SlideShare une entreprise Scribd logo

Web application penetration testing

Imaginea
Imaginea
Technologie
1  sur  12
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Information Security Group (ISG) Web Application Penetration Testing reachus@imaginea.com
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Web Application Penetration Testing Overview Web Application Penetration Assessment looks from the perspective of a malicious hacker and finds the holes before they can be exploited. We rely on a detailed and well-established manual testing methodology for accuracy and effectiveness. Open source and commercial tools will be used to automate many routine security testing tasks.
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Penetration Testing Methodology Step 1 • Information Gathering Step 2 • Analysis and Planning Step 3 • Vulnerability Identification Step 4 • Exploitation Step 5 • Risk Analysis and Remediation Suggestion Step 6 • Reporting
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Information Gathering Template Information Required Data Application Name (Eg: LeanTaas) What is the type of the application? (Static / Dynamic / Applets / Web Services) Provide application URL What are all the application user roles? (Eg: User, Administrator, Manager) Is the application used by multiple clients? (Yes/No) If Yes, provide credentials for at least two clients Provide at least two sets of credentials for each user role Specify scope of the test (Internal application functionality and URLs to be tested) Provide application User Manual/ Help documents
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Analysis and Planning Analysis Verification of gathered template information Client communication for clarifications Understanding the application functionality Identification of critical application components and corresponding vulnerabilities to be tested Planning Test modularization based on functionality or vulnerability focus areas Plan for automation testing phase Plan for exploitation phase Plan for risk analysis and reporting phases Time estimates for each of the phases
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Vulnerability Identification Focus Areas Authentication: Input Validation: Authentication Bypass Cross Site Scripting Poor Password Strength Cross Site Request Forgery No Account Lockout SQL Injection No Logout functionality Buffer Overflow File Upload Authorization: Code Injection Privilege Escalation Forceful Browsing Cryptography: Weak SSL Session Management: Weak Encryption Key Session Fixation Unencrypted Sensitive Data (Eg: Improper Session Expiration Passwords, Cookies) Session time out too long
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Vulnerability Identification Focus Areas Information Leakage: System Configuration: Error Messages Default Passwords HTML Comments Default Pages Source Code Disclosure Default Error Messages Enabled Cross Frame Spoofing Unpatched Software Server Platform Info Leak HTTP Methods Enabled Sensitive Data Revealed Note: This is not exhaustive list of vulnerabilities. More vulnerabilities will be added to the list based on the technology/requirement/latest threats.
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Vulnerability Identification Vulnerability Testing Phases Exhaustive manual penetration testing on the application and vulnerability focus areas Automatic scanning of application using tools and analysis of the results for false positives Identification of list of application vulnerabilities from manual and automation testing results Tools HTTP Proxy tool (Eg: Burp Suite tools, HTTPWatch, Tamper IE, Paros, WebScarab etc) Web Application Scanner(Eg: Burp Suite Scanner, Appscan, Web Inspect etc) Web Service Testing tool (SoapUI etc) SSL version and SSL key strength enumeration tools (Cygwin OpenSSL, Foundstone SSLDigger etc) Frameworks for exploitation (Metasploit, Core Impact etc) Note: More tools will be added to the list based on the technology or need or latest advancements.
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Exploitation Applicable attacks will be performed on the identified application vulnerabilities without causing much damage to the application resources and infrastructure. This phase helps to assess RISK of a vulnerability more accurately. Resources for exploitation Exploit frameworks (Metasploit, Core Impact etc) Open source scripts and tools Custom scripts (using Python, Perl etc)
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Risk Analysis and Remediation Suggestion Risk Analysis Estimation of the Likelihood of attack Estimation of the Impact of a successful attack Evaluate overall RISK of the vulnerability Risk = Likelihood * Impact OWASP Risk Rating Methodology is used as a guidance. Ref: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Remediation Suggestion Remediation measures will be suggested for each vulnerability identified. Priority for remediation will be suggested based on the risk rating of the vulnerability
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Report Template Brief summary of the Network Brief description of the application includes name, version, platform details and functionality etc. Network Security Summary report Brief description of the overall security status and the list of major security vulnerabilities identified. Vulnerability details for each identified vulnerability: Vulnerability Classification and Name Description of the vulnerability Vulnerability details Remediation Suggestions Vulnerability Risk Rating (Likelihood, Impact, Overall Risk)
© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Security as a Service http://www.imaginea.com reachus@imaginea.com

Recommandé

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 

Recommandé

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Command injection
Command injectionCommand injection
Command injectionpenetration Tester
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISNull Bhubaneswar
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Vapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) servicesVapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) servicesAkshay Kurhade
 
