Web APPs & APIs

Web applications are critical for modern businesses but pose significant risks. Enfoa’s Web Application Penetration Testing thoroughly evaluates your web apps’ security, identifying exploitable vulnerabilities. Using advanced methodologies, we simulate real-world attacks to ensure no vulnerability is overlooked.

On the other hand, Application Programming Interfaces (APIs) are fundamental for enabling seamless communication between different software components. However, they can also expose vulnerabilities that may be exploited to compromise the integrity of your systems and data. Our API Penetration Testing service aims to assess the security of your APIs and ensure they adhere to industry best practices.

Public Reconnaissance

• Perform a Google Dorks search
• Perform OSINT

Fingerprinting Web Server

• Find the type of Web Server
• Find the version details of the Web Server

Looking For Metafiles

• View the robots.txt file
• View the sitemap.xml file
• View the humans.txt file
• View the security.txt file

Enumerating Web Server’s Applications

• Enumerating with Nmap
• Enumerating with Netcat
• Perform a DNS lookup
• Perform a Reverse DNS lookup

Review The Web Contents

• Inspect the page source for sensitive info
• Try to find sensitive Javascript codes
• Try to find any keys
• Make sure the autocomplete is disabled

Identifying Application’s Entry Points

• Identify what the methods used are
• Identify where the methods used are
• Identify the injection point

Fingerprint Web Application Framework

• View URL extensions
• View HTML source code
• View the cookie parameter
• View the HTTP headers

Map Application Architecture

• Map the overall site structure

Network Configuration

• Check the network configuration
• Check for default settings
• Check for default credentials

Application Configuration

• Ensure only required modules are used
• Ensure unwanted modules are disabled
• Check how the application is handling 4xx & 5xx errors
• Check for the privilege required to run
• Check logs for sensitive info

File Extension Handling

• Ensure the server won’t return sensitive extensions
• Ensure the server won’t accept malicious extensions
• Test for file upload vulnerabilities

Review Backup & Unreferenced Files

• Ensure unreferenced files don’t contain any sensitive info
• Ensure the naming of old and new backup files
• Check the functionality of unreferenced pages

Enumerate Infrastructure & Admin Interfaces

• Try to find the infrastructure interface
• Try to find the admin interface
• Identify the hidden admin functionalities

HTTP Methods

• Discover the supported methods
• Ensure the PUT method is disabled
• Ensure the OPTIONS method is disabled
• Test access control bypass
• Test for XST attacks
• Test for HTTP method overriding

HSTS

• Ensure HSTS is enabled

RIA Cross Domain Policy

• Check for Adobe’s cross domain policy
• Ensure it has the least privilege

File Permissions

• Ensure the permissions for sensitive files
• Test for directory enumeration

Subdomain Takeover

• Test DNS, A, and CNAME records for subdomain takeover
• Test NS records for subdomain takeover
• Test 404 response for subdomain takeover

Cloud Storage

• Check the sensitive paths of AWS
• Check the sensitive paths of Google Cloud
• Check the sensitive paths of Azure

Role Definitions

• Test for Forced Browsing
• Test for IDOR (Insecure Direct Object Reference)
• Test for parameter tampering
• Ensure low-privilege users can’t able to access high-privilege resources

User Registration Process

• Ensure the same user or identity can’t register again and again
• Ensure the registrations are verified
• Ensure disposable email addresses are rejected
• Check what proof is required for successful registration

Account Provisioning Process

• Check the verification for the provisioning process
• Check the verification for the de-provisioning process
• Check the provisioning rights for an admin user to other users
• Check whether a user can de-provision themself or not
• Check for the resources of a de-provisioned user

Account Enumeration

• Check the response when a valid username and password entered
• Check the response when a valid username and an invalid password entered
• Check the response when an invalid username and password entered
• Ensure the rate-limiting functionality is enabled in username and password fields

Weak Username Policy

• Check the response for both valid and invalid usernames
• Check for username enumeration

Unencrypted Channel

• Check for the HTTP login page
• Check for the HTTP register or sign-in page
• Check for HTTP forgot password page
• Check for HTTP change password
• Check for resources on HTTP after logout
• Test for forced browsing to HTTP pages

Default Credentials

• Test with default credentials
• Test organization name as credentials
• Test for response manipulation
• Test for the default username and a blank password
• Review the page source for credentials

