What is Black Box Testing?
Black box testing simulates a skilled attack, using the techniques and tools an attacker would use to detect security vulnerabilities and exploit them.
Our experts will simulate a real attack on the application. The testing process covers a wide range of application-level vulnerabilities, as defined by OWASP and WASC, targeting the potentially harmful vulnerabilities in your application.
The testing process will reveal the vulnerabilities found, the potential damage from exploiting them, and their severity.
The detailed report you receive will include recommendations that will assist you in securing your systems and protecting your company's assets and integrity.
Vulnerabilities Covered
All application-level vulnerabilities will be covered in the context of a Black Box test. Specifically, the testing methodologies used are OWASP and WASC, which provide full coverage of application-level vulnerabilities. Some of the covered attacks:
- SQL Injection – taking control over the database
- Hidden Backdoors – used by attackers to easily infiltrate the system over and over
- Cross-site Scripting – injecting malicious code into innocent users' browsers
- Cross-site Request Forgery – impersonating an innocent user and performing actions in their name
- Bypassing Authentication – taking over user and administrator accounts
- Authorization Breaches – performing unauthorized actions and accessing unauthorized information
- Bypassing Crypto – allowing unauthorized people to view confidential and private information
- Open Redirects – an open door to phishing attacks and scams
- Command Injection – injecting commands into a remote server and taking it over
- Forceful Browsing – bypassing restrictions and performing unauthorized actions
- Bypassing Business-Logic Restrictions – performing application-specific actions that are not authorized by the company’s regulations
- LFI/RFI – injecting malicious code into a vulnerable application
- Denial of Service – making the application unavailable to remote users
What is Gray Box testing?
In addition to the automatic and manual tools used to perform a full, comprehensive Black Box test, the auditor has another tool: access to the system's internal structures and code. Gray Box is a Black Box test, in which an auditor simulates a real, skilled attacker, combined with a White Box test, in which a highly experienced auditor looks for insecure code that can put the application in jeopardy.
A Gray Box test provides a full system inspection from both the developer's perspective and a real malicious hacker's perspective. It provides full coverage of a wide variety of vulnerabilities and enumerates all potential risks to a given system.
Vulnerabilities Covered
A Gray Box test is a full, comprehensive test that finds the vulnerabilities relevant to both a White Box test and a Black Box test. The testing methodologies are the OWASP and WASC methodologies, which cover a wide range of application security vulnerabilities. Some of the covered vulnerabilities:
- SQL Injection – taking control over the database
- Hidden Backdoors – used by attackers to easily infiltrate the system over and over
- Cross-Site Scripting (XSS) – injecting malicious code into innocent users' browsers
- Cross-Site Request Forgery (CSRF) – impersonating an innocent user and performing actions in their name
- Bypassing Authentication – taking over user and administrator accounts
- Authorization Breaches – performing unauthorized actions and accessing unauthorized information
- Bypassing Crypto – allowing unauthorized people to view confidential and private information
- Open Redirects – an open door to phishing attacks and scams
- Command Injection – injecting commands into a remote server and taking it over
- Forceful Browsing – bypassing restrictions and performing unauthorized actions
- Bypassing Business-Logic Restrictions – performing application-specific actions that are not authorized by the company’s regulations
- LFI/RFI – injecting malicious code into a vulnerable application
- Denial of Service – making the application unavailable to remote users
What is Code Review?
Security code review is an in-depth analysis of the application's code, aimed at detecting security vulnerabilities by inspecting the actual code of a given system. It is used to detect security bugs, reveal hidden backdoors in the code and reach full coverage of a given system's vulnerabilities. The review will attempt to find weaknesses whose source is insufficient secure coding policies, business logic flaws, internal structures and the system's design.
Whether used to detect security bugs as a thorough alternative to a penetration test or as the means of detecting backdoors in the code, security code review is a complicated task that must be performed by a highly experienced auditor. We provide exactly that.
Secure Coding Best Practices
Vulnerabilities are discovered according to the OWASP and WASC methodologies. A partial list of the areas reviewed:
- User authentication
- Authorizations
- Input validation mechanisms
- Configuration data protection
- Information confidentiality
- Information integrity
- Cryptography and key management
- Password policy
- Session management
- System administration interface protection
- Secure access to databases
- Endpoint protection for sensitive data
- Runtime error management
- Auditing & logging