Penetration Testing by Commit

Commit will perform server-side penetration testing on the application layer, based on the grey and blackbox methodologies, with the following elements:

• Penetration testing with one test run for up to 10 APIs on one web application
• Coverage of full OWASP Top10 security risks
• Coverage of identification of OWASP Top 10 security risks in business logic flows
• Coverage of potential organization data leakage vectors based on different privilege user level (users,admins,anonymous)
• Coverage of testing all user inputs and data passing across systems/sub-systems correctly handling the following known vulnerabilities:
  • Non-validated input (i.e. input fields shall conform to desired formats)
  • Broken access control.
  • Broken authentication and session management (i.e. account credentials and session cookies)
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Buffer overflows.
  • Injection vulnerability flaws (e. SQL injection, command injection etc);
  • Race conditions.
  • Improper error/exception handling.
  • Insecure storage.
  • Denial of service.
  • Misconfigurations and insecure configurations
    • Identifying headers that can make a hacker’s job easier of identifying your stack and software versions.
    • Usage of GET requests with sensitive data or tokens in the URL as these will be logged on servers and proxies.
    • Unproper TLS usage for the entire site, not just login forms and responses.
    • Usage of non httpOnly response
    • Usage of GET requests with sensitive data or tokens in the URL
    • Potential Path Traversal
    • Falsification of session tokens and API’s authentication mechanism