What is Vulnerability assessment and penetration testing (VAPT)?
Vulnerability Assessment and Penetration Testing (VAPT) are two important processes that involve scanning the network, detecting its risks or vulnerabilities, and mitigating them through systematic procedures. Vulnerability assessment analyses the security weaknesses in the overall network and indicates the extent to which the network can be attacked by a malicious intruder. A detailed report is then generated and mitigation strategies are planned.
VAPT is an essential step in security because it builds customer trust in an organization and certifies it as a secure service provider.
Difference between vulnerability scan & penetration testing?
A vulnerability scan, or vulnerability assessment, is done to find known vulnerabilities in a system, using vulnerability assessment tools. These tools help identify vulnerabilities but do not distinguish between flaws that can be exploited to cause damage and those that cannot. Scanning is done continuously, especially after new equipment is loaded. Vulnerability assessment focuses on:
Identifying potential vulnerabilities
Classifying vulnerabilities into High, Moderate, and Low risk vulnerabilities
Identifying assets connected to the network
A penetration test, also called a pen test, is an attempt to exploit the vulnerabilities in a system, using the same methods that hackers use. It is done at least once a year. It helps determine whether unauthorized access to the system or other malicious activity is possible, and identifies which flaws pose a threat to the application. The goal of a penetration test is to identify actual risk. A pen test focuses on:
Identifying unknown (“zero-day”) vulnerabilities
Validating vulnerabilities by exploitation
Identifying additional vulnerabilities not identifiable or accessible by a vulnerability assessment
Examples of what could be found in a website VAPT?
Website VAPT, or website vulnerability assessment and penetration testing, is a step-by-step procedure to determine the security of a website by finding any vulnerabilities and taking appropriate action against them. Security can be assessed from the point of view of an end user, an admin and an anonymous user.
Some of the vulnerabilities that can be found using website VAPT are:
SQL injection
SQL injection is a web attack technique in which the attacker makes an application run code that it was not intended to run. It is considered a user input vulnerability. Hackers use this method to steal information from organizations. sqlmap is a tool that can be used to detect this vulnerability.
Cross-site scripting
Cross-site scripting, also called XSS or CSS, is an attack that occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. It leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content to an end user and collect some type of data from the victim. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
XPath injection
XPath injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
Cookie poisoning
Cookie poisoning is the modification of a cookie (personal information stored on a web user's computer) by an attacker to gain unauthorized information about the user for purposes such as identity theft. The attacker may use the information to open new accounts or to gain access to the user's existing accounts.
Buffer overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Directory traversal
Directory traversal is an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the web server's root directory.
Improper error handling
Error messages can reveal implementation details that should never be exposed, giving a hacker clues about potential flaws.
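For the directory traversal entry above, the following added example (not from the original page) shows one way a server-side handler can keep file access inside the web root by canonicalizing the requested path before use. The function name, directory layout and request strings are constructed for the illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(web_root, requested):
    """Map a request path to a file path, refusing anything outside web_root."""
    root = Path(web_root).resolve()
    # Decode percent-encoding once, so "%2e%2e" is seen as ".." before the check.
    decoded = unquote(requested)
    # Strip leading separators: an absolute path would otherwise replace root
    # when joined. resolve() then collapses ".." and follows symlinks.
    candidate = (root / decoded.lstrip("/\\")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def demo():
    """Run constructed request paths against a throwaway directory tree."""
    requests = ["index.html", "/index.html", "../secret.txt",
                "%2e%2e/secret.txt", "img/../../secret.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "index.html").write_text("public page")
        (Path(tmp) / "secret.txt").write_text("outside the web root")
        for req in requests:
            try:
                resolve_under_root(root, req)
                results[req] = "served"
            except PermissionError:
                results[req] = "blocked"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The check is made on the fully resolved path rather than on the raw string, so encoded and nested ".." sequences are rejected by the same comparison.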
Penetration Testing Services
A typical website penetration testing service comprises a simulation of real-life hacking methodologies. It encompasses various security attack vectors and the exploitation of potential vulnerabilities.
We follow a systematic yet agile approach to testing website security. This gives our customers extremely accurate and elaborate results, along with a knowledge base and years of experience in the subject matter.
Security testing is a continuous improvement process that pays off in increased ROI (return on investment). The benefits of a pen test are short-term as well as long-term.
Here is a list of typical questions that are on the minds of those who wish to use our services. If you seek more information, feel free to contact us.
Please see the list of key vulnerabilities that must be tested when performing website or web portal penetration testing.