Analysis of the application’s password policy and authentication methods
  •  Attempts to bypass authentication mechanisms
  •  Attempts to bypass authorisation mechanisms
  •  Attempts to take over an authenticated user’s session
  •  Attempts to escalate privileges within the application
  •  Attempts to gain direct access to the hosting infrastructure (containerisation, operating system, database and other components associated with the application)
  •  Analysis of the encryption of data in transit, in terms of the algorithms available and used
  •  Security analysis of HTTP headers
  •  Examination of protection mechanisms against the injection of malicious code
  •  Analysis of the application’s error handling in terms of information disclosure
  •  Checking input validation mechanisms
  •  Verification of data protection mechanisms
  •  Checking file resource protection mechanisms: checking whether files on the application servers can be replaced

* Basic recommended scope. The detailed scope is agreed individually, according to the needs and characteristics of the organisation.
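The input validation item in the scope above, together with the Path Traversal/LFI and open redirection checks in the earlier list, is easiest to understand from the handler side. The following Python is an added example, not CyberClue code: it places a vulnerable file-path resolver next to a hardened one, and adds a redirect-target check that rejects the usual bypasses. The document root and the allow-listed hosts are assumptions made up for the example.

```python
"""Added example (not CyberClue code): the vulnerable and the hardened form of
two input-validation points, file-path handling (Path Traversal/LFI) and
redirect targets (open redirection). Paths and hosts are assumptions."""
import posixpath
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/var/www/app/static"                      # assumed document root
TRUSTED_HOSTS = {"shop.example", "www.shop.example"}  # assumed redirect allow-list


def resolve_vulnerable(user_path):
    """Typical flaw: join the user-supplied name onto the root and open it.
    '../' segments walk out of the root, so the handler would serve /etc/passwd."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def resolve_hardened(user_path):
    """Decode (twice, to defeat double encoding such as %252e%252e), reject
    NUL bytes, normalise, then require the result to stay inside WEB_ROOT.
    Returns None when the request must be rejected. A production handler
    should additionally resolve symlinks with os.path.realpath()."""
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Containment test with the trailing slash: a bare prefix comparison would
    # also accept a sibling directory such as /var/www/app/static_private.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def is_safe_redirect(target):
    """Accept a same-site absolute path or an https URL to an allow-listed host.
    Rejects scheme-relative '//evil.example', backslashes (which browsers turn
    into '/'), userinfo tricks like 'https://shop.example@evil.example' and
    non-https schemes such as javascript:."""
    if not target or "\\" in target or "\x00" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":
        return False
    return parts.hostname in TRUSTED_HOSTS


if __name__ == "__main__":
    for p in ["css/site.css", "../../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "../static_private/x"]:
        print(f"{p!r:45} vulnerable -> {resolve_vulnerable(p)}")
        print(f"{'':45} hardened   -> {resolve_hardened(p)}")
    for t in ["/account", "//evil.example/", "https://shop.example@evil.example/",
              "https://www.shop.example/cart", "javascript:alert(1)"]:
        print(f"{t!r:45} safe redirect -> {is_safe_redirect(t)}")
```

During a test the same payloads are sent to the real endpoint and the responses compared; during remediation the hardened functions show the two properties a fix must have: the check operates on the fully decoded value the filesystem or browser will actually see, and acceptance is by containment or allow-list rather than by blocking known-bad strings.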

Penetration testing of mobile applications - sample scope*

  •  Reverse engineering and code decompilation
  •  Identification of software versions and update status
  •  Security of local data storage
  •  Review of vulnerability databases for known vulnerabilities in the identified software versions
  •  Vulnerability checking of application components
  •  Verification of the authentication/authorisation mechanisms used
  •  Security analysis of the application logic (confidentiality, integrity, availability)
  •  Checking the login panel against unauthorised access, and attempting to reach the administration panel with lower-privileged user accounts
  •  A sample of typical attacks on mobile applications (OWASP Mobile Top 10)
  •  Verification of the security of application client sessions
  •  Analysis of the application’s password policy and authentication methods
  •  Attempts to bypass authentication and authorisation mechanisms
  •  Attempts to take over an authenticated user’s session
  •  Attempts to escalate privileges within the application
  •  Attempts to gain direct access to the hosting infrastructure (containerisation, operating system, database and other components associated with the application)
  •  Analysis of the encryption of data in transit, in terms of the algorithms available and used
  •  Security analysis of HTTP headers
  •  Examination of protection mechanisms against the injection of malicious code
  •  Analysis of the application’s error handling in terms of information disclosure
  •  Checking input validation mechanisms
  •  Verification of data protection mechanisms
  •  Checking file resource protection mechanisms: checking whether files on the application servers can be replaced

* Basic recommended scope. The detailed scope is agreed individually, according to the needs and characteristics of the organisation.