CCSC offers application and network level penetration testing performed through the industry tools and verified by certified security experts. This process reduces the number of false positives in the findings. We provide continuous and periodic (monthly, quarterly, annual) scans based on customer’s regulatory requirements.
External Penetration testing (Network Layer)
CCSC conducts network scan for customers at a predefined interval based on customer’s prior approval. Once appropriate IP addresses are captured, the system will be set up to perform scans upon verification that the same internet IP addresses are used.
CCSC will further attempt to exploit any vulnerability found by the network scan to eliminate any false positives. Thiswould be performedafter any known vulnerabilities are mitigated.
External Penetration testing (Application Layer)
CCSC assesses the application for known application vulnerabilities. Assessment techniques include:
- Parameter Tampering – Query strings, POST parameters, and hidden fields are modified to gain unauthorized access to data or functionality.
- Cookie Poisoning – Data sent in cookies is modified to test application response to receiving unexpected cookie values
- Session hijacking – CCSC attempts to take over a session established by another user to assume the privileges of that user.
- User privilege escalation – CCSC attempts to gain unauthorized access to administrator or other users’ privileges.
- Credential manipulation – CCSC modifies identification and authorization credentials in an attempt to gain unauthorized access to other users’ privileges.
- Forceful Browsing – Misconfigured web servers will send any file to a userif the user knows the file name and the fileis not protected. Therefore, a hacker may exploit this security hole, and “jump” directly to pages.
- Backdoors and Debug Options – Many applications contain code left by developers for debugging purposes. Debugging code typically runs with a higher level of access, making it a target for potential exploitation. Application developers may leave backdoors in their code. These backdoors, if discovered, could potentially allow an intruder to gain an additionallevel of access.
- Configuration Subversion – Misconfiguring web servers and application servers is a common The most common misconfiguration is one that permits directory browsing. Hackers can utilize this feature tobrowse the application’s directories (such as CGI-bin/) by justtyping in the directory name.
- Input validation bypass – Client-side validation routines and bounds-checking are removed to ensure controls are implementedon the server.
- SQL injection – Specially crafted SQL commands are submitted in input fields to validate input type controls.
- Cross-site scripting – Active content is submitted to the application to cause a user’s web browser to execute unauthorized code. This test is meant to validate user input type controls.