5 must-have security testing tools for your pentesting tasks
COVID-19 free penetration tests by Pentest-Tools.com
Jan 24, 2021
We offered companies free penetration tests so they could improve their security and better cope with the emerging cyberattacks.
The report covers top security issues we found and experts' recommendations to avoid attacks that disrupt businesses.
Companies involved in fighting the pandemic quickly became high-value targets for cybercriminals.
Throughout March and April 2020, we offered these organizations free penetration tests to help them cope with the wave of opportunistic attacks.
This report covers our findings and recommendations, which coincide with the vulnerability categories we frequently see in our offensive security research.
Helping companies fight COVID-19. Safely.
What free website pentests reveal about their security challenges
ENABLING DEFENDERS TO PROTECT WHAT TRULY MATTERS
Top 3 security issues we found
1. Security misconfigurations
2. Outdated software components
3. Information disclosure risks
COMPANIES: 16
INDUSTRIES: 7
SECURITY ISSUES: 93
OWASP TOP 10: 5
COUNTRIES: 11
We helped IT and security professionals by independently evaluating and prioritizing the vulnerabilities in their websites - which people rely on to get help and information.
Companies that qualified for the program operate in industries such as IT&C, Information security, Education, Software, Travel, and Agriculture.
Security needs to be a business enabler.
We discovered
Based on prioritized vulnerabilities and remediation info, 16 companies can now operate more safely.
Common issues found cover 5 security risks from OWASP Top 10:
Injection
Broken Authentication
Sensitive Data Exposure
Broken Access Control
Security Misconfiguration
SECURITY
MISCONFIGS
56 12
17
/ /
OUTDATED SOFTWARE
COMPONENTS
INFORMATION
DISCLOSURE ISSUES
With more internet-exposed infrastructure than ever before, cybercriminals have more opportunities to attack essential organizations that cannot afford downtime. That's why those involved in fighting the current epidemic are especially valuable targets for them.
Attackers often attempt to exploit unpatched flaws or access accounts with default credentials, unused website pages, unprotected files and directories, or old and forgotten web technologies to gain unauthorized access or system information.
Misconfigurations are still one of the top 5 causes for data breaches
VULNERABILITY CHAINING CAN ELEVATE THE RISK OF COMPROMISE CAUSED BY LOWER-SEVERITY VULNERABILITIES
While they may not be high-severity risks, they represent a threat cybercriminals can easily exploit
According to CVSS v2.0 Ratings.
Our job is not just to think like an attacker and look for security issues in companies' infrastructures. We also recommend solutions for them.
The pentest reports we did to help organizations providing support for people affected by the pandemic included actionable and detailed recommendations so they can fix these problems and reduce their attack surface.
RAZVAN IONESCU
HEAD OF PROFESSIONAL PENTESTING SERVICES
We looked for security misconfigurations, default accounts or configurations, unnecessary services, insecure protocols, and many more issues that frequently expose organizations to cyberattacks.
In the 7 years since launching Pentest-Tools.com, we've been striving to build and develop a reliable, fully fledged penetration testing and vulnerability assessment platform.
Because we believe in making security and IT professionals' work easier, we eat our own dog food and use it every single day - including for the 16 companies we analyzed.
Take a look at our toolstack
Website Scanner
URL Fuzzer
Find Domains and Find Subdomains
Subdomain takeover scanner
XSS Exploiter and SQLi Exploiter
TCP Port Scanner and UDP Port Scanner
Burp Suite Proxy (for manual pentesting)
TOOLS DON'T MAKE THE PENTESTER. THEY MAKE THEM STRONGER.
When it comes to managed pentests, we shave hundreds of hours on recon by using our own tools. That means we have more time to analyze high-severity issues and recommended solutions that make sense for the business.
5 ways to avoid attacks that interrupt your business
We're building the most effective online platform for penetration testing and cybersecurity assessments, while helping our customers understand the root cause of vulnerabilities and how to fix them.
Get to know us, browse our free guides, or check out our tools!
If you're looking to make a big impact with a few key actions, try applying the 80/20 rule to your security setup: 20% of your security controls will count for 80% of your security posture.
Here are the 20%: the most frequent actions we recommended organizations that received a free penetration test - and the golden rules to guide their best security decisions going forward.
Our motto:
Think like an attacker, act like a defender.
Use & enforce strong password policies
Hide any sensitive information from unauthorized users
Regularly assess the security of your apps & infrastructure
Don't trust users with inputting data in your web application
Know your attack surface like the back of your hand
Keep all your software components up to date
Implement stronger password policies
Implement proper access control methods to all the web apps' endpoints
Sanitize all users' input
KEY RECOMMENDATIONS:
GOLDEN RULES:
We built Pentest-Tools.com to make pentesting (and security) easier, faster, more effective, and affordable