Web Application Penetration Testing

1. https://www.briskinfosec.com Briskinfosec Technology and Consulting Pvt Ltd Mobile: 8608634123 https://www.briskinfosec.com https://www.facebook.com/briskinfosec https://twitter.com/briskinfosec Mobile applications penetration testing

2. https://www.briskinfosec.com Web application penetration testing It can be your showcase site, your e-commerce site such as Shop or Magento, or any other web application: they all contribute to the public exposure of part of your information system. This can put you at risk in terms of IT security or brand image. By operating an intrusion test service on these platforms, we seek to understand their functioning and the integrated mechanisms to detect potential faults, leading to vulnerabilities. The objective of this type of audit is to assess the robustness of your web application against the following threats: ✓Theft of sensitive or confidential information ✓Data corruption ✓Authentication Bypass ✓Bounce attack on your internal network ✓Privilege elevation (lateral and horizontal movement) ✓Identity theft ✓Specific business scenarios By systematically establishing teams of two pen testers for each audit, the chances of discovering the security flaws of your perimeter that interests you are increased by sharing the experience and way of thinking of two auditors. Context and prerequisites A web application penetration testing can be affected in different contexts, depending on the nature of the threats you want to assess.

3. https://www.briskinfosec.com Black Box The black box penetration testing makes it possible to assess the threats linked to an attacker having access to the application, but not having an account on it. We therefore seek to reproduce the behaviour of an attacker who discovers the application, without any additional information. Gray Box The Gray box penetration testing is used to assess threats related to an attacker with an administrator account with elevated privileges on the application. We therefore seek to reproduce the behaviour of a user of the application, or of an attacker who has stolen a user's access. White Box Finally, the white box penetration testing makes it possible to evaluate the threats linked to an attacker possessing a user account with standard privileges on the application. It may also include specific knowledge about the operation of the application or its architecture. We are therefore seeking to reproduce the behaviour of an application administrator, or of an attacker who has stolen an administrator's access. The common prerequisite is therefore to be able to access the. If it is not publicly exposed, you can add our IP addresses to an access control list, we can go through a means of rebound (VPN, Citrix, RDP...) or move to your premises. Web application penetration testing process The process of our audits and intrusion tests is based on the PTES (Penetration Testing Execution Standard) and aims to conduct an audit in the optimization of the time allocated. In addition, we respect the perimeter that you impose on us, whether in terms of targets, time range, or type of attacks.

4. https://www.briskinfosec.com ✓We start with a reconnaissance and enumeration phase, during which we collect as much infor- mation as possible about the application and its entry points. For recognition, we may need to use Google Dorks, open service referencing engines such as Censys and Shodan, standard net- work protocols and tools (who is, dig), as well as the discovery of any sub-domains. For finger- printing, we use the well-known Nmap tool for port scans, but also other tools and scripts of our design to speed up this step. We seek to identify the technologies that make the through their footprint (CMS type WordPress, Joomla, Drupal, Liferay, Magento, shop...), the building blocks (Apache, IIS, nginx, Tomcat...) and the programming languages (Java, PHP, etc.). ✓Once in possession of a synthetic map of the services open on the machine and a better knowledge of the operation of the web application, we seek to unearth the vulnerabilities that may be found there. This is the phase that requires the most expertise, because two auditors can find different faults depending on their area of expertise. Well-known tools such as Burp Suite allow us to manipulate the content of requests and cause operation not intended by the developers of the application, which may reveal vulnerabilities. We will implement techniques to try to discover and exploit SQL injections, Cross-Site Scripting vulnerabilities, Cross-Site Re- quest Forgery. ✓At the end of the audit, we take a moment to discuss the main results with you. The idea is to give you a synthetic vision of the main risks that weigh on the web application: what are the main impacts of the discovered vulnerabilities on the security of your data and your infrastruc- ture, the level required for the attacker and the complexity attacks to conduct. We then contin- ue with the writing of the report. ✓Once the report has reached you, we plan a return of the results together. The objective of this step is to present both a managerial vision of the audit results, but also a detailed technical vi- sion. Therefore, we encourage you to invite your technical teams to this exchange, so that they

5. https://www.briskinfosec.com are informed of the security flaws and the corrective actions that we recommend correcting them. Of course, the auditors remain at your disposal even after the restitution, by email or by telephone, to answer your questions or advise you on the implementation of corrective actions. We aim to establish a relationship of trust as well as long-term support. Reports Our reports are composed of a managerial summary, which allows us to approach the results through a risk- based approach. Then comes the technical detail, in which all the faults detailed. The operating mode used to exploit a fault, with screenshots, if necessary, as well as the scripts and exploitation codes that we could have developed for a specific vulnerability.