Overview and features of Web App Security Assessment
Overview
The "Web App Security Assessment" that we at Cyber Defense offer exposes hidden vulnerabilities in web applications by launching a simulated attack against the system while our experienced analytic engineer observes from the attacker's viewpoint. This penetration test is performed manually by our analytic engineer. It is effective for discovering vulnerabilities that conventional tools cannot detect, and it is most effective for grasping the extent of the damage an attack incident could cause. Naturally, vulnerabilities that ordinary tools can detect are also revealed manually and reported.
Features
- Manual analysis (penetration testing) is conducted by our analytic engineer.
- Vulnerabilities are exposed from an attacker's viewpoint.
- By combining the vulnerabilities detected above, a set of threat scenarios is prepared so that the actual risks can easily be envisioned.
- Foreseeable effects and recommended measures are also covered in the report, including for areas where no vulnerabilities were detected.
- The analysis environment can be set up remotely or on-site, whichever suits the client.
Diagnosis phase - 1
Information gathering. Targets are narrowed down, and known vulnerabilities are listed.
Pattern matching tests are run against our vulnerability database.
Improper configurations of the platform, as well as vulnerabilities caused by a simple lack of security measures, are listed.
- Known version-specific vulnerabilities are confirmed from the platform's version
- Areas where simple input/output values are insufficiently sanitized are identified:
  - SQL/command injection
  - Directory traversal
  - Cross-site scripting
  - HTTP header injection
- Unnecessary files and directories on the platform are searched for
- Cookie attributes are confirmed
- Locations where browser-side personal information is stored (cached) are identified, among other checks.
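As an added illustration of the "cookie attributes are confirmed" check above (example code written for this page, not Cyber Defense's own tooling), the following script parses Set-Cookie header values and reports which protective attributes are missing: Secure, HttpOnly, SameSite, the Secure requirement that SameSite=None carries, and the rules attached to the __Host- name prefix. The sample headers are constructed for the example and were not captured from any real site.

```python
"""Audit Set-Cookie headers for missing hardening attributes.

Added example: parses each Set-Cookie value and lists the protective
attributes it lacks. The sample headers below are constructed, not
captured from a real application.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers, as a server might send them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracking=xyz; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "__Host-csrf=tok; Path=/; Secure",
    "__Host-bad=tok; Path=/; Domain=example.com",
    "pref=dark; Path=/; HttpOnly; SameSite=None",
]


@dataclass
class CookieFinding:
    """One cookie and the list of attribute problems found on it."""
    name: str
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attr: value}).

    Attribute names are lower-cased so the checks are case-insensitive;
    flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str) -> CookieFinding:
    """Check one Set-Cookie value against common hardening expectations."""
    name, _value, attrs = parse_set_cookie(header)
    finding = CookieFinding(name=name)
    if "secure" not in attrs:
        finding.issues.append("missing Secure")
    if "httponly" not in attrs:
        finding.issues.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        finding.issues.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        finding.issues.append("SameSite=None requires Secure")
    if name.startswith("__Host-"):
        # __Host- cookies must be Secure, have Path=/, and carry no Domain.
        if "secure" not in attrs:
            finding.issues.append("__Host- prefix requires Secure")
        if attrs.get("path") != "/":
            finding.issues.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            finding.issues.append("__Host- prefix forbids Domain")
    return finding


def audit_headers(headers: List[str]) -> List[CookieFinding]:
    """Audit a list of Set-Cookie values and return one finding per cookie."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for f in audit_headers(SAMPLE_SET_COOKIE_HEADERS):
        status = "ok" if not f.issues else ", ".join(f.issues)
        print(f"{f.name}: {status}")
```

Flagging a missing HttpOnly on every cookie is deliberate: a cookie that legitimately has to be readable by script (a double-submit CSRF token, for instance) still shows up, and the analyst decides whether the exception is justified rather than the script silently accepting it.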
Hidden threats to the target system are hypothesized as the vulnerabilities are investigated further.
A vulnerability assessment using only conventional tools stops at the step above. Cyber Defense's assessment service digs much deeper into the vulnerabilities.
- Actually using the application lets us fully grasp its characteristics.
- The linkage between the application and its database, as well as with mail and distribution systems, is worked out.
- Following the proper steps lets us determine where all confidential data is stored.
- To narrow down the foreseeable threat scenarios, the strengths and weaknesses of the system's specific security characteristics are defined.
Diagnosis phase - 2
Threat correlation analysis / pattern matching
Investigation is conducted by actually attacking the identified vulnerabilities.
- All parameters (including hidden ones) are forcibly exposed in a parameter tampering test.
- GET/POST methods are modified.
The security strength of the client-server HTTP state is investigated.
- The range affected by header modification is identified.
- The possibility of session data contamination and session hijacking is investigated.
Main points analyzed:
Directory scanning and extraction of known vulnerability information / invalid HTTP GET/POST state manipulation / vulnerabilities in authentication and session management / invalid parameter entry / XSS, CSRF, and CRLF / various injection attempts (such as SQL injection) / DoS, buffer overflow, etc.
Diagnosis phase - 3
Simulated attack
After assessing the analysis results, a simulated hacking test is conducted.
Point
- While the risk level of each individual vulnerability may not be known, if this kind of chained attack succeeds, it can lead to large-scale damage such as leakage of personal information.
- In addition, such attacks are difficult for an IPS to detect, so they can be carried out rather silently.
- Even a minuscule vulnerability can turn certain web application specifications into a minefield of catastrophes and losses.
Diagnosis phase - 4
Threat identification / analysis / penetration test results reported
A step-by-step reproduction of each vulnerability is explained, and the countermeasure for each vulnerability is explained in detail. In the comprehensive evaluation stage, system-wide security strengths and the risk of actual attackers stealing information are commented on, and future measures are discussed.
Reported contents
- Analysis requirements and the target system are explained
- Executive summary
- Reproduction methods and remediation methods are described in detail (display data is optional)
Case study
In accordance with the client's needs and budget, the scope and requirements of the analysis are proposed.
Dynamic/static portal site contents
- Diagnosis points: 5-10
- Diagnosis parameter count: 20-40
Dynamic/static portal site contents
- Diagnosis points: 100-
- Diagnosis parameter count: 500-
- Diagnosis day count: 1 week -
Dynamic/static e-commerce/accounting site contents
- Diagnosis points: 300-
- Diagnosis parameter count: 2000-
- Diagnosis day count: 2 weeks -