Web Application Penetration Testing Training 8 (1)

Description:

Securium Fox Technology provides cyber security services in the USA, India, Bangalore, the UK, London, China, Africa and Japan, as well as ethical hacking, penetration testing and training. Securium Fox Technology also provides certification for all platforms, such as CISCO, Microsoft, EC-Council, ISC2, Red Hat and so on. You get any certification with a 100% exam crack result. CISCO certifications: CCNA, CCNP, CENT and so on. EC-Council certifications: CEHv10, CHFI, LPT, ECSA and so on. ISC2 certifications: CISM, CISSP and so on. Microsoft certifications: MCSA, MCITP and so on.

Transcript and Presenter's Notes

1
ABOUT US
SECURIUM FOX offers cyber security consultancy
services with its expert and experienced team.
With more than 15 years of experience, we provide
consulting services to prevent cyber attacks and
data leaks and to ensure that our customers are
ready and safe against cyber attacks. In addition
to pentests and consulting services, SECURIUM FOX
prepares its customers and field enthusiasts for
real-life scenarios by providing training in a lab
environment prepared by its own young, dynamic
team, which constantly keeps up to date. As long
as hackers are part of our lives, there is always
a risk that we will face a cyber attack. Over the
years, given the effects and number of attacks,
cyber security has become a critical precaution
for all organizations and companies. SECURIUM FOX
tests customers' weak points against possible
attacks and provides consulting services to
eliminate these weak points. The SECURIUM FOX team
also supports the development of our country in
this field by supporting free events organized on
a volunteer basis by the Octosec team.
2
  • WEB APPLICATION SECURITY AND PENETRATION TESTING
    TRAINING

3
WEB APP PENETRATION TESTING
  • Penetration testing is a simulated attack on
    your system to reveal any security weak spots or
    loopholes in your web applications. Penetration
    testing, also known as pen testing or security
    testing, is the only way to find out what an
    actual hacker could access from your systems. It
    lets you find and fix any vulnerabilities so you
    can achieve water-tight, hack-proof protection
    for your business.
  • Hack-proof your web applications for peace of
    mind
  • Security is not something you can sweep under the
    carpet. In the internet age, protecting your
    systems from attack is mission critical. An
    expert penetration test tells you what you need
    to know to minimise business risk.
  • Determine the possibility of specific attack
    vectors.
  • Identify a combination of high and low risk
    vulnerabilities exploited in a specific sequence.
  • Uncover vulnerabilities that cannot be detected
    easily by automated vulnerability scanning
    software.
  • Measure the potential impact of real attacks on
    your business operations.
  • Assess the ability of automated network software
    to detect and respond to attacks on your systems.
  • Ensure that all data security compliance
    protocols are being met, particularly in the
    Payment Card Industry.
  • Detailed reports that support your initiatives to
    improve organisational information and invest in
    more technology/security staff.

4
  • Why you need skilled ethical hackers
  • You'll need to hire one or a team of penetration
    testers for successful web application pen
    testing. The penetration testers, also called
    ethical hackers, are not given access to source
    code and will try to attack your system in a
    simulated and safe environment. If they can get
    in, so can a real hacker.
  • Why your Web Applications should be Penetration
    Tested
  • Not only does penetration testing find the
    loopholes in your information security systems,
    it also tests the efficacy of your security
    policies and procedures.

5
  • Test your people
  • Penetration tests help information security staff
    gain experience dealing with a potential breach.
    When conducted without prior notice, a test will
    determine how well your policies are being
    implemented. They'll tell you if your employees
    need more awareness or training in procedures to
    safeguard organisational information.
  • Test your policies
  • Penetration tests reveal any flaws in your
    security policy. Some organisational policies,
    for instance, focus on preventing and detecting
    attacks but have no proper stance on dislodging
    an ongoing attack. In this situation, a
    penetration test will show if your security
    personnel are not equipped to remove a hacker
    from your system in time to prevent significant
    damage.

6
  • Prioritise your security spend
  • By revealing the weakest links in your web
    applications, penetration testing reports help
    you prioritise your security spend. The reports
    allow web application developers to identify
    mistakes and train towards programming
    perfection. When developers see how the hacker
    was able to break into their application, they
    can code stronger, more secure web applications.
  • How to choose a good Penetration Tester
  • In 2010, the Penetration Testing Execution
    Standard (PTES) was developed to provide a widely
    accepted penetration testing methodology. Below
    we explain in simple terms the steps of the PTES
    methodology, making it easier for you to choose
    expert testers and fully protect your web
    applications.

