Pen-tests or penetration testing is a type of “technical cyber security audit” which represents the implementation of several scenarios of  actions of a potential hacker as close as possible to that it will be used for real hacking and penetration into the corporate IT perimeter.

The penetration test allows you to get answers to following questions:

  • how secure is your IT-infrastructure, servers, corporate CRM, ERP, BPM - systems, website, databases, storage and network data transfer stack;

  • how long does it take for a professional hacker to penetrate your network, copy or destroy financially significant data;

  • what defenses were not effective against a hacker attack and what can be done to eliminate critical vulnerabilities;

  • to what extent the available security equipment meets the requirements of international and domestic standards and the best world practices in the field of computer security - PCI DSS v3.2, NIST-800, GOST R 57580.1-2017 Bank of Russia.

The penetration test for the site (web penetration test)

 The web site is checked for vulnerabilities by testing its security against combined attack methods based on OWASP, OSSTMM methodologies, as well as best practices and recommendations of the PCI DSS standard.

  • in the process of site audit, the following actions are performed on the tested resource:

  • search for vulnerabilities in server components;

  • search for vulnerabilities in the web environment of the server;

  • check for remote execution of arbitrary code;

  • check for overflows;

  • check for injections (code injection);

  • attempts to bypass the web resource authentication system;

  • checking the web resource for XSS / CSRF vulnerabilities;

  • check for redirection to other sites and open redirects;

  • scan directories and files using brute force and “google hack”;

  • analysis of search forms, registration forms, authorization forms, etc .;

  • attacks of the class race condition;

  • password selection for admin panel and DBMS.