Weak Lockout Mechanism

• Ensure the account has been locked after 3-5 incorrect attempts
• Ensure the system accepts only the valid Captcha
• Ensure the system rejects the invalid Captcha
• Ensure the Captcha code is regenerated after reloading
• Ensure Captcha reloads after entering the wrong code
• Ensure the user has a recovery option for a lockout account

Bypassing Authentication Schema

• Test forced browsing directly to the internal dashboard without login
• Test for session ID prediction
• Test for authentication parameter tampering
• Test for SQL injection on the login page
• Test to gain access with the help of session ID
• Test multiple logins allowed or not

Vulnerable Remember Password

• Ensure that the stored password is encrypted
• Ensure that the stored password is on the server-side

Browser Cache Weakness

• Ensure proper cache control is set on sensitive pages
• Ensure no sensitive data is stored in the browser cache storage

Weak Password Policy

• Ensure the password policy is set to strong
• Check for password reusability
• Check that the user is prevented from using his username as a password
• Check for the usage of common weak passwords
• Check the minimum password length to be set
• Check the maximum password length to be set

Weak Security Questions

• Check for the complexity of the questions
• Check for brute-forcing

Weak Password Reset Function

• Check what information is required to reset the password
• Check for password reset function with HTTP
• Test the randomness of the password reset tokens
• Test the uniqueness of the password reset tokens
• Test for rate limiting on password reset tokens
• Ensure the token must expire after being used
• Ensure the token must expire after not being used for a long time

Weak Password Change Function

• Check if the old password asked to make a change
• Check for the uniqueness of the forgotten password
• Check for blank password change
• Check for password change function with HTTP
• Ensure the old password is not displayed after changed
• Ensure the other sessions got destroyed after the password change

Weak Authentication In Alternative Channel

• Test authentication on the desktop browsers
• Test authentication on the mobile browsers
• Test authentication in a different country
• Test authentication in a different language
• Test authentication on desktop applications
• Test authentication on mobile applications

Directory Traversal File Include

• Identify the injection point on the URL
• Test for Local File Inclusion
• Test for Remote File Inclusion
• Test Traversal on the URL parameter
• Test Traversal on the cookie parameter

Traversal With Encoding

• Test Traversal with Base64 encoding
• Test Traversal with URL encoding
• Test Traversal with ASCII encoding
• Test Traversal with HTML encoding
• Test Traversal with Hex encoding
• Test Traversal with Binary encoding
• Test Traversal with Octal encoding
• Test Traversal with Gzip encoding

Traversal With Different OS Schemes

• Test Traversal with Unix schemes
• Test Traversal with Windows schemes
• Test Traversal with Mac schemes

Other Encoding Techniques

• Test Traversal with Double encoding
• Test Traversal with all characters encode
• Test Traversal with only special characters encode

Authorization Schema Bypass

• Test for Horizontal authorization schema bypass
• Test for Vertical authorization schema bypass
• Test override the target with custom headers

Privilege Escalation

• Identify the injection point
• Test for bypassing the security measures
• Test for forced browsing
• Test for IDOR
• Test for parameter tampering to high privileged user

Insecure Direct Object Reference

• Test to change the ID parameter
• Test to add parameters at the endpoints
• Test for HTTP parameter pollution
• Test by adding an extension at the end
• Test with outdated API versions
• Test by wrapping the ID with an array
• Test by wrapping the ID with a JSON object
• Test for JSON parameter pollution
• Test by changing the case
• Test for path traversal
• Test by changing words
• Test by changing methods

Session Management Schema

• Ensure all Set-Cookie directives are secure
• Ensure no cookie operation takes place over an unencrypted channel
• Ensure the cookie can’t be forced over an unencrypted channel
• Ensure the HTTPOnly flag is enabled
• Check if any cookies are persistent
• Check for session cookies and cookie expiration date/time
• Check for session fixation
• Check for concurrent login
• Check for session after logout
• Check for the session after closing the browser
• Try decoding cookies (Base64, Hex, URL, etc.)

