Penetration testing and security code audit

Pakurity has many years of experience delivering cyber-security services to its clients. Our staff includes experienced penetration testers, reverse engineers and DevSecOps specialists. Our main services are:

• Penetration testing;

• Information security governance;

• Incident response;

• Security operations;

• Training.

We are located in Ukraine but work for clients in the EU/US/MENA/APAC/CIS regions. We work with all clients, from small companies to big corporations. After discussing the project details we will send you an offer with a detailed description of the methodology, phases, results, and price of the project. Then we will send you a project form with calendar planning. We have solid experience in the following areas:

- WordPress, Joomla, Drupal and other CMS security

- iOS and Android mobile application security

- Windows / Linux desktop / thick client security

- Distributed ledger / blockchain / smart contract / ICO audits (in a few days we can review your smart contract and make it safe!)

- Enterprise (internal) network penetration testing, Active Directory / AD infrastructure audit

- GCP | AWS | Kubernetes | K8s | Docker security

- Security event management | SIEM implementation / false-positive tuning

- ModSecurity | WAF implementation

- Hacked | compromised site incident response and cleaning

- Industrial | SCADA security

- Azure | Defender ATP | Sentinel | Intune security

We also deliver a wide set of trainings:

- Secure software development (PHP | .Net | NodeJS | Java)

- IT audit

- IT security management

 
$1,000+

< $25 / hr

2 - 9

Founded 2014
Kyiv, Ukraine (headquarters)

Portfolio

WordPress website penetration testing

Pakurity conducted a WordPress site penetration test.

The customer requested a gray-box test of their WordPress-based business website. The test was performed on the staging site first and then on production, to reduce the risk of damaging production data or site availability. The project size was 5 man-days with a total duration of 10 calendar days (a few days were spent obtaining credentials from the site developers). The following bugs were identified:

* SQL injection in the custom theme written by the developer

* XSS in one of the WordPress extensions (which was out of date)

* Directory listing enabled in the web-server configuration

* A combination of a race condition and insufficient file extension validation in the CV upload section (in the career part of the web-site): it was possible to upload a PHP script as a CV and trigger its execution before the file was deleted after processing by the web-site business logic

The findings were reported to the customer, and two weeks later we verified the bug fixes (free of charge).

AWS infrastructure security audit

Pakurity conducted an AWS infrastructure security audit.

The project goal was to assess the information security level of the AWS infrastructure and its supporting practices. AWS Config Rules were used to audit the customer’s use of AWS resources for compliance with external frameworks such as the CIS AWS Foundations Benchmark and with security policies related to the US Health Insurance Portability and Accountability Act (HIPAA), the Federal Risk and Authorization Management Program (FedRAMP), and other regimes. The audit consisted of two parts: technical verification and interviews. During the project, 75 vulnerabilities were found in the AWS infrastructure, with detailed recommendations on how to mitigate them. The audit covered the following architecture layers:

* AWS services

* Kubernetes clusters and objects

* Docker images

* Terraform configs

Business continuity plan and disaster recovery (BCP/DR) creation

Pakurity conducted disaster recovery planning.

The goal of the project was to create detailed business continuity and disaster recovery plans for AWS infrastructure compromise scenarios. The BCP/DR was built on AWS best practices and the rich experience of the Pakurity team. As a result, the customer received BCP and DR plans ready for implementation. Each item of the plan included: preparation activities required to reduce the impact and probability of the threat event, incident eradication activities, forensics activities, and restoration and recovery actions. The following AWS services were in scope:

* The AWS accounts themselves

* Kubernetes clusters

* Route53

* Lambda functions

* CloudFront

* DynamoDB

Smart contract (ICO) security audit

Pakurity conducted an ICO smart contract security audit.

The project goal was to assess the security of the smart contract source code, which implemented a modified ERC20 token and an investor web dashboard. The Oraclize library was used by the contracts to interact with external services. The code review was performed using a combination of manual and automated tools and techniques to identify vulnerabilities within the target environment and exploit them. The contract code was deployed to a custom blockchain testnet and every step was emulated (the time parameters were modified to speed up each ICO stage). The testnet and deployment were arranged with a set of utilities: geth, truffle, ganache and mist. Multiple vulnerabilities were identified and reported to the customer:

* Wide permissions for the developer role, hardcoded in the contract

* A potential stale state of the contract, in which it could get stuck with no way to recover the money sent to the contract address

* Lack of input address length validation, which facilitated input-abuse attacks on the smart-contract web dashboard

* Cross-site scripting (XSS) in the investor web dashboard

OWASP ASVS Compliance Verification

Pakurity conducted an OWASP ASVS certification.

