Our services
Penetration Testing
MobiWorks will simulate a real-world attack on your networks, applications, devices, and employees to demonstrate the security level of your high-profile systems. Knowing your vulnerabilities, and the ways in which attackers could exploit them, is one of the greatest insights you can get to improve your security program.
A web application penetration test is an in-depth penetration test on both the unauthenticated and authenticated portions of your website. The engineer will test for all of the OWASP Top-10 critical security flaws, as well as a variety of other potential vulnerabilities based on security best practice. Activities include:
- Website mapping techniques such as spidering
- Directory enumeration
- Automated and manual tests for injection flaws on all input fields
- Directory traversal testing
- Malicious file upload and remote code execution
- Password attacks and testing for vulnerabilities in the authentication mechanisms
- Session attacks, including hijacking, fixation, and spoofing attempts
- Other tests depending on specific site content and languages
- Method and parameter fuzzing
- Injection attacks, such as SQLi, XSS, XPath, Command
- Authentication bypass and privilege escalation attempts
- Authorization testing to assess the security of data in multi-tenant configurations including:
- Direct object references
- Client or user impersonation
- Authorization bypass
- Information Leakage between clients
- Analyzing headers and error messages for information disclosure
- Identification of unnecessary information returned or data leakage
- Analysis of server-level transport encryption for security best practice
An external penetration test emulates an attacker trying to break into your network from the outside. The goal of the engineer performing this assessment is to breach the perimeter and prove they have internal network access. This test includes:
- Open source reconnaissance against the organization
- Full port scan covering all TCP ports and the top 1,000 UDP ports of the targets in scope
- Full vulnerability scan of the targets
- Manual and automated exploit attempts
- Password attacks
An internal penetration test emulates an attacker on the inside of your network. This could be either an attacker who is successful in breaching the perimeter through another method or a malicious insider. The goal of the engineer in this module is to gain root and/or domain administrator level access on the network, and gain access to sensitive files. Activities include:
- Active and Passive network reconnaissance including traffic sniffing, port scanning, LDAP enumeration, SMB enumeration, etc.
- Vulnerability scan on all in-scope targets
- Spoofing attacks such as ARP cache poisoning, LLMNR/NBNS spoofing, etc.
- Manual and automated exploit attempts
- Shared resource enumeration
- Password attacks
- Pivoting attacks
A mobile application penetration test assesses the security posture of a mobile application to ensure that sensitive user data is protected, and that the application does not pose a risk to the organization or its users. The engineer will perform testing that is aligned with the OWASP Mobile Application Security Testing Guide (MASTG) to provide a comprehensive list of the vulnerabilities identified, document the exploitation performed, and offer guidance on how to mitigate these risks.
Our Mobile Application Penetration Testing includes testing of the following:
- Tampering & Reverse Engineering (Static Analysis, Dynamic Analysis, Binary Analysis)
- Network Communications (Certificate Pinning, Endpoint Identity Verification, TLS Settings)
- Platform APIs (Application Permissions, Sensitive Functionality Exposure, Custom URL Schemes, Native Method Exposure)
- Data Storage (Sensitive Data Leakage)
- Cryptography (Key Management, Verifying Cryptographic Standard Algorithms)
- Code Quality & Build Settings (Code Signing, Third-Party Library Weaknesses, Debugging, Memory Corruption, Exception Handling/Verbose Errors)
- Anti-Reversing Detection (Jailbreak/Root Detection, Obfuscation, Emulator Detection, Device Binding, Anti-Debugging)
- User Interface Testing (Authentication Bypass/Session Hijacking)
Vulnerability Management
Vulnerability assessments are used to identify, quantify, and analyze security vulnerabilities in the IT infrastructure and applications. MobiWorks uses reliable tools in conjunction with manual validation techniques to scan vulnerabilities and provide accurate, in-depth reports detailing the issues and providing steps to remediation. Vulnerability assessments can be performed on web applications, as well as internal or external-facing networks.
When conducting vulnerability assessments, we organize the detected security weaknesses into groups according to their type, severity level, etc. following the classifications below, if applicable:
- Web Application Security Consortium (WASC) Threat Classification
- Open Web Application Security Project (OWASP) Testing Guide
- OWASP Top 10 Application Security Risks
- OWASP Top 10 Mobile Risks
- Common Weakness Enumeration (CWE)
- Common Vulnerability Scoring System (CVSS)
Classifying vulnerabilities allows our team to prioritize the findings according to their likelihood of exploitation and impact, bringing attention to the most critical weaknesses that need to be addressed to avoid financial and security risks.
Strategic Consulting
Some organizations may be looking to identify vulnerabilities or opportunities for improvement within their applied configurations for network devices, security-related devices, or host operating systems.
MobiWorks can assist with reviewing/writing your organizational security policies, security awareness training, security program’s maturity roadmap, or other governance material. This approach can be tailored to specific needs, such as Application Security (AppSec), Internet of Things (IoT) or cloud environments.
Don’t see what you are looking for here? Do you have a cybersecurity challenge we can help you address with a custom consulting engagement? Please contact us and one of our security professionals will connect with you to learn more.