Cookie Attributes

• Ensure the cookie must be set with the secure attribute
• Ensure the cookie must be set with the path attribute
• Ensure the cookie must have the HttpOnly flag

Session Fixation

• Ensure new cookies have been issued upon a successful authentication
• Test manipulating the cookies

Exposed Session Variables

• Test for encryption
• Test for GET and POST vulnerabilities
• Test if the GET request incorporating the session ID used
• Test by interchanging POST with GET method

Back Refresh Attack

• Test after password change
• Test after logout

Cross-Site Request Forgery

• Check if the token is validated on the server side or not
• Check if the token is validated for full or partial length
• Check by comparing the CSRF tokens for multiple dummy accounts
• Check CSRF by interchanging POST with the GET method
• Check CSRF by removing the CSRF token parameter
• Check CSRF by removing the CSRF token and using a blank parameter
• Check CSRF by using unused tokens
• Check CSRF by replacing the CSRF token with its own values
• Check CSRF by changing the content type to form-multipart
• Check CSRF by changing or deleting some characters of the CSRF token
• Check CSRF by changing the referrer to Referrer
• Check CSRF by changing the host values
• Check CSRF alongside clickjacking

Logout Functionality

• Check the logout function on different pages
• Check for the visibility of the logout button
• Ensure that after logout the session was ended
• Ensure that after logout we can’t able to access the dashboard by pressing the back button
• Ensure proper session timeout has been set

Session Timeout

• Ensure there is a session timeout exists
• Ensure that after the timeout, all of the tokens are destroyed

Session Puzzling

• Identify all the session variables
• Try to break the logical flow of the session generation

Session Hijacking

• Test session hijacking on target that doesn’t have HSTS enabled
• Test by login with the help of captured cookies

Reflected Cross-Site Scripting

• Ensure these characters are filtered ‘<>’’&”””
• Test with a character escape sequence
• Test by replacing ‘<‘ and ‘>’ with HTML entities ‘<‘ and ‘>’
• Test payload with both lower and upper case
• Test to break firewall regex by new line ‘/r/n’
• Test with double encoding
• Test with recursive filters
• Test injecting anchor tags without whitespace
• Test by replacing whitespace with bullets
• Test by changing HTTP methods

Stored Cross-Site Scripting

• Identify stored input parameters that will reflect on the client-side
• Look for input parameters on the profile page
• Look for input parameters on the shopping cart page
• Look for input parameters on the file upload page
• Look for input parameters on the settings page
• Look for input parameters on the forum, comment page
• Test uploading a file with XSS payload as its file name
• Test with HTML tags

HTTP Parameter Pollution

• Identify the backend server and parsing method used
• Try to access the injection point
• Try to bypass the input filters using HTTP Parameter Pollution

SQL Injection

• Test SQL Injection on authentication forms
• Test SQL Injection on the search bar
• Test SQL Injection on editable characteristics
• Try to find SQL keywords or entry point detections
• Try to inject SQL queries
• Use Google dorks to find the SQL keywords
• Try GET-based SQL injection
• Try POST-based SQL injection
• Try COOKIE-based SQL injection
• Try HEADER-based SQL injection
• Try SQL Injection with null bytes before the SQL query
• Try SQL Injection with URL encoding
• Try SQL Injection with both lower and upper cases
• Try SQL Injection with SQL Tamper scripts
• Try SQL Injection with SQL Time delay payloads
• Try SQL Injection with SQL Conditional delays
• Try SQL Injection with Boolean-based SQL
• Try SQL Injection with Time based SQL

LDAP Injection

• Use LDAP search filters
• Try LDAP Injection for access control bypass

XML Injection

• Check if the application is using XML for processing
• Identify the XML injection point by XML metacharacter
• Construct XSS payload on top of XML

Server Side Includes

• Use Google dorks to find the SSI
• Construct RCE on top of SSI
• Construct other injections on top of SSI
• Test Injecting SSI on login pages, header fields, referrer, etc

XPATH Injection

• Identify the XPATH injection point
• Test for XPATH injection

IMAP SMTP Injection

• Identify IMAP SMTP injection point
• Understand the data flow
• Understand the deployment structure of the system
• Assess the injection impact

Local File Inclusion

• Look for LFI keywords
• Try to change the local path
• Use the LFI payload list
• Test LFI by adding a null byte at the end

Remote File Inclusion

• Look for RFI keywords
• Try to change the remote path
• Use the RFI payload list

Command Injection

• Identify the injection points
• Look for Command injection keywords
• Test command injection using different delimiters
• Test command injection with payload list
• Test command injection with different OS commands

Format String Injection

• Identify the injection points
• Use different format parameters as payloads
• Assess the injection impact

