What is Application Security Testing?

The purpose of this assessment was to evaluate the cyber security of your Web Application using simulated attacks to identify and exploit vulnerabilities in your Web Application. Malicious attacks are simulated using a variety of manual techniques supported by automated tools. Our penetration testing methodology goes beyond the detection process of simple scanning software to identify and prioritize the most vulnerable areas of your Web Application and recommend actionable solutions.

Web Application Penetration Testing Methodology

KRATIKAL’s discursive method for web application penetration testing overlay the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10 2017, including but not limited to: Injection, Broken Authentication, Sensitive Data Exposure, XXE, Broken Access Control, Security Misconfigurations, XSS, Insecure Deserialization, using components with Known Vulnerabilities, and so more. Each and every web application penetration test is conducted consistently using globally accepted and industry standard frameworks. In order to ensure a sound and comprehensive application penetration test, Kratikal leverages industry standard frameworks as a foundation for carrying out penetration tests.

Kratikal is now empanelled by CERT-In

Kratikal provides a complete suite of Customizable Security Auditing Services.

Industry’s Best Security Standards

Our team of experts uses practices that involve the industry’s best security standards including:

OWASP Secure Coding Guidelines

Input Validation
Output Encoding
Session Management
Access Control
Cryptographic Practices
Error Handling and Logging
Communication Security
System Configuration
Database Security
File Management
Memory Management
General Coding Practices
Authentication and Password Management

SANS25 Secure Coding Guidelines

Out-of-bounds Read, Integer Overflow or Wraparound
Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exposure of Sensitive Information to an Unauthorized Actor
Use After Free, Improper Authentication
Cross-Site Request Forgery (CSRF), Missing Authorization
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

High Level Test Cases

Test Cases for Black-Box Assessment:

Information Gathering
Configuration and Deploy Management Testing
Data Validation Testing
Cryptography

Test Cases for Grey-Box Assessment:

Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Business Logic Testing

Security Testing Methodology

1

Reconnaissance

The first phase in a web application penetration test is focused on collecting as much information as possible about a target application. Reconnaissance, aka Information Gathering, is one of the most critical steps of an application pen test. This is done through the use of public tools (search engines), scanners, sending simple HTTP requests, or specially crafted requests. As a result, it is possible to force the application to leak information, e.g., disclosing error messages or revealing the versions and technologies used.
Example testing include: Conduct Search Engine Discovery and Reconnaissance for Information Leakage, Search Engine Recon, App Enumeration and App Fingerprinting, Identify app entry point

2

Configuration Management

Comprehending the deployed configuration of the server/infrastructure hosting the web application is nearly as critical as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server (insecure HTTP methods, old/backup files).
Example testing includes: TLS Security, App platform configuration, File Extension Handling and Cross Site Tracing, Test HTTP strict transport security, Test HTTP methods, Test File permission

3

Authentication Testing

Authentication is the process of attempting to verify the digital identity of the sender of a communication. The most common example of such a process is the log on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.
Example testing includes: Weak lockout mechanism, Bypassing authentication schema, Browser cache weakness, Weaker authentication in alternative channel.

4

Session Management

Session Management is defined as the set of all controls governing the stateful interaction between a user and the web application he/she is interacting with. In general, this covers anything from how user authentication is carried out, to what happens when they log out.
Example testing includes: Session Fixation, Cross Site Request Forgery, Cookie Management and Session Timeout, Testing for logout functionality.

5

Authorization Testing

Authorization Testing involves understanding how the authorization process works and using that information to circumvent the authorization mechanism. Authorization is a process that comes after a successful authentication, so the pen tester will verify this point after he/she holds valid credentials, associated with a well-defined set of roles and privileges. As a result, it should be verified if it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges
Example testing includes: Directory Traversal, Privilege Escalation and Bypassing Authorization Controls, Insecure direct object reference.

