NETSOL’s Cyber Security Team employs a comprehensive Vulnerability Assessment & Penetration Testing approach, utilizing manual and automated analysis for Web Applications, Mobile Applications, and Network Devices. Our manual research aligns with the testing guide recommended by OWASP standards, ensuring a thorough analysis of your AWS-based assets. By harnessing the power of AWS, we are able to perform in-depth security posture assessments. Our VAPT methodology is tailored for AWS environments and follows a robust delivery approach for cloud platforms, including Application Security Analysis, Network Ports & Services Discovery, Vulnerability Assessment Analysis, Automated Vulnerability Assessments, Manual Vulnerability Assessments, as well as Penetration Testing encompassing exploitation and post-exploitation activities.

Outlined below are the specific VAPT activities conducted by our team for Web Applications, Mobile Applications, and Network Devices on the AWS Cloud.

Web Applications VAPT:

• Vulnerability Assessment using Automated Testing Tools to identify OWASP’s Top 10 vulnerabilities

• Assessment of AWS-specific components, such as S3 buckets, API security, and IAM permissions

• SSL / TLS audit

    * Detection of SSL version 2 and 3 
  
    * Weak hashing algorithms 
  
    * Use of RC4 and CBC ciphers 
  
    * Logjam issue 
  
    * Sweet32 issue 
  
    * Certificate expiry 
  
    * OpenSSL ChangeCipherSec issue 
  
    * POODLE vulnerability 
  
    * OpenSSL heartbleed issue 
  
    * Lucky 13 and Beast Issue
  

• Directory Enumeration

• Sub-domain hunting

• Parameter Tampering

• OWASP Vulnerabilities Testing

    * SQL Injection (Boolean, Blind, Time-based, Error-based) 
    * Command Injection 
    * Brute Force 
    * Buffer Overflow  
    * Clickjacking 
    * XSS (Reflected, Stored, DOM) 
    * DOS (Denial-Of-Service) 
    * Session Hijacking 
    * Full Path Disclosure 
    * Sensitive Data Disclosure 
    * RCE (Remote Code Execution) 
    * File Inclusion 
    * Local File Inclusion 
    * Remote File Inclusion 
    * Path Traversal 
    * CSRF (Client-Side Request Forgery) 
    * SSRF (Server-Side Request Forgery) 
    * Business Logical Flaws 
    * Broken Authentication 
    * XXE (XML External Entities) 
    * Components with known vulnerabilities
  

• Hunt for Exploits

Mobile Applications VAPT:

• Root Detection Bypass
• SSL Pinning Bypass
• Source Code Analyses (Static Application Security Testing)
• Reverse Engineering
• Manual Testing / Dynamic Application Security Testing
• SSL / TLS audit
• Testing mobile applications built on AWS, including support for serverless backends, AWS Cognito, and AWS Amplify

Network Devices VAPT:

• Identify host details
• Identify open ports
• Identify versions and services
• Automated testing
• SSL / TLS audit
• Hunt for vulnerabilities
• Manually exploit vulnerabilities

DELIVERABLES:

Our detailed VAPT report includes:

• Vulnerability Severity (High, Medium, Low)
• Vulnerability rating
• Proof of Concept (POCs)
• Description of Vulnerabilities
• Remediation of Vulnerabilities