What is VAPT

Vulnerability and Penetration Testing (VAPT) Explained

An overview of VAPT: understand the benefits and how it could improve your organisation's security posture.

What is Vulnerability & Penetration Testing (VAPT)?

Vulnerability Assessment and Penetration Testing (VAPT) leverages the combined use of automated tools and manual penetration testing to identify and exploit vulnerabilities within a target environment. VAPT is typically performed by a third-party penetration testing company. The process normally starts with vulnerability scanning to make the best use of the time available; manual penetration testing is then used against the identified vulnerabilities to verify that the results are not false positives, and potentially to perform privilege escalation or lateral movement.

The Benefits of Performing VAPT

Vulnerability Assessment and Penetration Testing (VAPT) provides more comprehensive coverage of the enterprise's target environment: including automated vulnerability scanning within the security assessment process helps ensure more time is spent working on the output of the vulnerability assessment. Outsourcing the VAPT part of a security assessment allows your organisation to focus on remediation and mitigation based on the final VAPT report.

How Aptive Use VAPT to Meet Compliance Requirements

Clients often undertake penetration tests as part of a compliance requirement or recommendation for standards such as PCI DSS or ISO 27001. Aptive leverage the best in industry automated tools to reduce manual assessment time, providing a more cost-effective service with optimal environment coverage.

VAPT FAQ

What is VAPT?

Vulnerability Assessment and Penetration Testing (VAPT) leverages the combined use of automated vulnerability scanning tools and manual penetration testing to identify and exploit vulnerabilities within a target environment. For more information about manual security assessments, see our what is pentesting resource.

Why is VAPT Important?

VAPT will help your organisation identify security vulnerabilities or misconfigurations that could potentially lead to breaches or other cyber attacks.

What is the Scope of VAPT?

Vulnerability Assessment and Penetration Testing (VAPT) consists of both a vulnerability assessment and a penetration test. Typically the vulnerability assessment is performed first, and manual testing is then used to verify that each vulnerability exists.


What is Directory Traversal

Directory Traversal Attack

An overview of the directory traversal attack, also known as a path traversal attack, commonly found in web applications, mobile apps and APIs.

What is a Directory Traversal Attack?

A directory traversal attack (path traversal) is a web vulnerability that allows an attacker to gain access to files on your web application that they were not intended to access. The attack is performed by manipulating the path value to escape the current directory and return files that exist outside the webroot.

How are Directory Traversal Vulnerabilities Exploited?

When the web server receives such a request, it appends the relative path supplied by the user, ../../etc/hosts, to the directory containing the web pages, /var/www/, giving the full path /var/www/html/../../../etc/hosts. In Unix-like systems, each ../ traverses one directory back within the file system, so the malicious user gains access to the /etc/hosts file. The malicious user can use the attack to obtain sensitive information such as database credentials, passwords or other secrets. The vulnerability could also be used to perform further system enumeration and gather enough information to combine multiple attack vectors, such as LFI or RFI.

How to Mitigate Path Traversal Vulnerabilities

Ensure the web application and the underlying web server are configured securely and at the current patch level. Implement input whitelisting: preventing dangerous characters from being entered by the user and accepted as input by the web application helps stop a user entering ../ and other special characters used to attempt to traverse the file system. Ensure the web application sanitises the file path before accepting any user-supplied input.

Directory Traversal Attack FAQ

What is a Directory Traversal Attack?

A directory traversal attack (path traversal) is a web vulnerability that allows an attacker to gain access to files on your web application outside of the webroot.

Potential Risks of a Directory Traversal Attack?

If successfully exploited, a path traversal vulnerability could allow a potential attacker access to sensitive information, enabling enumeration that could lead to additional vulnerabilities being discovered and/or server compromise.

How To Identify a Directory Traversal Attack?

Typical weak areas within web applications are file upload functions and other functionality that parses directory paths. Aptive's website security audit service helps to identify and exploit path traversal vulnerabilities, allowing your organisation to stay one step ahead of potential attackers.
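As an added example (not part of this resource or any Aptive tooling), the Python below puts the unchecked path join described above next to a containment check of the kind the mitigation section calls for. The web root /var/www/html and the function names are assumptions; the check is lexical, so it shows why decoding before validation and a common-prefix test matter.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # assumed document root for this example


def naive_path(user_path: str) -> str:
    """Vulnerable: joins the user-supplied relative path onto the web
    root with no validation, the behaviour described in the text."""
    return posixpath.join(WEBROOT, user_path)


def where_naive_lands(user_path: str) -> str:
    """Normalise the unchecked join to show which file the operating
    system would actually open once each ../ is applied."""
    return posixpath.normpath(naive_path(user_path))


def safe_path(user_path: str, root: str = WEBROOT):
    """Hardened: URL-decode, normalise, then confirm the result is still
    inside root. Returns the normalised path or None if the request
    would escape the document root. posixpath is used so the check is
    host-independent; it does not follow symlinks, so a deployment
    should additionally compare os.path.realpath() of an existing root
    and candidate."""
    # Decode once so %2e%2e%2f cannot slip past a character whitelist.
    decoded = unquote(user_path)
    # Absolute components make posixpath.join discard root; NUL bytes
    # truncate C strings in the underlying open() call.
    if not decoded or decoded.startswith("/") or "\x00" in decoded:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # commonpath tests containment component-wise; a plain startswith()
    # would wrongly accept /var/www/html_backup for root /var/www/html.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("images/logo.png", "../../../etc/hosts", "%2e%2e/%2e%2e/etc/hosts"):
        print(f"{req!r}: naive -> {where_naive_lands(req)}, safe -> {safe_path(req)}")
```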
