Free Evaluation
We Evaluate
You Get Report
Secure Together
Within 72 hours
Assess the security of your technology by having us as your partner on your journey to success. All evaluations are performed by our dedicated professionals; no robots or automated tools are involved at any point in the process. We will be in touch with you throughout and will guide you in further strengthening your technology!
This one is on us.
Nick Macario
Founder of Remote.com & Outsource.com
CEO of Dock.io
We endured extreme conditions with many attacks from different angles but Sentry did an excellent job of protecting us and our community. I couldn’t speak more highly of Sentry and their team.
This free evaluation includes all checks for the security controls highlighted in the list below. If you require additional checks, please do not hesitate to contact us.
Information Gathering
INFO-001 Search Engine Discovery and Reconnaissance for Information Leakage
INFO-002 Fingerprint Web Server
INFO-003 Review Web server Metafiles for Information Leakage
INFO-004 Enumerate Applications on Web Server
INFO-005 Review Web page Comments and Metadata for Information Leakage
INFO-006 Identify application entry points
INFO-007 Map execution paths through application
INFO-009 Fingerprint Web Application
INFO-010 Map Application Architecture
Configuration and Deployment Management Testing
CONFIG-001 Test Network/Infrastructure Configuration
CONFIG-002 Test Application Platform Configuration
CONFIG-003 Test File Extensions Handling for Sensitive Information
CONFIG-004 Backup and Unreferenced Files for Sensitive Information
CONFIG-005 Enumerate Infrastructure and Application Admin Interfaces
CONFIG-006 Test HTTP Methods
CONFIG-007 Test HTTP Strict Transport Security
CONFIG-008 Test RIA cross-domain policy
Identity Management Testing
IDENT-001 Test Role Definitions
IDENT-002 Test User Registration Process
IDENT-003 Test Account Provisioning Process
IDENT-004 Testing for Account Enumeration and Guessable User Account
IDENT-005 Testing for Weak or unenforced username policy
IDENT-006 Test Permissions of Guest/Training Accounts
IDENT-007 Test Account Suspension/Resumption Process
Error Handling
ERR-001 Analysis of Error Codes
ERR-002 Analysis of Stack Traces
The report will detail all of the identified vulnerabilities and their risk levels according to international standards, weighed against the context of your company. Along with information on each vulnerability, how it was exploited, and recommendations on how it can be mitigated, the report may also contain additional information about particular techniques or exploits to elaborate on the threat surface and the potential damage they may cause.
Cryptography
CRYPST-001 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
CRYPST-002 Testing for Padding Oracle
CRYPST-003 Testing for Sensitive information sent via unencrypted channels
Session Management Testing
SESS-001 Testing for Bypassing Session Management Schema
SESS-002 Testing for Cookies attributes
SESS-003 Testing for Session Fixation
SESS-004 Testing for Exposed Session Variables
SESS-005 Testing for Cross-Site Request Forgery
SESS-006 Testing for logout functionality
SESS-007 Test Session Timeout
SESS-008 Testing for Session puzzling
Authentication Testing
AUTHN-001 Testing for Credentials Transported over an Encrypted Channel
AUTHN-002 Testing for default credentials
AUTHN-003 Testing for Weak lockout mechanism
AUTHN-004 Testing for bypassing authentication schema
AUTHN-005 Test remember password functionality
AUTHN-006 Testing for Browser cache weakness
AUTHN-007 Testing for Weak password policy
AUTHN-008 Testing for Weak security question/answer
AUTHN-009 Testing for weak password change or reset functionalities
AUTHN-010 Testing for Weaker authentication in alternative channel
Authorization Testing
AUTHZ-001 Testing Directory traversal/file include
AUTHZ-002 Testing for bypassing authorization schema
AUTHZ-003 Testing for Privilege Escalation
AUTHZ-004 Testing for Insecure Direct Object References
Business Logic Testing
BUSLOGIC-001 Test Business Logic Data Validation
BUSLOGIC-002 Test Ability to Forge Requests
BUSLOGIC-003 Test Integrity Checks
BUSLOGIC-004 Test for Process Timing
BUSLOGIC-005 Test Number of Times a Function Can be Used Limits
BUSLOGIC-006 Testing for the Circumvention of WorkFlows
BUSLOGIC-007 Test Defenses Against Application Mis-use
BUSLOGIC-008 Test Upload of Unexpected File Types
BUSLOGIC-009 Test Upload of Malicious Files
Data Validation Testing
INPVAL-001 Testing for Reflected Cross-Site Scripting
INPVAL-002 Testing for Stored Cross-Site Scripting
INPVAL-003 Testing for HTTP Verb Tampering
INPVAL-004 Testing for HTTP Parameter pollution
INPVAL-005 Testing for SQL Injection:
    Oracle Testing
    MySQL Testing
    SQL Server Testing
    PostgreSQL Testing
    MS Access Testing
INPVAL-006 Testing for NoSQL injection
INPVAL-007 Testing for LDAP Injection
INPVAL-008 Testing for ORM Injection
INPVAL-009 Testing for XML Injection
INPVAL-010 Testing for SSI Injection
INPVAL-011 Testing for XPath Injection
INPVAL-012 Testing for IMAP/SMTP Injection
INPVAL-013 Testing for Command Injection
INPVAL-014 Testing for Buffer overflow:
    Testing for Heap overflow
    Testing for Stack overflow
    Testing for Format string
INPVAL-015 Testing for incubated vulnerabilities
INPVAL-016 Testing for HTTP Splitting/Smuggling
Client Side Testing
CLIENT-001 Testing for DOM based Cross Site Scripting
CLIENT-002 Testing for JavaScript Execution
CLIENT-003 Testing for HTML Injection
CLIENT-004 Testing for Client-Side URL Redirect
CLIENT-005 Testing for CSS Injection
CLIENT-006 Testing for Client-Side Resource Manipulation
CLIENT-007 Test Cross-Origin Resource Sharing
CLIENT-008 Testing for Cross Site Flashing
CLIENT-009 Testing for Clickjacking
CLIENT-010 Testing WebSockets
CLIENT-012 Test Local Storage
After the assessment is completed, a report will be delivered containing a number of entries detailing the findings along with recommendations. These entries will include the vectors of attack which enable the organization to assess their security on multiple levels and take it a step beyond the independent assessment of technology.
Your technology will be more secure than it was before this free evaluation.
During the evaluation, vulnerabilities are identified in information systems which could pose tangible or intangible threats to the business or organization. Sentry examines each identified vulnerability to determine whether it could be exploited by an attacker to compromise the targeted systems, gain access to sensitive information, incapacitate IT systems, or cause any other harm that may result from various types of cyber attack.
The company is heavily focused on security research and offensive innovation, so that the evaluation uses the same techniques and methodologies employed by advanced threats in the wild. All of the tests are performed in accordance with OWASP guidelines and executed with its PTE Standard.
After the tests are completed, the delivered report will contain a number of entries describing how the application or organization was compromised. These entries will include the attack vectors used, which enable the organization to assess its security on multiple levels and go a step beyond an independent assessment of the technology alone.
The report classifies vulnerabilities in a five-step hierarchy:

Critical Vulnerabilities – these vulnerabilities allow an attacker to fully compromise the confidentiality, integrity, and accessibility of information. An attacker is able to gain full control over a system or completely cripple critical business activities. Examples of critical vulnerabilities include unauthorized code execution, SQL injection, buffer overflows, etc.

High-Risk Vulnerabilities – these vulnerabilities have a significant impact on the confidentiality, integrity, and accessibility of your information, but usually do not allow for a full compromise or control of an organization. Some examples include denial of service on specific resources, cross-site scripting, path traversal, and insecure direct object references.

Medium-Risk Vulnerabilities – these are similar to high-risk vulnerabilities in that they allow for the unauthorized use of specific resources or systems, but they do not have a high impact on confidentiality, integrity, or accessibility. Some examples include weaknesses in SSL/TLS protocols, weak hashing algorithms, etc.

Low-Risk Vulnerabilities – these include weaknesses which give relevant information to an attacker in order to further compromise a system. Some examples of this may be information leakage on critical applications, full path disclosure, insecure elements, etc.

Informational Vulnerabilities – these are usually missing best practices or smaller information leaks which may help an attacker further compromise a system. Some examples of these vulnerabilities include verbose or default error pages, insecure cookies, information leaks on technologies used, and so on.
+383 (0) 49 686 668