Host Header Injection

• Test for HHI by changing the real Host parameter
• Test for HHI by adding X-Forwarded Host parameter
• Test for HHI by swapping the real Host and X-Forwarded Host parameter
• Test for HHI by adding two Host parameters
• Test for HHI by adding the target values in front of the original values
• Test for HHI by adding the target with a slash after the original values
• Test for HHI with other injections on the Host parameter
• Test for HHI by password reset poisoning

Server-Side Request Forgery

• Look for SSRF keywords
• Search for SSRF keywords only under the request header and body
• Identify the Injection points
• Test if the Injection points are exploitable
• Assess the injection impact

Server Side Template Injection

• Identify the Template injection vulnerability points
• Identify the Templating engine
• Use the tplmap to exploit

Improper Error Handling

• Identify the error output
• Analyze the different outputs returned
• Look for common error-handling flaws
• Test error handling by modifying the URL parameter
• Test error handling by uploading unrecognized file formats
• Test error handling by entering unrecognized inputs
• Test error handling by making all possible errors

Weak Transport Layer Security

• Test for DROWN weakness on SSLv2 protocol
• Test for POODLE weakness on SSLv3 protocol
• Test for BEAST weakness on TLSv1.0 protocol
• Test for FREAK weakness on export cipher suites
• Test for Null ciphers
• Test for NOMORE weakness on RC4
• Test for LUCKY 13 weakness on CBC mode ciphers
• Test for CRIME weakness on TLS compression
• Test for LOGJAM on DHE keys
• Ensure the digital certificates should have at least 2048 bits of key length
• Ensure the digital certificates should have at least a SHA-256 signature algorithm
• Ensure the digital certificates should not use MDF and SHA-1
• Ensure the validity of the digital certificate
• Ensure the minimum key length requirements
• Look for weak cipher suites

Business Logic

• Identify the logic of how the application works
• Identify the functionality of all the buttons
• Test by changing the numerical values into high or negative values
• Test by changing the quantity
• Test by modifying the payments
• Test for parameter tampering

Malicious File Upload

• Test malicious file upload by uploading malicious files
• Test malicious file upload by putting your IP address on the file name
• Test malicious file upload by right-to-left override
• Test malicious file upload by encoded file name
• Test malicious file upload by XSS payload on the file name
• Test malicious file upload by RCE payload on the file name
• Test malicious file upload by LFI payload on the file name
• Test malicious file upload by RFI payload on the file name
• Test malicious file upload by SQL payload on the file name
• Test malicious file upload by other injections on the file name
• Test malicious file upload by Inserting the payload inside of an image
• Test malicious file upload by uploading large files (leads to DoS)

DOM Based Cross Site Scripting

• Try to identify DOM sinks
• Build payloads to that DOM sink type

URL Redirect

• Look for URL redirect parameters
• Test for URL redirection on domain parameters
• Test for URL redirection by using a payload list
• Test for URL redirection by using a whitelisted word at the end
• Test for URL redirection by creating a new subdomain with the same as the target
• Test for URL redirection by XSS
• Test for URL redirection by profile URL flaw

Cross Origin Resource Sharing

• Look for “Access-Control-Allow-Origin” on the response
• Use the CORS HTML exploit code for further exploitation

Clickjacking

• Ensure “X-Frame-Options” headers are enabled
• Exploit with iframe HTML code for PoC

No-Rate Limiting

• Ensure rate limiting is enabled
• Try to bypass rate limiting by changing the case of the endpoints
• Try to bypass rate limiting by adding ‘/” at the end of the URL
• Try to bypass rate limiting by adding HTTP headers
• Try to bypass rate limiting by adding HTTP headers twice
• Try to bypass rate limiting by adding Origin headers
• Try to bypass rate limiting by IP rotation
• Try to bypass rate limiting by using null bytes at the end
• Try to bypass rate limiting by using race conditions

EXIF Geodata

• Ensure the website is striping the geodata
• Test with EXIF checker

SPF

• Ensure the website is having SPF record
• Test SPF by nslookup command

Weak 2FA

• Try to bypass 2FA by using poor session management
• Try to bypass 2FA via the OAuth mechanism
• Try to bypass 2FA via brute-forcing
• Try to bypass 2FA via response manipulation
• Try to bypass 2FA by using activation links to login
• Try to bypass 2FA by using status code manipulation
• Try to bypass 2FA by changing the email or password
• Try to bypass 2FA by using a null or empty entry
• Try to bypass 2FA by changing the boolean into false
• Try to bypass 2FA by removing the 2FA parameter on the request

