Our Approach

When performing vulnerability scans, there is always a risk of affecting a system, causing it to degrade in performance or stop functioning altogether. We mitigate this risk by conducting interviews with the client to understand the design of the network and its systems. On production systems, critical servers are identified and a decision is made whether or not to include them as targets for the scan.

This decision depends on the risk tolerance of the customer and the potential impact to the customer in the event the scan causes a system to degrade in performance or stop functioning.

Work Scope

The vulnerability scan has three phases:

  1. network discovery
  2. vulnerability assessment, and
  3. manual checks

Our Security Experts perform the following steps:

  • Perform broad scans to identify potential areas of exposure and services
  • Perform targeted scans, manual checks and investigation to validate vulnerabilities
  • Test components to gain access
  • Identify and validate the vulnerabilities
  • Rank vulnerabilities based on threat levels, potential loss and likelihood of exploitation
  • Identify issues of immediate consequence and recommend solutions
  • Transfer knowledge

Web Application VAPT Scope

OWASP Top 10

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

Web Application Specific

  1. Cookie Injection Attack
  2. Man-in-the-Middle Attack
  3. Session Replay Attack
  4. Cookie Poisoning Attack
Technical Attack Overview

  1. Web Internet gateway and firewall analysis
  2. Web server vulnerability analysis
  3. Patch level testing and resulting vulnerabilities
  4. Rootkit attack possibility and dormancy
  5. SQL injection and session stealing attacks
  6. Application code related (XSS, cookies and many more)
  7. Cryptography related (layer 6)
  8. Backend database reachability and pentesting
  9. Miscellaneous web services called by apps, XML payloads
  10. Cloud login scenario testing
  11. All of the above as black box
  12. All of the above as grey box
  13. Scanning for 1000+ known code-level vulnerabilities

Mobile Application VAPT Scope

Test Data at Rest

  1. Can data/manifest be hacked?
  2. Can other apps access your app's data?
  3. Can your app cross boundaries, leading to potential data theft?
  4. Packet capturing to determine session/cookie stealing
  5. Manual check for form hijacking and other typical attacks
  6. Checking whether the app reveals sensitive information via logs
  7. Missing function level access control

Test Data in Transit

  1. Checking whether data to and from your app is encrypted
  2. Checking whether the encryption can be bypassed
  3. Checking whether your app makes web service/database calls securely
  4. All of the above for Layer 3 (Network)
  5. All of the above for Layer 6 (Session)
  6. All of the above for Layer 7 (Application)
Additional Tests

  1. Vulnerability scan of the app for hundreds of typical vulnerabilities exposing platform-specific security problems
  2. Vulnerability scan of the app for typical configuration mistakes
  3. Test the possibility of malware injection, i.e. whether it could invade the code, manifest or libraries of the mobile app

Submit your web/mobile application now!

Make your client's data secure with INVESICS.