This document gives a detail stepwise gist of what Deltecs\' consultancy involves in the field of Vulnerability Assessment and Penetration Testing. It also gives a life cycle of the testing to be carried out on any web application or system. This wold give an insider information on what are principles followed by Deltecs while testing web applications.

1. Deltecs’ Services for Information Security
like
Think like a Thief to catch a Thief
|
Deltecs Infotech Pvt. Ltd
Ph: 022-28488746 | 022-28481451
Web: www.deltecs.com
Email: info@deltecs.com

2. INTRODUCTION
Deltecs Infotech Pvt. Ltd, a leader in information security and penetration testing adopts
the tests listed in the OWASP Top Ten list, as well as the class of tests provided at
OWASC.
Deltecs’ Web Application Security process is a combination of comprehensive
vulnerability detection tests. It is run on the company’s web assets, like web servers, e-
mail servers, data centers, and third party applications running on servers.
With an exhaustive database of existing vulnerabilities Deltecs has an expertise in
vulnerability detection and remediation. The daily update of the database assures the
highest level of remote vulnerability detection available. Combined with an automated
process being managed by world class security experts, this provides an unparalleled
level of network perimeter security.
Authentication
Brute Force:
A Brute Force attack is an automated process of trial and error
used to guess a person’s username, password, credit card number
or cryptographic key.
Insufficient Authentication:
Insufficient Authentication occurs when a website permits an
attacker to access sensitive content or functionality without
properly authenticate.
Weak Password Recovery:
Weak Password Recovery Validation is when a Website permits an
attacker to illegally obtain, Change or Recover another user’s
Password.
Authorization
Credentials/Session Prediction
Credentials/Session Prediction is a method of hijacking or
impersonating a website user.
Insufficient Authorization
Insufficient Authorization is when a website permits access to
sensitive content or functionality that requires increased access
control restriction.
Insufficient Session Expiration
Insufficient Session Expiration is when a website permits an
attacker to reuse old session credentials or session IDs for
authorization.
Session Fixation
Session Fixation is an attack technique that forces a user’s session
ID to an explicit value.

3. Client Side Attacks
Cross-site Scripting
Cross-site Scripting (XSS) is an attack technique that forces a
website echo attacker-supplied executable code, which loads in a
user’s browser.
Command Execution
SQL Injection
SQL Injection is an attack technique used to exploit websites that
construct SQL statements from a user-supplied input.
Information Disclosure
Directory Indexing
Automatic directory listing /indexing is a web server function that
lists all of the files within a requested directory if the normal base
file is not present.
Information Leakage
Information Leakage is when a website reveals sensitive data, such
as developer comments or error messages, which may aid an
attacker in exploiting the system.
Path Traversal
The Path Traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory.
Predictable Resource Location
Predictable Resource Location is an attack technique used to
uncover hidden website content and functionality.
Logical Attacks
Abuse of Functionality is an attack technique that uses a website‘s
own features and functionality to consume, defraud, or
circumvents access controls mechanisms.
Insufficient Anti-automation
Insufficient Anti-automation is when website permits an attacker to
automate a process that should only be performed manually.
Insufficient Process Validation
Insufficient Process Validation is when a website permits an
attacker to bypass or circumvent the intended flow control of an
application.