Weak OTP Implementation

• Try to bypass OTP by entering the old OTP
• Try to bypass OTP by brute-forcing
• Try to bypass OTP by using a null or empty entry
• Try to bypass OTP by response manipulation
• Try to bypass OTP by status code manipulation

API Security

• Check the strength of the authentication mechanisms used by the API, such as passwords, tokens, or API keys
• Verify if the API uses secure transport protocols such as HTTPS
• Ensure that the API access controls are implemented correctly and if unauthorized access is restricted
• Check the API implements a proper password policy
• Verify if the API uses rate-limiting to prevent brute-force attacks
• Ensure that all API input parameters are validated on the server and client sides
• Check that the API is not vulnerable to common Injection attacks like SQL injection, NoSQL injection, or LDAP injection
• Verify if the API accepts only the expected data formats and rejects unexpected formats
• Ensure that the API provides meaningful error messages to the client
• Check that the API does not leak sensitive information such as system details, stack traces, or error codes
• Verify if the API logs all the incoming requests, errors, and responses
• Ensure if API sensitive data is encrypted both in transit and at rest.
• Check if the API follows the principle of least privilege and ensures that users can access only the necessary data.
• Verify if the API implements proper data validation and sanitization to prevent data tampering or exposure
• Verify if the API uses secure session management mechanisms such as tokenization or session IDs
• Check if the session tokens are invalidated after a certain period of inactivity or logout
• Verify if the API is vulnerable to common business logic flaws such as unauthorized access, privilege escalation, or transaction manipulation
• Check if the API performs proper access controls and validations for all user actions
• Check if the API is integrated with any third-party services or libraries and if they are up-to-date and secure
• Verify if the API performs proper input validation and sanitization for third-party data

External Network

Enfoa’s External Network Penetration Testing systematically identifies vulnerabilities in your internet-facing infrastructure. We assess your public systems, including servers, web applications, APIs, and network devices, using advanced techniques to uncover potential entry points for unauthorized access.

We analyze and assess the security posture of your public-facing systems, including servers, Web applications, APIs, and network devices. We uncover potential entry points for unauthorized access using a combination of advanced techniques.

Our experts deeply analyse your network infrastructure to identify and exploit misconfigurations and security vulnerabilities. We help you secure your network against external threats by simulating various attack scenarios.

• The topology of virtualization systems will be audited
• The operating system update of virtualization host servers will be checked
• Services running on virtualization host servers will be audited
• Virtualization management software/software operating system and software on it will be checked for up-to-date
• Database and application servers running on virtualization management servers will be audited
• The topological location of DNS servers will be examined
• The records in the domain configuration of the DNS Server will be tried to be revealed.
• Zone transfer will be attempted over the server
• Information will be obtained through NXT and NSEC resource records
• DNS queries will be made, and servers located in the customer institution area will be tried to be determined
• An attempt will be made to perform cache poisoning for DNS servers
• Resource record entries on DNS servers will be examined
• The version information of DNS servers will be tried to be obtained
• It will be examined whether a service other than DNS runs on the servers
• Allowed ports for DNS servers will be examined in the firewall
• DNS servers will be subject to security analysis
• The vulnerabilities of the software providing the DNS service will be investigated.
• The topological location of e-mail servers will be examined
• Weaknesses of virus scanner gateways will be analyzed
• The exploitation of services running on servers other than e-mail will be reviewed
• The reliability of the authentication method on the e-mail server will be examined
• Possible vulnerabilities in libraries used by e-mail content controllers, anti-virus gateways, and spam filters will be examined.
• The router authentication mechanism will be checked
• It will be analyzed whether the routing is affected by exploiting the active network protocols on the router.
• Services running on the router will be audited
• Password storage mechanisms on the router will be audited
• The vulnerabilities of the operating system of the router will be investigated. The applicability of the identified vulnerabilities will be tested
• The router remote management mechanism will be audited
• The firewall event recording mechanism will be audited
• The platform’s vulnerabilities on which the firewall is running will be investigated. The applicability of the identified vulnerabilities will be tested
• The general configuration settings of the firewall will be checked
• VPN configuration compliance will be checked
• The security levels of the keys used in the VPN system will be checked. It will be determined how securely these keys are stored
• Without any intervention in the VPN system, the outgoing packets will be examined and tested to determine whether any information can be reached
• The reliability of the encryption algorithms used will be analyzed
• The platform on which the intrusion detection system is running will be audited
• Version controls of the software of intrusion detection system components will be made
• Intrusion signatures of intrusion detection system components will be audited
• The intrusion detection system will be tried to be circumvented by various attack methods