7
  • Pre-engagement Interactions
  • A penetration tester will have access to your
    organisation's sensitive information, so you need
    to choose a reliable individual or team. It's
    important to be clear about your requirements when
    you brief the penetration tester. Here are key
    points for consideration:
  • Scope
  • Do you want it performed on a particular business
    area or your entire business? Specify what is
    included and what is not.
  • Schedule
  • At what time will the test be performed, and for
    what duration will it be performed while the
    business is still running?
  • Whitebox or Blackbox test
  • For a blackbox test the tester is not given any
    information, just like an outsider. In a whitebox
    test, a tester is given basic access or
    information to start with.
  • Communication channels
  • Contacts of all involved individuals and parties
    must be provided before the start of the pentest
    process to avoid unintended consequences.

8
  • Intelligence Gathering
  • The penetration tester plans the attack. An
    experienced tester will have a clear idea of what
    is within scope and what is not. However, if your
    provider is not looking at each and every area of
    scope to ferret out information in every possible
    way, you will know they are not doing their job
    correctly.
  • Threat Modelling
  • After gathering relevant information, a pen
    testing methodology builds a profile of your
    company along with its assets. The pen tester
    will look for assets with the highest value,
    which might include organisational policies and
    procedures, customer data an
  • Vulnerability Analysis
  • Sound methodology for web application penetration
    testing will always clearly define the project
    scope to make sure desired outcomes are met. With
    clear target assets in line, the pen tester will
    determine how to enter and exploit them. All
    vulnerabilities

9
  • Exploitation and Post Exploitation
  • Once the entry points and related vulnerabilities
    are identified, the pen tester then simulates a
    real attack, just as a real hacker would do.
    After gaining access to the system, the pen
    tester will try to remain undetected and will try
    to gain more access to extract maximum
    sensitive information.
  • In the post-exploitation phase, the penetration
    tester assesses the value of the compromised
    system and identifies its potential to be
    exploited for later use.

10
  • Reporting
  • A report is the true essence of a penetration
    test, because it provides a detailed, prioritised
    account of exploitations and vulnerabilities that
    need to be rectified.
  • Penetration testing reports must include
    high-level recommendations for problems with the
    web applications, how the exploitations were
    carried out and measure the risk level of the
    identified vulnerabilities.
  • If your organisation is not yet regularly pen
    testing web applications and overall systems, it
    is more than likely to be at significant risk.
    Web application security is not a nice-to-have;
    it is a must-have, right now. Your initial
    penetration test results will probably be an
    eye-opener, highlighting vulnerabilities you had
    no idea were there.

11
  • You can always contact SECURIUM FOX. You can
    reach us through our email addresses or by
    using the contact form on the side.
  • INFO
  • 3rd Floor, Lohia Towers,
  • Nirmala Convent Rd,
  • Gurunanak Nagar, Patamata, Vijayawada,
  • Andhra Pradesh - 520010
  • 9652038194
  • 08666678997
  • info_at_securiumfoxtechnologies.com

12
  • Andhra Pradesh Office: 91 8666678997, 91 91652038194;
    3rd Floor, Lohia Towers, Nirmala Convent Rd, Gurunanak
    Nagar, Patamata, Vijayawada;
    info_at_securiumfoxtechnologies.com
  • UK Office: 44 2030263164; Velevate, Kemp House,
    152 - 160, City Road, EC1V 2NX London;
    info_at_securiumfoxtechnologies.com
  • Tamil Nadu Office: 91 9566884661; Kailash Nagar, Nagar,
    Tiruchirappalli, Tamil Nadu 620019;
    info_at_securiumfoxtechnologies.com
  • Noida Office: 91 (120) 4291672, 91 9319918771;
    A-25, Block A, Second Floor, Sector - 3, Noida, India;
    info_at_securiumfoxtechnologies.com
  • USA Office: 1 (315)933-3016; 33 West, 17th Street,
    New York, NY-10011, USA;
    info_at_securiumfoxtechnologies.com
  • Dubai Office: 971 545391952; Al Ansari Exchange,
    Ansar Gallery - Karama Branch, Hamsah-A Building -
    3 A St - Dubai - United Arab Emirates;
    info_at_securiumfoxtechnologies.com