Security testing
Security testingSecurity testing
Security testingRihab Chebbah
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 

Contenu connexe

Tendances

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Vapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) servicesVapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) servicesAkshay Kurhade
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 

Tendances (20)

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Application Security
Application SecurityApplication Security
Application Security
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Security testing
Security testingSecurity testing
Security testing
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Command injection
Command injectionCommand injection
Command injection
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Vapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) servicesVapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) services
 
Security testing
Security testingSecurity testing
Security testing
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 

En vedette

Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga 0xdec0de
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
QA/Test Engineering Perspectives
QA/Test Engineering PerspectivesQA/Test Engineering Perspectives
QA/Test Engineering PerspectivesRoopesh Kohad
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Ishan Girdhar
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyRapid7
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Reportbtpsec
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREADchuckbt
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
E Marketing Powerpoint
E Marketing PowerpointE Marketing Powerpoint
E Marketing PowerpointPETITROBOT
 
Online Marketing Presentation
Online Marketing PresentationOnline Marketing Presentation
Online Marketing PresentationWindhill Design
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 

En vedette (20)

Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Vtb final
Vtb finalVtb final
Vtb final
 
QA/Test Engineering Perspectives
QA/Test Engineering PerspectivesQA/Test Engineering Perspectives
QA/Test Engineering Perspectives
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD Methodology
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
E Marketing Powerpoint
E Marketing PowerpointE Marketing Powerpoint
E Marketing Powerpoint
 
Online Marketing Presentation
Online Marketing PresentationOnline Marketing Presentation
Online Marketing Presentation
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Online Marketing
Online MarketingOnline Marketing
Online Marketing
 

Similaire à Web application penetration testing

Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02Bố Su
 
Pangolin Datasheet
Pangolin DatasheetPangolin Datasheet
Pangolin Datasheetmattotamhe
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
Super User or Super Threat?
Super User or Super Threat?Super User or Super Threat?
Super User or Super Threat?ObserveIT
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomQConLondon2008
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenInman News
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixSBWebinars
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactTom Eston
 

Similaire à Web application penetration testing (20)

Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
 
Novinky F5
Novinky F5Novinky F5
Novinky F5
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
 
Pangolin Datasheet
Pangolin DatasheetPangolin Datasheet
Pangolin Datasheet
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
Super User or Super Threat?
Super User or Super Threat?Super User or Super Threat?
Super User or Super Threat?
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt Cohen
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at Netflix
 
Intro to Force.com Webinar presentation
Intro to Force.com Webinar presentationIntro to Force.com Webinar presentation
Intro to Force.com Webinar presentation
 
Introduction to Force.com Webinar
Introduction to Force.com WebinarIntroduction to Force.com Webinar
Introduction to Force.com Webinar
 
How websites are attacked
How websites are attackedHow websites are attacked
How websites are attacked
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 

Plus de Imaginea

Require JS
Require JSRequire JS
Require JSImaginea
 
Scala and lift
Scala and liftScala and lift
Scala and liftImaginea
 
Imaginea Service Sheet - Performance Engineering
Imaginea Service Sheet - Performance EngineeringImaginea Service Sheet - Performance Engineering
Imaginea Service Sheet - Performance EngineeringImaginea
 
Imaginea Service Sheet - Interaction Design
Imaginea Service Sheet - Interaction DesignImaginea Service Sheet - Interaction Design
Imaginea Service Sheet - Interaction DesignImaginea
 
Imaginea - SugarCRM iPhone App - User Guide
Imaginea - SugarCRM iPhone App - User GuideImaginea - SugarCRM iPhone App - User Guide
Imaginea - SugarCRM iPhone App - User GuideImaginea
 
Offline Enterprise and Web Apps: Dekoh Approach
Offline Enterprise and Web Apps: Dekoh ApproachOffline Enterprise and Web Apps: Dekoh Approach
Offline Enterprise and Web Apps: Dekoh ApproachImaginea
 
Imaginea Scales Application using Amazon EC2
Imaginea Scales Application using Amazon EC2Imaginea Scales Application using Amazon EC2
Imaginea Scales Application using Amazon EC2Imaginea
 
Whitepaper Cloud Egovernance Imaginea
Whitepaper Cloud Egovernance ImagineaWhitepaper Cloud Egovernance Imaginea
Whitepaper Cloud Egovernance ImagineaImaginea
 
Imaginea - Ideas to Life - About Us
Imaginea - Ideas to Life - About UsImaginea - Ideas to Life - About Us
Imaginea - Ideas to Life - About UsImaginea
 
Imaginea_CloudComputing_Services
Imaginea_CloudComputing_ServicesImaginea_CloudComputing_Services
Imaginea_CloudComputing_ServicesImaginea
 
