Web Vulnerability Assessment
INFRASEG's team of ethical hackers will emulate an attack from the Internet against your web page, from multiple directions, both concurrently and sequentially. Among other things, we will look for:
- General status of the installed application.
- Review of file and directory permissions.
- External review of the server hosting the website, checking whether its software configuration and protocols meet minimum security requirements.
- Detection of malware installed in the application that may cause functional or reputational problems for the organization.
Following this, a series of reconnaissance analyses is carried out, consisting of the following activities:
- General Browsing: In a first stage, a general navigation will be carried out, as any common user would do, in order to identify possible points of interest and validate the flows to be analyzed.
- Form Search: Once the points of interest have been identified, all the vectors of interaction with the user or information input within the flows defined in the scope will be identified.
- Other activities defined by the team's experience and the OWASP Testing Methodology Guide.
Once the above is completed, a series of tests will be carried out, using commercial and open source tools, in order to compromise the application under evaluation. Some of the tests performed against the application are:
- Manipulation of URL parameters and headers
- Cross-Site Scripting
- SQL Injection
- Session management analysis (collision, entropy, security)
- Directory traversal
- Implementation and use of secure protocols (SSL/TLS)
- CSRF and CSIO tests
- Redirect attacks
- Hidden field manipulation
- Checks for known vulnerabilities
- Checks for common files and unauthenticated content download
- XML-based attacks
In this service, INFRASEG consultants position themselves outside your infrastructure and launch an attack against different targets that could allow access to internal resources or affect the availability of customer-facing services. This service simulates what a cybercriminal would do from the external perimeter of your platforms. The most common targets are the website, Wi-Fi networks and any part of the infrastructure exposed to the Internet.
In this service, INFRASEG consultants position themselves inside your infrastructure and begin by analyzing the environment, then carry out an attack to escalate privileges and/or obtain or eavesdrop on information from the internal network. The purpose of our internal pentesting is to attempt to gain superuser privileges on the platforms we find. This service simulates an insider, who may be a disgruntled employee or someone deliberately recruited to steal information in exchange for money or under extortion.
An insider can certainly do much more damage than many cybercriminals operating from the external perimeter, since they have knowledge of the institution's applications, credentials and permissions that are difficult to obtain from outside.
Among other things, we look for:
- Unpatched servers and devices
- Shared folders
- Insecure internal Wi-Fi
- Generic users
- Misuse of passwords
- Test operation of internal systems (IDS/IPS)
- Sending sensitive information outside the organization, for example:
  - Credit card numbers
  - Customer information
  - Confidential documents