Sectigo secure email solutions (S/MIME)

Secure your email by digitally signing and encrypting communications with our email certificates, also called personal identification certificates.

Web Vulnerabilities assessment

INFRASEG's team of ethical hackers emulates an attack from the Internet against your website, from multiple directions, both concurrently and sequentially. Among other things, we look for:

  • General status of the installed application.
  • Review of file and directory permissions.
  • External review of the server hosting the website, checking whether its software configuration and protocols meet the minimum security requirements.
  • Detection of malware installed in the application that could cause functional or reputational damage to the organization.

Following this, a series of reconnaissance analyses is carried out, consisting of the following activities:

General Browsing: In a first stage, the site is browsed as any ordinary user would browse it, in order to identify possible points of interest and validate the flows to be analysed.
Form Search: Once the points of interest have been identified, every vector of user interaction or data input within the in-scope flows is catalogued.
Cookie Analysis: Since many applications base content delivery and authentication on cookies, tools are used to analyse the cookies and sessions the application generates. This work enables, in later stages, possible session impersonation and injection of information.
Among other activities defined by the team's experience and the OWASP Testing Guide.
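As an added illustration of the cookie-analysis step (example code written for this page, not an INFRASEG tool), the following Python script audits the Set-Cookie headers captured from a response: it parses each cookie's attributes, reports missing Secure, HttpOnly and SameSite flags, and applies an entropy screen to cookies whose names suggest a session identifier. The sample headers are constructed; the session-name hints and the 64-bit threshold are assumptions chosen for the demo, not a standard.

```python
import math
from collections import Counter

# Constructed sample: Set-Cookie headers as they might be captured from an
# HTTP response during reconnaissance (not from any real application).
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=a3f9c2e1d4b7f8a9c0e1d2b3f4a5c6d7; Path=/; HttpOnly",
    "remember=user42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "sid=1234; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Assumed name fragments that usually mark a session or authentication cookie.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def entropy_bits(value):
    """Shannon entropy of the value's characters, scaled to the whole string.

    This is only an upper bound on unpredictability (a counter padded with
    random-looking digits would still pass), so treat it as a screening
    heuristic, not as proof of a secure generator.
    """
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit_cookie(header, min_token_bits=64):
    """Return (name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")           # sent over plain HTTP: interceptable
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")         # readable by injected script (XSS)
    samesite = attrs.get("samesite")
    if samesite is None or str(samesite).lower() == "none":
        findings.append("SameSite absent or None")  # attached to cross-site requests (CSRF)
    looks_like_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    if looks_like_session and entropy_bits(value) < min_token_bits:
        findings.append("session identifier looks guessable (low entropy)")
    return name, findings


def audit_all(headers):
    """Map each cookie name to its findings; an empty list means nothing flagged."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings) or 'no findings'}")
```

The entropy screen is deliberately conservative: it flags short or repetitive identifiers such as `sid=1234`, but a high score only means the value is not trivially guessable, not that the generator is cryptographically secure.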

Once the above is complete, a series of tests is carried out with commercial and open-source tools in order to compromise the application under evaluation. Some of the tests performed on the application are:

Cross-Site Scripting: Cross-site scripting is a vulnerability typical of web applications that allows a third party to inject JavaScript (or other client-side script) into web pages visited by the user; the injected script then runs in the victim's browser with the privileges of the vulnerable site.
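To make the mechanism concrete, here is an added Python example (written for this page, not taken from the service description) showing a reflected-XSS sink, the same output with HTML escaping, and a case that escaping alone does not cover: an unquoted attribute, where a payload containing no special characters still injects an event handler. The payloads are constructed; the detector uses the standard library's html.parser as a stand-in for how a browser tokenises the markup.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: a benign search term and two attack payloads.
BENIGN = "shoes"
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
UNQUOTED_ATTR_PAYLOAD = "x onmouseover=alert(1)"   # no <, >, ", ' or & to escape


def render_vulnerable(term):
    """Reflects the search term straight into the page: a reflected-XSS sink."""
    return f"<p>Results for: {term}</p>"


def render_escaped(term):
    """Same page with the term HTML-escaped for the element-content context."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_unquoted_attribute(term):
    """Escaping is context-dependent: in an *unquoted* attribute a space ends
    the value and starts a new attribute, so the payload needs no escapable
    character at all. The fix is to always quote attribute values."""
    return f"<input type=text name=q value={html.escape(term, quote=True)}>"


def render_quoted_attribute(term):
    """Quoted attribute plus quote=True escaping closes that injection path."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


class SinkDetector(HTMLParser):
    """Flags a <script> element or any on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.injected = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.injected = True


def is_script_injected(rendered):
    """True if the rendered HTML would execute attacker-controlled script."""
    detector = SinkDetector()
    detector.feed(rendered)
    detector.close()
    return detector.injected


if __name__ == "__main__":
    for label, out in [("vulnerable", render_vulnerable(SCRIPT_PAYLOAD)),
                       ("escaped", render_escaped(SCRIPT_PAYLOAD)),
                       ("unquoted attr", render_unquoted_attribute(UNQUOTED_ATTR_PAYLOAD)),
                       ("quoted attr", render_quoted_attribute(UNQUOTED_ATTR_PAYLOAD))]:
        print(f"{label:14s} injected={is_script_injected(out)}  {out}")
```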
SQL Injection: SQL injection is a code-injection technique that exploits missing or insufficient input validation in an application to execute attacker-controlled operations on its database.
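The following is an added example (not part of the original text) using Python's built-in sqlite3 module: a login query assembled by string formatting beside the parameterized form, exercised with three constructed inputs a tester would try, including a UNION payload that returns another user's password through the login response. The table, users and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database. Passwords are stored in clear text only to
    keep the demo short; a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, so the input becomes part of the
    query grammar instead of a value. Returns the matched username or None."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same logic with bound parameters: the driver passes the values separately
    from the statement, so quotes, comments and UNIONs are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attack inputs typical of a manual test.
BYPASS_PASSWORD = "x' OR '1'='1"                  # makes the WHERE clause always true
COMMENT_USERNAME = "' OR 1=1 --"                  # comments out the password check
UNION_USERNAME = "' UNION SELECT password FROM users WHERE username = 'bob' --"


def run_demo():
    """Run every probe against both handlers and return the outcomes."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, "alice", BYPASS_PASSWORD),
        "vuln_comment": login_vulnerable(conn, COMMENT_USERNAME, "irrelevant"),
        "vuln_union_leaks_password": login_vulnerable(conn, UNION_USERNAME, "irrelevant"),
        "param_bypass": login_parameterized(conn, "alice", BYPASS_PASSWORD),
        "param_comment": login_parameterized(conn, COMMENT_USERNAME, "irrelevant"),
        "param_union": login_parameterized(conn, UNION_USERNAME, "irrelevant"),
        "legit": login_parameterized(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for probe, outcome in run_demo().items():
        print(f"{probe:26s} -> {outcome!r}")
```

The UNION probe is the instructive one: the vulnerable handler does not merely let the attacker in, it echoes a column the attacker chose (bob's password) wherever the application displays the "logged-in" username.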
Session Management Analysis: Session management is one of the critical aspects of web security. The main objectives are:
  • Authenticated users have a robust and cryptographically secure association with their sessions.
  • Authorization checks are enforced.
  • Typical web attacks are prevented, such as session reuse, forgery and interception.
Directory Traversal: A directory traversal (also called path traversal) exploits insufficient validation of user-supplied file paths, allowing an attacker to climb into parent directories without any control and read files outside the intended web root.
Redirect Type Attacks: Web applications frequently redirect users to a login page when they request resources that require authentication. After the user authenticates, they are redirected to the URL they originally requested. Since the destination URL is specified in the query string of the request, a malicious user can tamper with it: a crafted query string can make the site redirect the user to a malicious external site. This technique is called an open redirect attack.
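Below is an added Python example (not from the original page) of a `?next=` handler that trusts the parameter, a validator that allows only same-site destinations, and a constructed list of the probes typically used to bypass such validators. The hostname app.example.com is an assumption for the demo.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "app.example.com"   # assumed hostname of the site under test


def redirect_vulnerable(next_param, default="/"):
    """Trusts the query-string value as-is: any URL is a valid destination."""
    return next_param or default


def is_safe_redirect(next_param, trusted_host=TRUSTED_HOST):
    """Allow only same-site destinations.

    Rejects other hosts, scheme-relative '//host', backslash variants that some
    browsers normalise to '//', user@host tricks, look-alike suffix hosts,
    non-default ports and non-HTTPS schemes such as javascript:."""
    if not next_param or any(c in next_param for c in "\\\r\n\t"):
        return False
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only HTTPS back to our exact host.
        try:
            port_ok = parts.port in (None, 443)
        except ValueError:          # malformed port
            return False
        return parts.scheme == "https" and parts.hostname == trusted_host and port_ok
    # Relative URL: a single leading slash keeps it on the current origin.
    return next_param.startswith("/") and not next_param.startswith("//")


def redirect_hardened(next_param, default="/"):
    """Fall back to a fixed landing page whenever the destination fails validation."""
    return next_param if is_safe_redirect(next_param) else default


# Constructed probe list a tester would try against a ?next= parameter.
PROBES = [
    "/account/settings",
    "https://app.example.com/account",
    "//evil.example/phish",
    "https://evil.example/",
    "/\\evil.example",
    "https://app.example.com.evil.example/",
    "https://app.example.com@evil.example/",
    "javascript:alert(1)",
]


def run_demo():
    """Map each probe to (destination chosen by the vulnerable handler,
    destination chosen by the hardened handler)."""
    return {p: (redirect_vulnerable(p), redirect_hardened(p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (vuln, hard) in run_demo().items():
        print(f"{probe!r:45s} vulnerable -> {vuln!r:40s} hardened -> {hard!r}")
```

An allowlist of exact hosts is preferred over any "starts with" or "contains" check on the URL string; the suffix and user@host probes exist precisely because those string checks pass them.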
Manipulation of Hidden Fields: Developers often rely on the contents of hidden form fields, assuming that users can neither see nor modify them. Attackers will violate that assumption: they examine the values stored in hidden fields and modify or replace them with attack data.
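As an added example of the defence (written for this page, not INFRASEG code), the Python below shows a checkout that trusts a hidden price field, the same field protected with an HMAC-SHA256 signature so that tampering is detected, and the stronger alternative of not round-tripping the value at all. The secret key, SKU and catalogue price are constructed placeholders.

```python
import base64
import hashlib
import hmac
from decimal import Decimal

SERVER_SECRET = b"constructed-demo-key-keep-this-server-side"   # assumption

# Constructed catalogue: the server's own source of truth for prices.
CATALOGUE = {"SKU-1001": Decimal("49.99")}


def checkout_vulnerable(form):
    """Trusts the hidden 'price' field the client sends back."""
    return Decimal(form["price"])


def sign_field(value):
    """Emit 'value.signature' for a hidden field. The signature is an
    HMAC-SHA256 over the value under a server-side key, so the client can
    read the value but cannot forge a matching tag for a different one."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify_field(signed):
    """Return the value if its signature matches, else None.

    The comparison is constant-time; the value is taken from the left of the
    last dot because urlsafe base64 never contains one."""
    value, sep, _ = signed.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(sign_field(value).encode(), signed.encode()):
        return None
    return value


def checkout_signed(form):
    """Accepts the price only if the signed hidden field is intact."""
    value = verify_field(form.get("price", ""))
    return Decimal(value) if value is not None else None


def checkout_lookup(form):
    """Strongest option: never round-trip the price; look it up by SKU."""
    return CATALOGUE.get(form.get("sku"))


def render_form(sku):
    """What the server embeds in the page for the signed variant."""
    price = str(CATALOGUE[sku])
    return (f'<input type="hidden" name="sku" value="{sku}">\n'
            f'<input type="hidden" name="price" value="{sign_field(price)}">')


if __name__ == "__main__":
    print(render_form("SKU-1001"))
    tampered = {"sku": "SKU-1001", "price": "0.01"}
    print("vulnerable charges:", checkout_vulnerable(tampered))
    print("signed accepts:", checkout_signed(tampered))
    print("lookup charges:", checkout_lookup(tampered))
```

Signing keeps a legitimately issued value from being altered, but it does not stop an attacker from replaying an old signed value (for example a price from a past promotion); binding the signature to the SKU and an expiry, or simply using the server-side lookup, removes that residual risk.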

External Pentesting

In this service, INFRASEG consultants position themselves outside your infrastructure and attack the targets that would allow them to reach internal resources or affect the availability of customer-facing services. This service simulates what a cybercriminal standing on the external perimeter of your platforms would do. Most commonly this covers the website, Wi-Fi networks and any part of the infrastructure exposed to the Internet.

Internal Pentesting

In this service, INFRASEG consultants position themselves inside your infrastructure and analyse the environment, then carry out an attack to escalate privileges and/or obtain or "listen to" information on the internal network. The purpose of our internal pentesting is to attempt to become a superuser of the platforms we find. This service simulates an insider, who may be a disgruntled employee or someone deliberately recruited to steal information in exchange for money or under extortion.

An insider can certainly do far more damage than many external cybercriminals, since they have knowledge of the institution's applications, as well as credentials and permissions that are difficult to obtain from outside.

Among others we are looking for:

  • Unpatched servers and devices
  • Shared folders
  • Insecure internal Wi-Fi
  • Generic (shared) user accounts
  • Password misuse
  • Testing the operation of internal defences (IDS/IPS)
  • Sending sensitive information outside the organization, for example:
      • Credit card numbers
      • Customer information
      • Confidential documents