Internal Network

Enfoa’s Internal Network Penetration Testing identifies and mitigates vulnerabilities within your internal network. Our Ethical Hackers perform comprehensive assessments to detect weaknesses that could be exploited by insiders or intruders who have bypassed your perimeter defenses, ensuring your internal network’s confidentiality, integrity, and availability.

At Enfoa, we prioritize the confidentiality and integrity of your data, ensuring that all Penetration Testing activities are conducted with the utmost care and adherence to industry best practices. Our Internal Network Penetration Testing service helps you build a robust defense against potential threats, securing your organization’s reputation and sensitive information.

• Analysis of different operating systems such as Windows, Linux, macOS, Unix, BSD, Mainframe
• Detailed analysis of services running on detected operating systems
• Performing MiTM-type attacks
• Weaknesses in AV, EDR, XDR, MDR detection and counter-action capabilities, detection of configuration deficiencies
• Analysis to be performed on Active Directory
• SMB, LLMNR, NTLM, etc., performing types of attacks in categories
• Analysis of authentication mechanisms such as LDAP and Kerberos
• It will be determined which services for the internet are open within the corporate network
• Content filtering, firewall bypass, and information hijacking tests will be conducted over these open services
• The institution’s local network map will be determined
• Vulnerability scanning and penetration tests will be performed within the local area network
• Sensitive information will be tried to be obtained with interception techniques in the institution’s local network
• In light of the information obtained, attacks against user computers and server systems will be hijacked
• More critical information will be tried to be reached through the seized servers and user computers
• The topology of virtualization systems will be audited
• The operating system update of virtualization host servers will be checked
• Services running on virtualization host servers will be audited
• Virtualization management software/software operating system and software on it will be checked for up-to-date
• Database and application servers running on virtualization management servers will be audited
• It will be checked whether the current system and security patches that will not disrupt the system’s functionality are applied
• The database server’s password assignment, change policy, and user account security settings will be examined
• The database server will be examined to determine whether the audit mechanism is active
• The default values will be checked with the database installation and assigned to the users
• It will be checked whether remote access to database servers is secure
• The place of wireless network devices used in the institution in the general architecture will be examined
• Wireless networks in the institution will be scanned, and their features will be tried to be discovered
• It will be examined whether there is MAC address-based filtering in wireless networks.
• Encryption settings used in wireless networks will be examined
• In networks using WEP and WPA/WPA2 encryption, the wireless network password will be tried to be captured
• By creating fake wireless network access points, the clients in the institution will be tried to be captured
• By scanning the wireless network, other wireless networks around the institution will be tried to be discovered

 Cloud Assessments

Evaluate the effectiveness of your current cloud security defenses and controls. Leveraging expertise across leading cloud platforms, our service is customized to address the specific needs of your organization’s cloud-hosted resources.

Amazon AWS

AWS Penetration Testing is a targeted service designed to uncover and address vulnerabilities within Amazon AWS Cloud infrastructures. Although Amazon offers secure tools for cloud configuration, the responsibility for maintaining the security and stability of your environment lies with you. Our service provides proactive measures to prevent potential breaches and helps you understand the security impacts of any changes to your AWS setup.

• AWS Identity and Access Management (IAM): Thorough assessment of user, group, role configurations, and access controls.
• IAM Access Analyzer: Evaluation of access policies to detect potential security risks.
• AWS Config: Detailed review of resource inventory, configuration history, and compliance measures.
• AWS CloudTrail: Comprehensive analysis of log configurations, data events, and AWS management events.
• AWS CloudWatch: Scrutiny of AWS resource monitoring, alarms, and events.
• AWS S3 and EC2: Evaluation of AWS Simple Storage Service bucket policies and Elastic Compute Cloud instance configurations.
• AWS VPC: Analysis of default Virtual Private Cloud settings, with a focus on network security.

