SoftPos #4

open

METHODOLOGY

Added by Redmine Admin 6 months ago. Updated 6 months ago.

Status: New
Priority: High
Category: Re Test
Start date: 12/18/2024
Due date:
% Done: 0%
Estimated time:

Description

PHASE 01: PLANNING
During planning we:
01.1 Gather information about the application and business rules
01.2 Research the technology and infrastructure in place
01.3 Agree on the testing environment and infrastructure
01.4 Agree on the testing scope and limitations
01.5 Agree on the required testing accounts and data

PHASE 03: REPORTING
For each threat discovered we:
• Gather evidence
• Write a detailed description of the issue
• Write a reproducible attack scenario (if applicable)
• Calculate the risk rating and explain the reasoning behind it
• Write customized recommendations while considering limitations

02.1 Mapping
• Assess which part of the application maps to which business rule
• Discover further rules / functions by navigating the application
• Inspect for application parameters that may lead to attack entry points
• Gather information about the app from public sources
• Review accessible code

02.2 Discovery
Our team checks for a wide variety of attacks including:
• Authentication flaws and injection attacks
• Attacks that violate business rules
• Attacks that violate privacy and confidentiality rules
• Attacks that break the intended functionality of the application
• Technology based attacks
We also refer to the OWASP, SANS and MITRE testing guidelines for the latest attack varieties and checklists.

02.3 Exploitation
During exploitation we utilize the information gathered in Planning and attempt to exploit the vulnerabilities and produce proof of concept.

Actions #1

Updated by Redmine Admin 6 months ago

  • Assignee set to LIQUID/hosam gemei
Actions #2

Updated by Redmine Admin 6 months ago

  • Category set to Re Test
Actions #3

Updated by Redmine Admin 6 months ago

  • Assignee changed from LIQUID/hosam gemei to SBS/Mohamed Atroush