top of page

PENETRATION TESTS

WEB

We test web applications using Black Box and Gray Box methodologies.

Test findings are used to create a report, delivered in digital form, including the description and proof of identified vulnerabilities, guidelines aimed at their elimination, and an indication of the potential effects of their use.

The methodology used in the process encompasses the best practices described in „OWASP Testing Guide V4”.  tests are performed to detect programming, configuration, and logical errors, most of the time without access to application code or configuration files.

MOBILE
 

Tests of mobile applications are performed using Black Box and White Box methodology. The audit is intended to check the security of a mobile application, the communication between the application and the backend server, as well as the data stored locally by the application.

In black-box testing, the auditor's initial knowledge of the analyzed application is limited. Test accounts reflecting particular authorization levels are created for the time of the audit.

The tests are aimed at detecting programming, configuration, and logical errors related to the operation of the mobile application without access to its initial source code.

The method used in testing includes the verification of threats presented in "OWASP Top 10 Mobile Risks". Test findings are used to create a report, delivered in an electronic form, including the description and proof

of identified vulnerabilities and guidelines aimed at their elimination.

THICK CLIENT

Testing the thick client application is intended to check security and identify threats related to the software of that type.

The process consists of manual verification of particular vulnerability classes and, if possible, automatic testing, which is run parallelly. The application is subject to both static and dynamic analysis.

Test findings are used to create a report, delivered in an electronic form, including the description and proof of identified vulnerabilities and guidelines aimed at their elimination.

If the thick client application relies on the API service, it too is subject to testing. In this case, our signature expert approach is employed, drawing on best market practices and the OWASP Application Security Verification Standard (ASVS).

TESTING METHODS:

  • Dynamic tests, for instance, fuzzing, interference in network traffic, verification of cryptographic protections, and application debugging.

  • Checks to operating system components, e.g. reviewing logs, application data, processes, memories, and registry keys related to the application.

  • Static tests, e.g., reverse engineering, analyzing the delivered binaries.

If the thick client application relies on the API service, it is also subject to testing.

Test findings are used to create a report, delivered in an electronic form, including the description and proof of identified vulnerabilities and guidelines aimed at their elimination.

INFRASTRUCTURE

INTERNAL AND EXTERNAL

These consist of testing all the discovered sub-networks of a device in terms of possible vulnerabilities or misconfiguration errors that enable taking control over the component in question. Tests also cover the possibility of performing an effective DoS attack aimed at interrupting the proper functioning of local network hosts. In the event of using switches from a niche manufacturer, it may result in a network failure in the case of performing simple attacks, such as ARP spoofing.

The goal of these tests, above all, is to determine the visibility of hosts with their services which may be subject to an attack by persons with physical access to the network. The general idea behind the tests is to compromise as many network devices as possible.

Infrastructure testing aims to verify the security of services and systems available to the users via the Internet (external) and LAN network (internal).

External infrastructure tests are performed using an expert approach, emulating the best market practices, CIS Security Benchmarks, DISA STIGs, OSSTMM, and PTES.

The procedure consists of automatic testing, whose goal is to identify the most vulnerabilities, and manual verification to confirm the vulnerabilities and their exploitation.

The tests encompass the following activities:

  • Identification of shared services

  • Identification of vulnerabilities in detected services

  • Verification of identified vulnerabilities

  • Attempts at exploiting identified vulnerabilities (if included in the test scope)

Complete the form and we will contact you within 24 hours.

bottom of page