Microsoft Azure

Azure Penetration Testing service offers a detailed, expert-led analysis of your Azure cloud infrastructure. We examine critical elements of your Azure environment, such as network configuration, user access, data security, and endpoint protection. Our team employs real-world cyberattack techniques to identify vulnerabilities and risks. Utilizing industry-leading methodologies like MITRE ATT&CK, OWASP for cloud-hosted applications, OSSTMM for network components, and ISSAF, we provide a comprehensive evaluation of your cloud-based assets.

• Network Security: Extensive review of Azure virtual networks, DNS security, and mitigation strategies.
• Identity Management: In-depth evaluation of Azure Active Directory configurations and authentication mechanisms.
• Data Protection: Assessment of data protection at rest, in transit, and associated controls.
• Logging and Threat Detection: Analysis of Azure’s threat detection capabilities and audit log settings.
• Incident Response: Examination of the incident response lifecycle, leveraging Azure-specific services.
• Endpoint Security: Comprehensive review of endpoint protection mechanisms within Azure.
• Backup and Recovery: Verification of robust data backup and recovery strategies across Azure services.

Google Cloud

Google Cloud Penetration Testing provides a tailored security assessment for your Google Cloud Platform (GCP) infrastructure. This service involves a thorough examination of GCP components, such as Compute Engine, Cloud Storage, and Kubernetes Engine, using techniques that replicate real-world cyberattacks. The goal is to identify vulnerabilities, misconfigurations, and weaknesses within your cloud environment, ensuring it remains secure against cyber threats.

• Identity and Access Management: Focus on user management, role-based access control, and authentication mechanisms.
• Logging and Monitoring: Review of Google Cloud Logging and Monitoring configurations.
• Virtual Networking: Analysis of VPC networks, firewalls, and network access controls.
• Virtual Machine Instances: Security review of Compute Engine instances.
• Storage Security: Examination of Cloud Storage buckets, access controls, and encryption.
• Cloud SQL Database: Evaluation of Cloud SQL instances, including encryption and backups.
• Kubernetes Engine: Security assessment of Google Kubernetes Engine clusters, including access controls.

Oracle OCI

Oracle OCI Penetration Testing offers a comprehensive security assessment tailored for your Oracle Cloud Infrastructure (OCI). Our service is designed to identify and mitigate vulnerabilities within your OCI environment, ensuring robust security and stability. Although Oracle provides secure tools for cloud configuration, maintaining the integrity and safety of your infrastructure is your responsibility. Our proactive measures help prevent potential security breaches and allow you to understand the security implications of changes within your OCI setup.

• Identity and Access Management (IAM): Thorough evaluation of user, group, and role configurations, along with access controls.
• OCI Policies: Review of access policies to detect potential security risks and misconfigurations.
• OCI Audit: Detailed analysis of audit logs, events, and activities within your OCI environment.
• OCI Monitoring: Examination of monitoring configurations, alarms, and resource utilization.
• Compute Instances: Security assessment of OCI compute instances, including configuration and access controls.
• Object Storage: Evaluation of Oracle Cloud Object Storage bucket policies, access controls, and encryption.
• Virtual Cloud Network (VCN): Comprehensive review of VCN settings, subnets, and network security configurations.
• Database Security: In-depth analysis of Oracle Cloud databases, including encryption, backups, and access controls.
• Container Security: Assessment of OCI Container Engine for Kubernetes (OKE) clusters, focusing on security configurations and access controls.

 Mobile Applications

Mobile applications are important for businesses yet pose unique security risks. Enfoa’s Mobile Application Penetration Testing assesses your apps’ security, identifying and exploiting vulnerabilities that could expose sensitive data. We use comprehensive testing methods to simulate real-world attacks, ensuring your mobile apps are secure.

Our iOS Penetration Testing experts are well-versed in the intricacies of Apple’s ecosystem. Whether you have a business or consumer-focused app, we meticulously assess its security posture to identify and exploit vulnerabilities specific to iOS. By simulating real-world attack scenarios, we offer actionable insights and recommendations to secure your iOS applications against potential threats.

With Android’s diverse ecosystem and extensive user base, securing your Android applications is paramount. Enfoa’s Android Penetration Testing services are designed to address the unique security challenges Android apps face. Enfoa conducts comprehensive assessments, helping you secure your Android applications against cyber threats.

