• Skip to primary navigation
  • Skip to main content
  • Skip to footer
ControlCase No Tag LOGO md

ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

  • Company
    • About Us
    • Careers
    • Locations
    • Team
  • Industries
    • Business Process Outsourcing
    • Cloud Service Providers
    • Retail
    • Telecom | Entertainment
  • Certifications
    • PCI DSS Certification
    • CSA STAR Certification
    • GDPR Assessment
    • HIPAA Assessment
    • HITRUST Certification
    • ISO 27001 Certification
    • FedRAMP 3PAO Services and NIST 800-53
    • CMMC Compliance: NIST 800-171
    • MARS-E Assessment
    • P2PE Certification
    • PA DSS Certification
    • SOC2 Report
  • Solutions
    • Continuous Compliance Solution
    • One Audit
    • Card Data Discovery Software
    • Data Security Rating
  • Testing
    • Application Reviews
    • Application Security Training
    • Code Reviews
    • Card Data Discovery
    • External Vulnerability Scans
    • Firewall Security Reviews
    • Internal Vulnerability Scans
    • Log Monitoring
    • Penetration Testing
  • Resources
    • Events
    • News
    • Webinars
    • Courses
    • Newsletters
    • Blog
  • Contact Us

Penetration Testing

Request DatasheetRequest QuoteRequest Demo
You are here: Home / Services / Penetration Testing

Application and Network Level Penetration Testing

ControlCase offers application and network level penetration testing performed through the best tools and verified manually by security experts. This process reduces the number of false positives in the findings. We automate this process and can provide continuous and periodic (monthly, quarterly, annual) scans.

The findings are automatically available on a centralized IT GRC portal for tracking compliance at any time.

External Penetration testing (Network Layer)

ControlCase conducts network scan for clients at a predefined interval. Once appropriate IP addresses are captured, the system will be set up to perform scans every quarter upon verification that the same internet IP addresses are used.

ControlCase will further attempt to exploit any vulnerability found by the network scan to eliminate any false positives. This would be performed after any known vulnerabilities are mitigated.

External Penetration testing (Application Layer)

ControlCase assesses the application for known application vulnerabilities. Assessment techniques include:

  • Parameter Tampering – Query strings, POST parameters, and hidden fields are modified in an attempt to gain unauthorized access to data or functionality.
  • Cookie Poisoning – Data sent in cookies is modified to test application response to receiving unexpected cookie values
  • Session hijacking – ControlCase attempts to take over a session established by another user to assume the privileges of that user.
  • User privilege escalation – ControlCase attempts to gain unauthorized access to administrator or other users’ privileges.
  • Credential manipulation – ControlCase modifies identification and authorization credentials in an attempt to gain unauthorized access to other users’ privileges.
  • Forceful Browsing – Misconfigured web servers will send any file to a user, as long as the user knows the file name and the file is not protected. Therefore, a hacker may exploit this security hole, and “jump” directly to pages.
  • Backdoors and Debug Options – Many applications contain code left by developers for debugging purposes. Debugging code typically runs with a higher level of access, making it a target for potential exploitation. Application developers may leave backdoors in their code. These backdoors, if discovered, could potentially allow an intruder to gain additional level of access.
  • Configuration Subversion – Misconfiguring web servers and application servers is a very common mistake. The most common misconfiguration is one that permits directory browsing. Hackers can utilize this feature in order to browse the application’s directories (such as cgi-bin/) by simply typing in the directory name.
  • Input validation bypass – Client side validation routines and bounds-checking are removed to ensure controls are implemented on the server.
  • SQL injection – Specially crafted SQL commands are submitted in input fields to validate input type controls.
  • Cross-site scripting – Active content is submitted to the application in an attempt to cause a user’s web browser to execute unauthorized code. This test is meant to validate user input type controls. ControlCase employs the use of automated and manual application testing tools and techniques. Automated tools identify vulnerabilities based on signatures or common vulnerabilities that are easy to identify such as cross-site scripting and SQL injection. However ControlCase recognizes that all applications are different and thorough testing requires a skilled and experienced approach. ControlCase manually explores, examines, and testes the application to identify those vulnerabilities that cannot be easily detected by automated tools.
  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

Footer

Connect

Corporate Headquarters
12015 Lee Jackson Memorial Hwy, Suite 520, Fairfax, VA 22033

Send us a message

Call Us

About Us

ControlCase is a United States based company, headquartered in Fairfax, Virginia with locations in North America, Europe, Latin America, Asia/Pacific and the Middle East to serve our clients globally.

Quick Links

  • Company
  • Team
  • Careers
  • Locations
  • Covid-19 Notice

Certifications, Assessments and Reports

  • PCI DSS Certification
  • CSA STAR Certification
  • GDPR Assessment
  • HIPAA Assessment
  • HITRUST Certification
  • ISO 27001 Certification
  • FedRAMP and 3PAO Services
  • MARS-E Assessment
  • P2PE Certification
  • PA DSS Certification
  • SOC2 Report

© ControlCase LLC 2023 | Privacy Policy | Impartiality Statement | Legal Notices