A typical website penetration testing service comprises of simulation of real life hacking methodologies. It encompasees various security attack vectors and exploitation of potential vulnerabilities. Web application security testing performed by Valency Networks is an entirely manual approach. This service basically answers questions such as "What is Web VAPT", "How web pentesting is carried out?". While we do use automated tools, in order to mimic the real life hackers, we perform testing manually using pre-validated and highly technical test cases, that follow OWASP Top 10 standard.
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. As a best pentesting company we witness multiple scenarios while performing vulnerability assessment for our customers. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.
It was discovered that SQL Injection techniques can be used to fool the application into authenticating without the attacker needing valid credentials. SQL Injection vulnerabilities on login pages expose an application to unauthorized access and quite probably at the administrator level, thereby severely compromising the security of the application.
Applications require authentication for gaining access to private information. Not every authentication method is able to provide adequate security. A flaw in the application that allows users to access application resources without authentication is referred as’ Authentication Bypass’. Authentication bypass vulnerability is generally caused when it is assumed that users will behave in a certain way and failing to foresee the consequences of users doing the unexpected.
Likelihood: Likelihood of authentication bypass exploit using forceful browsing technique or URL parameter tampering is ‘High’ as any normal internet user could launch this attack. Authentication Bypass using ‘POST’ parameter or session cookies tampering or SQL injection may require tools like web proxy and little knowledge on hacking techniques. Hence, Likelihood of vulnerability in this case may be rated as ‘Medium/High’.
Impact: If an attacker could obtain sensitive personal data of a user, then impact of the vulnerability could be rated as ‘High’. If an attacker could gain access only to static pages, then impact of the vulnerability could be rated as ‘Medium’.
Code Injection, or Remote Code Execution (RCE) refers to an attack where in an attacker is able to execute malicious code as a result of an injection attack. Code Injection differs from Command Injection since an attacker is confined to the limitations of the language executing the injected code. While its possible for an attacker to escalate an attack from Code Injection to execute arbitrary shell commands, its not always the case.
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Typically a non-admin user would try to become an admin user, to gain more access than required. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used.
Privilege escalation has 2 types:
Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.)
Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)
It is typically and wrongly assumed that an application is always hacked at application layer. Considering the mentality of a hacker, they always want to gain maximum control. This can be achieved by infiltrating or compromising the hosting server itself. This can lead the attacker to gain direct access to the code and databases.
Server Misconfiguration attacks exploit configuration weaknesses found in web servers and application servers. Many servers come with unnecessary default and sample files, including applications, configuration files, scripts, and web pages. They may also have unnecessary services enabled, such as content management and remote administration functionality. Debugging functions may be enabled or administrative functions may be accessible to anonymous users. Website security testing services features basically provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.
Servers may include well-known default accounts and passwords. Failure to fully lock down or harden the server may leave improperly set file and directory permissions. Misconfigured SSL certificates and encryption settings, the use of default certificates, and improper authentication implementation with external systems may compromise the confidentiality of information. Verbose and informative error messages may result in data leakage, and the information revealed could be used to formulate the next level of attack. Incorrect configurations in the server software may permit directory indexing and path traversal attacks.
Cookies are an important feature of Web Applications and penetration testers must have a good understanding of Cookies from Security Point Of View . Once the tester has an understanding of how cookies are set, when they are set, what they are used for, why they are used, and their importance, the penetration tester must know how to test if they are secure.
if an attacker were able to acquire a session token by attacks such as cross site scripting or by sniffing an unencrypted session, then they could use this cookie to hijack a valid session.
Additionally, cookies are set to maintain state across multiple requests. Since HTTP is stateless, the server cannot determine if a request it receives is part of a current session or the start of a new session without some type of identifier. This identifier is very commonly a cookie although other methods are also possible.
Hence due to the sensitive nature of information in cookies, they are typically encoded or encrypted in an attempt to protect the information they contain.
Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.