6

Data Input Validation

The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows. Example testing include: Cross Site Scripting, SQL Injection, OS Commanding and Server- Side Injection, code injection, Local file inclusion and Remote fie inclusion, Buffer overflow

7

Testing for Error handling

Often, during a penetration test on web applications, we come up against many error codes generated from applications or web servers. It's possible to cause these errors to be displayed by using a particular request, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.
Example testing include: Analysis for Error codes, Analysis for Stack Traces.

8

Testing for Business logic

There are many examples that can be made, but the one constant lesson is "think outside of conventional wisdom". This type of vulnerability cannot be detected by a vulnerability scanner and relies upon the skills and creativity of the penetration tester. In addition, this type of vulnerability is usually one of the hardest to detect, and usually application specific but, at the same time, usually one of the most detrimental to the application, if exploited.
Example testing include: Integrity checks, Process timing, Upload of unexpected filetype, Ability to forge request.

9

Client-side testing

Client-Side testing is concerned with the execution of code on the client, typically natively within a web browser or browser plugin. The execution of code on the client- side is distinct from executing on the server and returning the subsequent content.
Example testing include: JavaScript execution, Client-side URL redirection, Cross origin resource sharing and Manipulation.

10

Denial-of-Service (Optional)

A denial of service (DoS) attack is an attempt to make a resource unavailable to its legitimate users. Traditionally, denial of service (DoS) attacks have been network based: a malicious user floods a target machine with enough traffic to make it incapable of servicing its intended users. There are, however, types of vulnerabilities at the application level that can allow a malicious user to make certain functionality unavailable. These problems are caused by bugs in the application and often are triggered by malicious or unexpected user input. This phase of testing will focus on application layer attacks against availability that can be launched by just one malicious user on a single machine. Not all clients have an appetite for DoS testing, therefore it may not always be a component of each and every penetration test.

11

Reporting

The reporting step is intended to deliver, rank and prioritize findings and generate a clear and actionable report, complete with evidence, to the project stakeholders. The presentation of findings can occur in-person–format is most conducive for communicating results. At Kratikal, we consider this phase to be the most important and we take great care to ensure we’ve communicated the value of our service and findings thoroughly

Tools Used

We use industry benchmark security testing tools across each of the IT infrastructure as per the business and technical requirements.
Below are few from many of the tools we use:

Burpsuite

Nessus

Nmap

Acunetix

Net Sparker

DIRB

What Our Clients Say About Us?

"From high level concepts to hands on training,Kratikal's courses provide enough details and depth to allow us to show the skillsets learned immediately after the learning, allowing our employees to see their return on investment."

Unisys Global

"In their pentesting results, we came across few gaps which our teams couldn't have ever identified or spotted. Kratikal made us realize that getting an external perspective into how we are performing can have great benefits."

Ashutosh, Director (Knowlarity)

"The competent experts from Kratikal identified bugs present in our app and helped us in patching all the vulnerabilities found. We are glad that we reached out to Kratikal and opted for their VAPT services."

Akash Srivastava, CTO (Revv)

Frequently Asked Questions

Browse through the FAQs given below to find answers to the commonly raised questions related to the VAPT services

What is VAPT?

Vulnerability Assessment and Penetration Testing (VAPT) is a security testing methodology that is composed of two, more specific methods within the same area of focus. The test is undertaken to perform security vulnerability assessment and identify the exploitable security vulnerabilities in your organization’s IT infrastructure.

Do I need VAPT even if my data is stored in the cloud?

You may have moved your assets to the cloud, however, that doesn’t mean that your data is 100% secure. Cloud security testing services are crucial to the security assurance of the cloud environment, systems and services.

What is the duration of performing VAPT?

The timeline of vulnerability assessment and penetration testing depends on the type of testing and the size of your network and applications.

How much does the VAPT service cost?

There is no fixed price for a vulnerability assessment and penetration test. The cost depends on the time and effort it takes to carry out VAPT on your network and systems.

Do you provide cyber security consulting?

Yes, Kratikal is counted amongst the top VAPT companies in India. Our cyber security experts provide cyber security consulting services to help you protect your company’s systems, grow your business, and deploy proper security solutions to ensure safe operation.