Our customized threat modeling identifies the weaknesses in your security posture that put your most valuable organizational and client data, the crown jewels, at risk.
Our security audits and vulnerability assessments are based on industry standards and best practices to assess weaknesses in your cloud environment and network, as well as mobile and web-based apps.
Our sophisticated testing services delve into your network, smart devices and other systems to expose critical security deficiencies.
A web application vulnerability assessment will reveal coding weaknesses, insecure storage of secrets, potential privacy issues, and other security vulnerabilities that could result in a data breach or server compromise.
It doesn't matter what platform your web app is written on: we've worked on everything from Node.js, React, PHP, .NET and Java to WordPress and Drupal, among many others. We look for common development mistakes and then work with your developers so they can fix the issues.
Whether you developed your app in house or through an external agency, do you know how securely it was written? Sure, most new frameworks include some controls, but did your developers understand and follow each one? How many legacy apps do you have that you're afraid to touch for fear of breaking them? How confident are you that these apps have been hardened against security attacks?
Many developers think of application security in terms of how they expect users to interact with the system. But what happens when a hacker throws unexpected data at your app, or finds a way to bypass your existing controls? Hackers can exploit defects in your code to exfiltrate or modify customer data, abuse business logic flaws, vandalize your site with offensive content, or even break into your servers and network!
We begin by interacting with your application as it was intended to be used, to get a feel for the application workflow, external integration points, and areas of potential weakness. All network traffic to and from the application is captured and inspected for clear-text secrets, API integrations, and hidden functionality. We spider your application to discover hidden or unlinked files, then subject it to an extensive combination of manual and automated attacks covering the OWASP Top Ten.
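To make the passive part of that first pass concrete, here is an added example (ours, not the page's or the firm's own tooling) that walks a small constructed capture, the kind of request/response record an interception proxy produces after a normal walk-through of an app, and pulls out exactly the three things the paragraph names: secrets travelling in clear text, third-party API integrations, and paths the app references but the walk-through never visited, which become the seeds for spidering. The hosts, paths, credentials and key values are all invented for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample capture (not real traffic): what a proxy would record
# after walking the app as a normal user. All names/values are assumptions.
PRIMARY_HOST = "app.example.test"

CAPTURE = [
    {"url": "http://app.example.test/login",
     "req_headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "req_body": "user=alice&password=Winter2020!",
     "resp_body": '<a href="/dashboard">Home</a><script src="/static/app.js"></script>'},
    {"url": "http://app.example.test/static/app.js",
     "req_headers": {}, "req_body": "",
     "resp_body": 'fetch("/api/v1/admin/export"); const KEY="sk_live_EXAMPLE0000"; '
                  'fetch("https://api.payments.example.test/charge", {headers:{"X-Api-Key": KEY}});'},
    {"url": "https://api.payments.example.test/charge",
     "req_headers": {"Authorization": "Basic " + base64.b64encode(b"merchant:hunter2").decode()},
     "req_body": "", "resp_body": "{}"},
    {"url": "http://app.example.test/dashboard",
     "req_headers": {"Cookie": "session=abc123"}, "req_body": "",
     "resp_body": '<a href="/reports">Reports</a><!-- TODO remove /debug/console before launch -->'},
]

# Credential-looking form fields in a request body.
SECRET_IN_BODY = re.compile(r"(?i)\b(password|passwd|api[_-]?key|token|secret)=([^&\s]+)")
# Key/token literals shipped to the browser in served content (e.g. bundled JS).
SECRET_LITERAL = re.compile(r'(?i)\b(?:api[_-]?key|key|token|secret)\s*[:=]\s*"([^"]+)"')
# Relative paths referenced by HTML attributes, fetch() calls, or stray debug comments.
PATH_REF = re.compile(r'(?:href|src)="(/[^"]*)"|fetch\("(/[^"]*)"|(/debug/[\w/]+)')
ABS_URL = re.compile(r"https?://[\w.-]+")


def inspect_capture(capture, primary_host=PRIMARY_HOST):
    """Return clear-text secrets, integrations and unvisited paths from a capture."""
    visited, candidates = set(), set()
    out = {"cleartext_secrets": [], "basic_auth": [], "embedded_secrets": [],
           "integrations": set(), "unvisited_paths": []}
    for entry in capture:
        u = urlparse(entry["url"])
        visited.add((u.hostname, u.path))
        if u.hostname != primary_host:
            out["integrations"].add(u.hostname)
        hdrs = entry["req_headers"]
        # 1. Anything sensitive sent over plain HTTP is a clear-text secret.
        if u.scheme == "http":
            if "Authorization" in hdrs:
                out["cleartext_secrets"].append((u.path, "Authorization header"))
            if "Cookie" in hdrs:
                out["cleartext_secrets"].append((u.path, "session cookie"))
            for name, _ in SECRET_IN_BODY.findall(entry["req_body"]):
                out["cleartext_secrets"].append((u.path, f"{name.lower()} in request body"))
        # 2. Basic auth is base64, not encryption: record the host and user only.
        auth = hdrs.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user = base64.b64decode(auth[6:]).split(b":", 1)[0].decode()
                out["basic_auth"].append((u.hostname, user))
            except Exception:
                out["basic_auth"].append((u.hostname, "<undecodable>"))
        # 3. Keys embedded in served content; report a prefix, never the full value.
        for val in SECRET_LITERAL.findall(entry["resp_body"]):
            out["embedded_secrets"].append((u.path, val[:8] + "..."))
        # 4. Third-party hosts referenced by responses are integration points.
        for abs_url in ABS_URL.findall(entry["resp_body"]):
            host = urlparse(abs_url).hostname
            if host and host != primary_host:
                out["integrations"].add(host)
        # 5. Paths referenced but never requested are spider seeds.
        for groups in PATH_REF.findall(entry["resp_body"]):
            candidates.add((u.hostname, next(g for g in groups if g)))
    out["integrations"] = sorted(out["integrations"])
    out["unvisited_paths"] = sorted(f"{h}{p}" for h, p in candidates if (h, p) not in visited)
    return out


if __name__ == "__main__":
    for key, value in inspect_capture(CAPTURE).items():
        print(key, value)
```

The point of step 5 is that the walk-through alone misses `/api/v1/admin/export` and the `/debug/console` left in an HTML comment; feeding those into the spider is what turns "we clicked around" into coverage. Regex matching on captured text is a triage aid only: it finds what a consultant should look at, and a reviewer still confirms each hit by hand.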
We even provide proof-of-concept attacks for key vulnerabilities to demonstrate the risk associated with the weaknesses and to help provide management with additional context for prioritization and remediation.
Learn how we've helped our valued clients improve their security posture and mitigate risk through web app vulnerability assessments.
We discovered a SQL injection vulnerability that would have allowed hackers to dump an organization's customer data, take control of the server, and pivot throughout the internal network.
We found a flaw in the user provisioning of a social media site that allowed any user to acquire administrative rights over the site and all customer personal information. We worked with the organization to fix the code before the vulnerability made it to the live site.
We discovered a zero-day remote code execution in a popular insurance industry platform that would have allowed hackers to take control of the server and access all sensitive data processed in the system. We responsibly disclosed the vulnerability to the vendor so a fix could be provided to all customers.
We exploited a weakness in a nationwide lighting control system that allowed us to remotely operate parking lot and street lights over an unauthenticated Internet connection.
We abused a server misconfiguration to obtain all API keys for an application, including integration with external payment systems. Using this information, a hacker could have obtained free products or initiated refunds for products they never purchased!
Our consultants know how to attack your web apps to exploit even the most difficult to find bugs. Our web app testers also have development experience which makes them excel at thinking like a developer to predict where flaws are most likely to be found. We've developed a rigorous methodology and created a powerful web application interception lab that allows us to inspect and modify every packet that's transmitted between the client and server.
Contact us to discuss your web app security project today. We'd welcome the opportunity to help you achieve your information security goals.
Check out our blog to get the latest infosec how-to articles, best practices and strategies written by our offensive security experts. Cyber crime isn't going anywhere, so stay informed and on top of it!
Are you wondering how to get started with embedded device security testing and what tools are needed for hardware hacking? Whether you are trying to reverse engineer and hack an embedded system or are looking to make modifications to an IoT device, part one of our Hardware Hacking Lab series will introduce you to some of the physical tools we rely on most to perform our smart device security assessments. Look for additional posts later that will walk through the hardware and software tools needed to get started.
The recent wave of WannaCry ransomware attacks has shed a lot of public light on the Windows SMB remote code execution vulnerability patched by MS17-010 and has fortunately resulted in organizations applying the security update to prevent further infections. While much of the focus has been on patching desktops and servers, it’s easy for many organizations to continue to neglect devices running the Windows Embedded 7 OS.
The level of knowledge sharing that takes place within infosec is amazing! Many security researchers take time to publish their scripts, tips, successes, and failures on Twitter for all to see, so as a security professional, it’s important to learn how to effectively use Twitter to hone your craft.
Red teamers can learn new tactics, techniques, and procedures (TTPs) by following other red teamers. Blue teamers can learn new detections or preventative controls published by other blue teamers.
You might not know how at-risk your security posture is until somebody breaks in, and the consequences of a break-in could be big. Don't let small fractures in your security protocols lead to a breach. We'll act like a hacker and confirm where you're most vulnerable. As your adversarial allies, we'll work with you to proactively protect your assets. Schedule a consultation with our Principal Security Consultant to discuss your project goals today.
© 2020 FRACTURE LABS, LLC ALL RIGHTS RESERVED