• Languages, Frameworks and Libraries
• Features and Components
• Entry Points
• Framework and Language Settings
• Legacy and Unreachable Code
• Manifest Configuration
• Backup Configuration
• Supported OS Versions
• Requested Permissions
• Debugging Configuration
• Memory Protection, Allocation and Randomization
• Play Integrity API
• SafetyNet Verify Apps API
• DeviceCheck
• ProGuard
• Third-party and Custom Obfuscation
• Debugging Detection and Prevention
• Code Signing
• Tampering Detection and Prevention
• Deep Links and URL Schemes
• App Links and Universal Links
• Exported Components and Permissions
• SQL Injection
• Command Injection
• Heap or Stack Based Buffer Overflows Tapjacking
• Cross Site Scripting
• Cross Site Request Forgery
• JavaScript Interfaces
• Local Content and File Access
• SafetyNet Safe Browsing API
• Content Loading Restrictions
• Improper X.509 Certificate Validation
• Weak TLS/SSL Ciphers
• TLS/SSL Key Strength
• Sensitive Information Sent via Unencrypted Channels
• Certificate Pinning
• Encryption of Sensitive Data In Transit and at Rest
• Device Keychain
• Information Leakage
• Excess Data Storage
• Logging of Sensitive Data
• Debugging Status
• Intent Security

 Secure Source Code Analysis

Secure Source Code Analysis, or Static Application Security Testing (SAST), is important to securing your software from potential vulnerabilities. Our experts carefully review your application’s source code to identify security flaws, coding errors, and possible entry points for malicious attacks. By employing industry-leading tools and methodologies, we ensure the integrity and security of your codebase.

Secure your software and protect your organization from potential security breaches with Enfoa’s Source Code Analysis service.

• Any extraneous functionality implemented in the application
• Any sensitive information used by the application
• Secrets must be accessible with proper authentication
• Untrusted input is not acceptable by the application. Validate user input by testing length, range, type, etc.
• The business logic implemented in the application needs to be validated
• Are there any backdoors for authentication for admin users?
• Check for default configurations like Access- ALL
• Data validation must be done on the server side
• Check the login page available only on the secure channel (over TLS)
• Ensure error messages do not leak any information
• Ensure username and password are not available in logs
• Check that password complexity is sufficient enough
• Check for a password expiration mechanism
• For critical applications, ensure multi-factor authentication enforce and strictly enabled
• Bruteforce preventable mechanisms (e.g., Captcha) must be employed
• Not allow the user to enter multiple guesses in Captcha after an incorrect attempt
• Ensure security checks are implemented before processing inputs
• Ensure PINs used as two-factor authentication have a short lifespan and are random
• Ensure session ID length must be at least 128 bits
• Ensure session cookies must be encrypted
• Ensure session timeout inactivity is enforced
• Ensure implementation of the session timeout mechanism
• Ensure active sessions must be warned if accessed from a different location
• Ensure the session elevation mechanism is correctly implemented
• Ensure keys or secrets are not hardcoded in the source code
• Ensure the application uses a certified implementation of cryptographic algorithms
• Ensure protection at rest mechanisms are implemented
• Implement HTTP Strict Transport Security (HSTS) for critical interfaces
• Ensure no proprietary algorithms are used without proper validation
• Source code must be properly commented on to increase readability
• Ensure the logging mechanism is implemented for critical functionality
• User and Role-based privileges must be verified thoroughly
• Ensure X-Frame-Options: deny implementation correctly
• Ensure X-XSS-Protection: 1; mode=block to mitigate XSS attack
• Ensure the application store password by using a suitable cryptographic mechanism
• Ensure notification must be triggered on the registration confirmation or forgot password functionality usage
• Ensure sensitive information is transmitted in encrypted form
• Ensure database credentials are stored in an encrypted format
• Ensure no components, such as libraries, frameworks, etc., are updated to the latest version
• Ensure all redirects/forwards are based on a whitelist instead of the blacklist
• Ensure the same-origin policy is correctly implemented
• Ensure payment-related information, such as credit card numbers, etc., must not be logged
• Ensure a generic error page is implemented on application failure
• Ensure the application changes the logging level if it detects any attack
• Check how the administrator knows that the application is under attack
• Check for a race condition
• Check for a buffer overflow vulnerability
• Check the application enforce users to change the default password on the first login
• Check application uses any elevated OS/system privileges for external connections/commands
• Check for authorization-related issues