Imaginea_Product Engineering_Services
Imaginea_Product Engineering_ServicesImaginea_Product Engineering_Services
Imaginea_Product Engineering_ServicesImaginea
 
Scaling Databases On The Cloud
Scaling Databases On The CloudScaling Databases On The Cloud
Scaling Databases On The CloudImaginea
 
Imaginea Cloud Offerings
Imaginea Cloud OfferingsImaginea Cloud Offerings
Imaginea Cloud OfferingsImaginea
 
Soa Offerings
Soa OfferingsSoa Offerings
Soa OfferingsImaginea
 
Sharing on Dekoh - Our RIA Desktop Platform
Sharing on Dekoh - Our RIA Desktop PlatformSharing on Dekoh - Our RIA Desktop Platform
Sharing on Dekoh - Our RIA Desktop PlatformImaginea
 
Scaing databases on the cloud
Scaing databases on the cloudScaing databases on the cloud
Scaing databases on the cloudImaginea
 
Product QA - A test engineering perspective
Product QA - A test engineering perspectiveProduct QA - A test engineering perspective
Product QA - A test engineering perspectiveImaginea
 
Facebook Olympics
Facebook OlympicsFacebook Olympics
Facebook OlympicsImaginea
 
Process Guidelines V2
Process Guidelines V2Process Guidelines V2
Process Guidelines V2Imaginea
 
Migrating to Cloud - A Step by Step
Migrating to Cloud - A Step by Step Migrating to Cloud - A Step by Step
Migrating to Cloud - A Step by Step Imaginea
 

Plus de Imaginea (20)

Require JS
Require JSRequire JS
Require JS
 
Scala and lift
Scala and liftScala and lift
Scala and lift
 
Imaginea Service Sheet - Performance Engineering
Imaginea Service Sheet - Performance EngineeringImaginea Service Sheet - Performance Engineering
Imaginea Service Sheet - Performance Engineering
 
Imaginea Service Sheet - Interaction Design
Imaginea Service Sheet - Interaction DesignImaginea Service Sheet - Interaction Design
Imaginea Service Sheet - Interaction Design
 
Imaginea - SugarCRM iPhone App - User Guide
Imaginea - SugarCRM iPhone App - User GuideImaginea - SugarCRM iPhone App - User Guide
Imaginea - SugarCRM iPhone App - User Guide
 
Offline Enterprise and Web Apps: Dekoh Approach
Offline Enterprise and Web Apps: Dekoh ApproachOffline Enterprise and Web Apps: Dekoh Approach
Offline Enterprise and Web Apps: Dekoh Approach
 
Imaginea Scales Application using Amazon EC2
Imaginea Scales Application using Amazon EC2Imaginea Scales Application using Amazon EC2
Imaginea Scales Application using Amazon EC2
 
Whitepaper Cloud Egovernance Imaginea
Whitepaper Cloud Egovernance ImagineaWhitepaper Cloud Egovernance Imaginea
Whitepaper Cloud Egovernance Imaginea
 
Imaginea - Ideas to Life - About Us
Imaginea - Ideas to Life - About UsImaginea - Ideas to Life - About Us
Imaginea - Ideas to Life - About Us
 
Imaginea_CloudComputing_Services
Imaginea_CloudComputing_ServicesImaginea_CloudComputing_Services
Imaginea_CloudComputing_Services
 
Imaginea_Product Engineering_Services
Imaginea_Product Engineering_ServicesImaginea_Product Engineering_Services
Imaginea_Product Engineering_Services
 
Scaling Databases On The Cloud
Scaling Databases On The CloudScaling Databases On The Cloud
Scaling Databases On The Cloud
 
Imaginea Cloud Offerings
Imaginea Cloud OfferingsImaginea Cloud Offerings
Imaginea Cloud Offerings
 
Soa Offerings
Soa OfferingsSoa Offerings
Soa Offerings
 
Sharing on Dekoh - Our RIA Desktop Platform
Sharing on Dekoh - Our RIA Desktop PlatformSharing on Dekoh - Our RIA Desktop Platform
Sharing on Dekoh - Our RIA Desktop Platform
 
Scaing databases on the cloud
Scaing databases on the cloudScaing databases on the cloud
Scaing databases on the cloud
 
Product QA - A test engineering perspective
Product QA - A test engineering perspectiveProduct QA - A test engineering perspective
Product QA - A test engineering perspective
 
Facebook Olympics
Facebook OlympicsFacebook Olympics
Facebook Olympics
 
Process Guidelines V2
Process Guidelines V2Process Guidelines V2
Process Guidelines V2
 
