Cyber Security

Penetration Testing

Remember, penetration testing is not functional testing. In penetration testing (pentesting), your goal is to find security holes in the system. Below are generic tests DSGi will run, which are not necessarily applicable to all applications.

Are you concerned about the security of your organization’s computer systems and networks? Do you want to ensure that your sensitive data is protected from cyber threats and vulnerabilities? If so, it’s time to consider penetration testing.

Penetration testing is a process of simulating a cyber attack on your organization’s systems and networks to identify vulnerabilities and assess the effectiveness of your security measures. By performing a penetration test, you’ll be able to identify and fix vulnerabilities before they can be exploited by cyber criminals, ensuring that your systems and networks are secure and your sensitive data is protected.

But that’s not all – penetration testing also offers a number of benefits for your organization. By performing a penetration test, you’ll be able to demonstrate to your customers, partners, and regulators that you take security seriously and are committed to protecting your sensitive data. You’ll also be able to improve the security of your systems and networks, reducing the risk of cyber attacks and data breaches.

So why wait? Protect your organization’s systems and networks and drive your security to success with penetration testing. It’s the smart choice for any organization looking to ensure that their sensitive data is protected from cyber threats and vulnerabilities.

 

  • Web Applications – Check if a web application is able to identify spam attacks on contact forms used in the website.
  • Proxy Servers – Check if network traffic is monitored by proxy appliances. Proxy servers make it difficult for hackers to get internal details of the network, thus protecting the system from external attacks.
  • Spam Email Filters – Verify if incoming and outgoing email traffic is filtered and unsolicited emails are blocked. Many email clients come with built-in spam filters, which need to be configured per your needs. These configuration rules can be applied on email headers, subjects or bodies.
  • Firewalls – Make sure an entire network or computers are protected with a firewall. A firewall can be software or hardware that blocks unauthorized access to systems. Firewalls can prevent data from being sent outside the network without your permission.
  • Exploits – Try to exploit all servers, desktop systems, printers and network devices.
  • Verification – Verify that all usernames and passwords are encrypted and transferred over secured connections like HTTPS.
  • Cookies – Verify information stored in website cookies. It should not be in a readable format.
  • Vulnerabilities – Review previously found vulnerabilities to check if the fix is working.
  • Open Ports – Ensure there are no unnecessary open ports on the network.
  • Telephones – Check all telephone devices.
  • WiFi – Test WiFi network security.
  • HTTP Methods – Review HTTP methods. The PUT and DELETE methods should not be enabled on the web server.
  • Passwords – Passwords should be at least 8 characters long and contain at least one number and one special character.
  • Usernames – Usernames should not be like “admin” or “administrator”.
  • Application Login Pages – Application login pages should be locked after a few unsuccessful login attempts.
  • Error Messages – Error messages should be generic and not mention specific error details like “Invalid username” or “Invalid password”.
  • Special Characters – Verify if special characters, HTML tags and scripts are handled properly as an input value.
  • Internal System Details – Internal system details should not be revealed in any of the error or alert messages.
  • Custom Error Messages – Custom error messages should be displayed to end users if a web page crashes.
  • Registry Entries – Review the use of registry entries. Sensitive information should not be kept in the registry.
  • Scanning Files – All files must be scanned before they are uploaded to the server.
  • Sensitive Data – Sensitive data should not be passed in URLs while communicating with different internal modules of the web application.
  • No Hard-Coded Usernames or Passwords – There should not be any hard-coded username or password in the system.
  • Input Fields – Check all input fields with long input strings – with and without spaces.
  • Password Functionality – Ensure reset password functionality is secure.
  • SQL Injection – Verify application for SQL Injection.
  • XSS – Verify application for Cross Site Scripting.
  • Input Validations – Important input validations should be done at server side instead of JavaScript checks at client side.
  • System Resources – Critical resources in the system should be available to authorized persons and services only.
  • Access Permissions – All access logs should be maintained with proper access permissions.
  • Ending Sessions – Check that user sessions end upon log off.
  • Directory Browsing – Verify that directory browsing is disabled on the server.
  • Up-to-Date Versions – Verify that all applications and database versions are up to date.
  • URL Manipulation – Review URL manipulation to make sure a web application is not showing any unwanted information.
  • Buffer Overflow – Check for memory leaks and buffer overflows.
  • Trojan Attacks – Verify if incoming network traffic is scanned to find Trojan attacks.
  • Brute Force Attacks – Check if systems are safe from brute force attacks, which use a trial-and-error method to find sensitive information like passwords.
  • DoS – Ensure the system or network is secured from DoS (denial-of-service) attacks. Attackers can target networks or a single computer with continuous requests. Resources on target systems get overloaded, resulting in denial of service for legitimate requests.
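
Several of the checks above (HTTP Methods, Directory Browsing, Internal System Details, Error Messages, Sensitive Data) can be run automatically over responses captured from your own application. The following is an added example, not code from DSGi or the original page; the function name, finding labels and matching heuristics are assumptions, and the sample exchanges are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristics for this example; tune them for the application under test.
RISKY_METHODS = {"PUT", "DELETE"}
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "ssn", "secret"}
SPECIFIC_LOGIN_ERRORS = ("invalid username", "invalid password")
INTERNAL_DETAIL = re.compile(
    r"Traceback \(most recent call last\)|SQLSTATE\[|\bat [\w.$]+\([\w$]+\.java:\d+\)"
)

def audit_response(url, headers, body):
    """Return sorted checklist findings for one captured HTTP exchange."""
    findings = set()
    hdrs = {k.lower(): v for k, v in headers.items()}
    # HTTP Methods: PUT and DELETE advertised in the Allow header.
    allowed = {m.strip().upper() for m in hdrs.get("allow", "").split(",")}
    if allowed & RISKY_METHODS:
        findings.add("http-methods")
    # Directory Browsing: auto-generated index page.
    if re.search(r"<title>\s*Index of /", body, re.I):
        findings.add("directory-browsing")
    # Internal System Details: stack traces or database errors in the body.
    if INTERNAL_DETAIL.search(body):
        findings.add("internal-details")
    # Error Messages: the response reveals which credential was wrong.
    lowered = body.lower()
    if any(msg in lowered for msg in SPECIFIC_LOGIN_ERRORS):
        findings.add("specific-login-error")
    # Sensitive Data: secrets passed as URL query parameters.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if {name.lower() for name, _ in query} & SENSITIVE_PARAMS:
        findings.add("sensitive-data-in-url")
    return sorted(findings)

# Constructed sample exchanges (not captured from any real system).
SAMPLES = [
    ("https://app.example/api/items", {"Allow": "GET, POST, PUT, DELETE"}, ""),
    ("https://app.example/uploads/", {}, "<html><title>Index of /uploads</title></html>"),
    ("https://app.example/login?user=bob&password=hunter2", {}, "<p>Invalid password</p>"),
    ("https://app.example/report", {}, 'Traceback (most recent call last):\n  File "app.py"'),
    ("https://app.example/login", {"Allow": "GET, POST"}, "<p>Login failed.</p>"),
]

def run_samples():
    return [audit_response(u, h, b) for u, h, b in SAMPLES]

if __name__ == "__main__":
    for (url, _, _), result in zip(SAMPLES, run_samples()):
        print(url, "->", result or "no findings")
```
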
VEKTRIX INTERNATIONAL