> Online Security Audit

Our audit is designed to use a web application as an exploitable front-end through which it can make contact with a database or web-server. This approach ensures that we don't rely on specific compatible web-servers. Hence, if an application can be viewed in any browser without installing special plug-ins, over the HTTP and HTTPS protocols, then it will be correctly audited. Ex: ASP, ASP.NET, JavaScript, AJAX, PHP, FrontPage, PERL, JRun, Ruby, Flash, ColdFusion. Audited web applications can also be hosted on a number of different web servers such as IIS, APACHE, Sun Java, and Lotus Domino.

While conducting the online security audit, several tasks are performed. Some of them, but not limited to, are:

 Version Check
o Vulnerable Web Servers
o Vulnerable Web Server Technologies – such as PHP 4.3.0 file disclosure and possible code execution.

 CGI Tester
o Checks for Web Servers Problems – Determines if dangerous HTTP methods are enabled on the web server (e.g. PUT, TRACE, DELETE)
o Verify Web Server Technologies

 Parameter Manipulation
o Cross-Site Scripting (XSS)
o SQL Injection
o Code Execution
o Directory Traversal
o File Inclusion
o Script Source Code Disclosure
o CRLF Injection / HTTP Response Splitting
o Cross Frame Scripting (XFS)
o PHP Code Injection
o XPath Injection
o Full Path Disclosure
o LDAP Injection
o Cookie Manipulation
o URL Redirection
o Application Error Message

 MultiRequest Parameter Manipulation
o Blind SQL / XPath Injection

 File Checks
o Checks for Backup Files or Directories - Looks for common files (such as logs, application traces, CVS web repositories)
o Cross Site Scripting in URI
o Checks for Script Errors

 Directory Checks
o Looks for Common Files (such as logs, traces, CVS)
o Discover Sensitive Files/Directories
o Discovers Directories with Weak Permissions
o Cross Site Scripting in Path and PHPSESSID Session Fixation.

 Web Applications
Large database of known vulnerabilities for specific web applications such as Forums, Web Portals, Collaboration Platforms, CMS Systems, E-Commerce Applications and PHP Libraries.

 Text Search
o Directory Listings
o Source Code Disclosure
o Check for Common Files
o Check for Email Addresses
o Microsoft Office Possible Sensitive Information
o Local Path Disclosure
o Error Messages

 Web Services – Parameter Manipulation
o SQL Injection / Blind SQL Injection
o Directory Traversal
o Code Execution
o XPath Injection
o Application Error Messages

A full detail audit report is generated then and sent to the client. Hoost offers a wide range of report formats:

Security Report (standard):

* Executive Summary

* Security Issues:

- Variants
- Advisories and Fix Recommendations

* Remediation Tasks

* Application Data:

- Application URLs
- Script Parameters
- Broken Links
- Comments
- Javascripts
- Cookies

Industry Standard Report (upon customer request, no additional fees):

- WASC Threat Classification
- The Payment Card Industry Data Security Standard (PCI)
- Visa's Payment Application Best Practices
- International Standard - ISO 17799
- International Standard - ISO 27001
- OWASP Top 10 2007
- OWASP Top 10 2004
- SANS Top 20 V5
- SANS Top 20 V6
- NERC CIPC Electricity Sector Security Guidelines

Regulatory Compliance Report (upon customer request, no additional fees):

Country Regulatory Compliance Report Title

California Assembly Bill No. 1950 and Senate Bill 1386
Children Online Privacy Protection Act (COPPA)
DCID 6/3 Avialability Basic
DCID 6/3 Avialability Medium
DCID 6/3 Avialability High
DCID 6/3 Confidentiality Reqs Protection Level 1
DCID 6/3 Confidentiality Reqs Protection Level 2
DCID 6/3 Confidentiality Reqs Protection Level 3
DCID 6/3 Confidentiality Reqs Protection Level 4
DCID 6/3 Confidentiality Reqs Protection Level 5
DCID 6/3 Integrity Basic
DCID 6/3 Integrity High
DCID 6/3 Integrity Medium
DCID 6/3 Security Advanced Technology IS
Electronic Funds and Transfer Act (EFTA)
Federal Information Security Mgmt. Act (FISMA)
Financial Services (GLBA)
Healthcare Services (HIPAA)
NERC Cyber Security Standards
Privacy Act of 1974
Safe Harbor
Sarbanes-Oxley Act (SOX)
The securities Act
Title 21 Code of Federal Regulations
Familiy Education Rights and Privacy Act (FERPA)
Mastercard SDP
Basel II
NIST Special Publication 800-53

Canada PIPED Act
Freedom of Information and Protection of Privacy Act (FIPPA)
Management of Information Security Technology (MITS)
EU European Directive 1995/46/EC
European Directive 2002/58/EC
Japan Japan's Personal Information Protection Act
UK Data Protection Act


You can also check this link to know how the audit is conducted and what information we require from the client before starting the work.


About us..... Privacy..... N.D.A..... Terms of use..... Agreement......Careers... ..FAQs......Contact
Copyright © 2012 Hoost Communication. All Rights Reserved.