Group Services Code
HyperSec has nurtured what is now known
as the HyperSec Review Methodology over its many years of experience
operating in the field of IT security. The program continues to
guide highly efficient security analyses as it evolves to reflect
the rapidly changing environment in which we work. To ensure the
homogeneity of high standards across all assessments, the HyperSec
Review Methodology is embraced organization-wide.
The methodology specifies a structure for each assessment and
details objectives, approaches and tasks on a number of levels.
APPLICATION REVIEW (CODE-AUDIT).
There are many kinds of network-aware applications. The most common
type we encounter is backed by database server, and has a login
facility to validate a user who can proceed to manipulate data
through a web-based interface. Complex applications involve numerous
systems and interaction with remote servers. They may support many
concurrent user sessions. Application review is an investigation
into all aspects of the applicationís operation. We use techniques
and tools in an attempt to subvert the application into behavior
that is erroneous or insecure.
We find that applications available over the Internet frequently
harbor vulnerabilities and provide a hole through the firewall. It
is easy to make logical, design or implementation errors when
developing applications, and the more complex an application, the
greater the chance that such vulnerabilities will creep in.
Typically, the vulnerabilities that we discover provide an intruder
with the opportunity to manipulate data, crash the application or to
compromise the server.
HyperSec distinguishes two approaches used for application review.
These are summarised in the table.
Validated User Review
Usually we work with two valid user accounts to see if it is
possible to view or manipulate the other userís data. We also
try to subvert the application such that we gain unauthorised
privileges and, ultimately, access to the underlying operating
Source Access Review
Source Access Review supplements Validated User Review with a
review of the programming source code of the application. We
will also discuss the code with its developers and study design
documentation. This is the most efficient method for discovering
vulnerabilities within applications.
TABLE 1: Application Security Review
The usual starting point is a blind review, where HyperSec have no
knowledge regarding the application prior to review. All aspects of
the applicationís operation are investigated, including:
Enumerating all pages within the application (including
guessing URLs not given);
Enumerating points of input;
Use of encryption;
Use and type of authentication (including the use of
Type and bounds checks on input (including
attempting buffer overflow);
Cookies (including manipulation and spoofing of
Points of possible internal transactions.
The first procedure is generally an attempt to
circumvent authentication controls. This may involve:
Brute force testing of user IDís and passwords;
Spoofing a cookie and changing certain parameters (if
the applicationís authentication procedure is based on cookies);
Guessing URLs, in order to verify that all pages are
Studying the source code of each web page in order
to obtain information that can be utilized during latter stages of
Trying to exploit buffer overflow vulnerabilities by
leveraging lack of input validation. This usually involves type and
bounds tests (i.e. supplying different data types and excessively
The second step consists of tests performed from a
valid test user account. This is to verify that users are permitted
control only over their own data and not that of other users.
Source Access Review could be said to be the final stage. An
analysis of the code focuses on the discovery of common programmatic
hazards as well as specific design or logic errors. Artifacts sought
include buffer overflow points, input validation errors, bad coding
practices, and the use of insecure products as part of the
application. With the source code at hand the application review
becomes more efficient.
If you want to know more about our penetration testing service,
please download the requisition form and send it to
Download our Code-Audit Requisition Form.