Website Pentest
A pentest carried out on one or more web applications.
The auditor tests the security of the various technological bricks:
- Web server security audit
- Security misconfigurations of the CMS or framework used
- Vulnerability research on components (with known exploits or 0day)
- Exploitation of TOP 10 OWASP type vulnerabilities on the web application
The audit is carried out in several phases
Passive reconnaissance (consolidation of the attack surface, information gathering)
Active reconnaissance (identification of accessible services)
Identification and exploitation of vulnerabilities
Determination of the real impact of flaws
Deliverables writing
Different penetration testing scenarios exist
Black box
Grey box
The auditor is assigned one or more accounts on the application to evaluate the permission model and test feature benefits.
White box
The auditor has as much information and access to the application and its infrastructure as possible in order to be as exhaustive as possible in the search for vulnerabilities.
In which cases to choose the intrusion test of website?
Assess the security level of a website.
Validate that the new functionalities developed or a new version of the website are in line with the standards and good practices of secure development.
Make sure there are no leaks of personal information.
Audit the permissions model between different accounts that may have different privilege levels.
Discover the adventures of Jean le pentester on a website intrusion test for a more colorful description.
Mission organization
An initiation meeting makes it possible to identify the needs and scope of the mission, as well as any constraints.
A legal mandate between the different parties is published in order to supervise DSecBypass‘s audit service.
The consultant in charge of the mission can be reached at any time during its execution and informs the customer in the event of a critical discovery.
Penetration test results
The deliverables of the mission include a report as well as two optional restitutions.
The report includes a summary of the results as well as the details of the identified vulnerabilities and recommendations.
The technical restitution is an opportunity for the consultant to present his approach and his results in an interactive way, and to discuss with the client and his teams on the action plan. Managerial restitution makes it possible to address an executive audience.