Web Vulnerability Analysis
IT security is a complex topic that involves procedures that require explanation. In order to explain our services to you in a comprehensible way, we have put them into an everyday context. The protagonists are our basement keepers Maximilian and Amir.
"Amir is excited, a promising applicant for an open position at DriveByte is about to arrive. Since this is an important key position in the company, the new employee must of course be chosen carefully and with consideration."
Amir prepares the room with drinks, pens and paper. Preparations for the penetration test are also made in your company. In the course of this, the applications and user accounts to be checked are defined and entry points are coordinated.
The first minutes of the interview are over. Like Amir, our experts now test everything discussed in the kick-off for vulnerabilities. Depending on the technical environment, new exploits are written or existing ones are used.
Reporting & Documentation
Maximilian wants to know how the conversation went. Over a cup of coffee, Amir begins to summarize his impressions in an e-mail. You don't receive an e-mail from us, but a detailed report, actionable recommendations and an executive summary.
Presentation & Support
The basement radio at DriveByte works well, as always. Questions about the potential candidate crowd in from every office. Our experts also answer all your questions, present the results in person and assist in fixing any weaknesses.
The Web Vulnerability Analysis (WVA) focuses on websites and web applications, whether self-hosted or externally hosted. Any type of website or web application can be tested, including extranet-, intranet-, and internet-facing systems. The Offensive Expert uses a wide range of publicly available, commercial, and self-developed frameworks and tools to thoroughly analyze the vulnerability and exploitation potential of the tested website or web application. The WVA incorporates the well-known and regularly updated OWASP Top 10 (Open Web Application Security Project) to determine how vulnerable and exploitable the website or web application is with respect to the ten most prevalent classes of web attacks. If requested by the customer, the WVA also includes a Lateral Movement and Privilege Escalation stage, which establishes an actionable link between a web vulnerability and its possible consequences for the underlying infrastructure.
During a blackbox test, the Offensive Expert is given only an entry point, i.e. the IP address or hostname of a website or web application, and no further information about the underlying infrastructure, security precautions, connected databases or source code. This WVA module is specifically designed to simulate a real attack against the website or web application, in which the Offensive Expert uses only publicly available information gathered during the Reconnaissance phase.
A whitebox test gives the Offensive Expert insight into the architecture of the website or web application, usually including the source code and the underlying infrastructure of the entry point. This type of test is recommended before an application goes into production, so that security vulnerabilities are fixed during the development phase. In addition, the Offensive Expert performs Static and Dynamic Code Analysis to identify risky configurations and outdated libraries in use.
This variant is identical to the Whitebox-WVA approach, except that the Offensive Expert receives only customer-provided credentials and no insight into the system's internals.