Penetration testing are actions aimed at trying to hack the resource in order to identify ways and means of penetration for the further site security and protection implementation.

 

Competition in the modern world has reached a new level. Cyber espionage was available only to large companies before, but with technology development it has become available to small and medium businesses.

In this case, we are talking about companies commercial websites, online stores and web resources that generate income.

Site penetration testing is a complex approach to searching resource non-quality code, server software vulnerabilities identification, using which the web resource can be attacked and hacked.

There may be several motives for hacking: self-interest, destruction of the competitor, working for hire.

You have heard the news that the site was hacked and the credentials of hundreds of thousands of users were posted on the network. What does this mean for the site? Web resource has suffered a reputational damage; the company lost the clients trust. This could be avoided if the penetration test was run in time, the possibility of hacking was identified and measures for vulnerability elimination were fulfilled.

Attackers are divided into two types:

Mass attack

Attempting to access the maximum number of sites. Simple techniques of scanning and searching for vulnerabilities of popular CMS for a certain exploit are used. During the testing, parts of the vulnerable code will be identified, recommendations will ensure readiness to fight the attack.

Targeted attack

Attackers are aimed at obtaining specific data or vice versa their destruction. In this case, the hacker has a lot of ways to achieve the result, he will use all available methods of attack.

If you need testing for vulnerabilities Сontact us

    Penetration testing includes

    • Identification of server components vulnerabilities Server equipment scanning for software vulnerabilities
    • Searching for vulnerabilities of server web environment.
    • Checking the level of the web resource protection (firewall, application-level fire wall), attempts to exploit the vulnerabilities found, identification of bottlenecks
    • An attempt to execute arbitrary code remotely; Searching for the defects in the program code, testing the ability to execute arbitrary code.
    • Searching for the presence of injections (code injection); Attempts to inject attacking code in order to execute arbitrary potentially dangerous code.
    • Attempts to bypass the web resource authentication system; Analysis of the existing authorization system and searching for the ways to bypass it
    • Site testing for the "XSS" / "CSRF" vulnerabilities; Searching for the presence of defects in the program code, attempting to embed the code and to execute it. Depending on the vulnerabilities found, different goals can be pursued (data theft, resource discrediting, etc.)
    • Attempts to intercept session data of the privileged account; Evaluation of the possibility of obtaining administrative access to the resource being analyzed
    • Remote File Inclusion / Local File Inclusion execution; Searching for vulnerabilities of opening the files that contain confidential information on the server side. If such vulnerabilities are found - testing for remote file inclusion on the server side
    • Searching for components with known vulnerabilities; Analysis of resource architecture and search for well-known vulnerabilities
    • Detection of redirections to other sites; Search for open redirects (forgotten redirect that was previously available to developers.)
    • Searching for opportunities to obtain confidential and secret information