Migrating to Cloud - A Step by Step
Migrating to Cloud - A Step by Step Migrating to Cloud - A Step by Step
Migrating to Cloud - A Step by Step
 

Dernier

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Dernier (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Web application penetration testing

  • 1. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Information Security Group (ISG) Web Application Penetration Testing reachus@imaginea.com
  • 2. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Web Application Penetration Testing Overview Web Application Penetration Assessment looks from the perspective of a malicious hacker and finds the holes before they can be exploited. We rely on a detailed and well-established manual testing methodology for accuracy and effectiveness. Open source and commercial tools will be used to automate many routine security testing tasks.
  • 3. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Penetration Testing Methodology Step 1 • Information Gathering Step 2 • Analysis and Planning Step 3 • Vulnerability Identification Step 4 • Exploitation Step 5 • Risk Analysis and Remediation Suggestion Step 6 • Reporting
  • 4. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Information Gathering Template Information Required Data Application Name (Eg: LeanTaas) What is the type of the application? (Static / Dynamic / Applets / Web Services) Provide application URL What are all the application user roles? (Eg: User, Administrator, Manager) Is the application used by multiple clients? (Yes/No) If Yes, provide credentials for at least two clients Provide at least two sets of credentials for each user role Specify scope of the test (Internal application functionality and URLs to be tested) Provide application User Manual/ Help documents
  • 5. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Analysis and Planning Analysis Verification of gathered template information Client communication for clarifications Understanding the application functionality Identification of critical application components and corresponding vulnerabilities to be tested Planning Test modularization based on functionality or vulnerability focus areas Plan for automation testing phase Plan for exploitation phase Plan for risk analysis and reporting phases Time estimates for each of the phases
  • 6. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Vulnerability Identification Focus Areas Authentication: Input Validation: Authentication Bypass Cross Site Scripting Poor Password Strength Cross Site Request Forgery No Account Lockout SQL Injection No Logout functionality Buffer Overflow File Upload Authorization: Code Injection Privilege Escalation Forceful Browsing Cryptography: Weak SSL Session Management: Weak Encryption Key Session Fixation Unencrypted Sensitive Data (Eg: Improper Session Expiration Passwords, Cookies) Session time out too long
  • 7. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Vulnerability Identification Focus Areas Information Leakage: System Configuration: Error Messages Default Passwords HTML Comments Default Pages Source Code Disclosure Default Error Messages Enabled Cross Frame Spoofing Unpatched Software Server Platform Info Leak HTTP Methods Enabled Sensitive Data Revealed Note: This is not exhaustive list of vulnerabilities. More vulnerabilities will be added to the list based on the technology/requirement/latest threats.
  • 8. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Vulnerability Identification Vulnerability Testing Phases Exhaustive manual penetration testing on the application and vulnerability focus areas Automatic scanning of application using tools and analysis of the results for false positives Identification of list of application vulnerabilities from manual and automation testing results Tools HTTP Proxy tool (Eg: Burp Suite tools, HTTPWatch, Tamper IE, Paros, WebScarab etc) Web Application Scanner(Eg: Burp Suite Scanner, Appscan, Web Inspect etc) Web Service Testing tool (SoapUI etc) SSL version and SSL key strength enumeration tools (Cygwin OpenSSL, Foundstone SSLDigger etc) Frameworks for exploitation (Metasploit, Core Impact etc) Note: More tools will be added to the list based on the technology or need or latest advancements.
  • 9. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Exploitation Applicable attacks will be performed on the identified application vulnerabilities without causing much damage to the application resources and infrastructure. This phase helps to assess RISK of a vulnerability more accurately. Resources for exploitation Exploit frameworks (Metasploit, Core Impact etc) Open source scripts and tools Custom scripts (using Python, Perl etc)
  • 10. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Risk Analysis and Remediation Suggestion Risk Analysis Estimation of the Likelihood of attack Estimation of the Impact of a successful attack Evaluate overall RISK of the vulnerability Risk = Likelihood * Impact OWASP Risk Rating Methodology is used as a guidance. Ref: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Remediation Suggestion Remediation measures will be suggested for each vulnerability identified. Priority for remediation will be suggested based on the risk rating of the vulnerability
  • 11. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Report Template Brief summary of the Network Brief description of the application includes name, version, platform details and functionality etc. Network Security Summary report Brief description of the overall security status and the list of major security vulnerabilities identified. Vulnerability details for each identified vulnerability: Vulnerability Classification and Name Description of the vulnerability Vulnerability details Remediation Suggestions Vulnerability Risk Rating (Likelihood, Impact, Overall Risk)
  • 12. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners. Security as a Service http://www.imaginea.com reachus@imaginea.com