The goal of the project was to verify whether the customer’s web application is ASVS 4.0 compliant. The application was tested according to the level 2 recommendations of the ASVS 4.0 standard. The project consisted of two phases: a pentest and an interview. During the interview, the SDLC practices and system architecture were analyzed. During the pentest, the application was verified against the selected set of ASVS requirements. As a result, the customer received a detailed report which included:

* the ASVS 4.0 L2 requirements and their verification results (OK, Found, N/A),

* detailed recommendations on how to fix vulnerabilities to become ASVS compliant,

* an appendix with evidence of how each requirement was verified.

After fixing the identified weaknesses the customer received the ASVS compliance certificate.

Cloud infrastructure security audit

Pakurity conducted a cloud infrastructure security audit.

The project goal was to assess the security level of the customer’s cloud infrastructure. The penetration test was conducted in gray-box mode, which means the attacker is assumed to have limited access to the infrastructure. The governance practices were assessed against COBIT, ISO/IEC 20000, NIST CSF, and the CSA Cloud Controls Matrix. Some controls were also taken from ISO/IEC 27001 to give the customer the full picture of their infrastructure security. As a result, detailed pentest and governance audit reports along with recommendations were provided to the customer. After some time, a retest was conducted to verify that the HIGH-rated vulnerabilities and process weaknesses had been fixed. Some of them included:

* Public access to storage buckets with confidential data.

* Out-of-date software in Docker images.

* Owner rights on the cloud project for service accounts.

* Multiple admin rights in the development team (without MFA as well).

* Hardcoded passwords in Kubernetes objects.

* Hardcoded cloud API access keys in the source code.

* Firewall rules not applied to the NoSQL database, which had a public IP and a password-less interface.

Bank security audit

Pakurity conducted a security audit in a bank. The goal of the project was to verify whether a hacker can penetrate the internal bank network from the outside. The project was conducted in a black-box manner, so no access was provided by the customer. Our pentesters used the most current and modern techniques to penetrate the customer’s network. Some of the security issues found:

* A detailed error message in the internet banking application. This bug facilitated remote code execution via Spring Expression Language (EL) injection.

* Remote code execution due to an unpatched version of the Spring framework.

* Direct object reference to client account payment details (used to conduct a wire transfer). Though the payment details for a wire are public in nature, the enumeration made it possible to identify all bank clients.

* Know-your-customer (KYC) routine abuse. The client’s phone number was verified by SMS, but no brute-force protection was implemented, so it was possible to find the right SMS verification code and link a phone number to the customer account.

* Use of a weak TLS cipher suite, which was a violation of PCI-DSS requirements.

Internal network security testing

Pakurity delivered an internal network penetration test. The test goal was to identify how far a user with a standard Active Directory role can penetrate into the network. The project was conducted in a gray-box manner via a virtual machine plugged into a network port inside the customer’s facility. The virtual machine established a back-connect VPN to the pentesting team’s server. The audit identified multiple issues that led to data leakage and access to confidential data. Some of them include:

* ARP spoofing and traffic interception

* LLMNR spoofing and traffic interception

* Pass-the-hash attack (aided by ARP/LLMNR spoofing) and access to the customer’s SharePoint site

* Passwords saved in AD group policy

* Vulnerable services with default passwords

* Vulnerable iLO interfaces

As a result, the customer received a detailed report with recommendations. In addition, a retest was performed to make sure that all critical vulnerabilities were fixed.

PHP application source code audit

Pakurity conducted a PHP application source code audit. The goal of the project was to assess the security level of the application’s source code, which was based on the Laravel framework. The source code was checked by automated scanners, and false-positive findings were removed during manual verification. In addition, a thorough review was conducted of critical pieces of application logic, controllers, views and models. As a result, the customer received a detailed report with recommendations, and secure coding training was conducted for the development and QA teams. Some of the identified bugs were:

* Hardcoded passwords.

* SQL injection in Laravel raw database queries.

* XSS in views which displayed user data without proper escaping.

* Insufficient validation of OAuth2 requests, which allowed JWT theft.

REST API penetration testing

Pakurity conducted a REST API penetration test. The project goal was to find security vulnerabilities in the REST API of a web application. The customer’s RESTful web service served a Single Page Application (SPA) front-end and iOS/Android mobile applications. Traffic from the SPA/mobile front-ends was captured to recover the API endpoints and their parameters. A Swagger API doc was created and confirmed with the customer’s developers to ensure its completeness. The API doc was fed to web application scanners to automatically check every parameter. After the automated scanning, manual testing was conducted. As a result, the customer received a detailed report with recommendations on how to mitigate the vulnerabilities found. Some of them include:

* Cross-site scripting (XSS) in API error messages

* Unsafe deserialization

* XML external entity (XXE) injection leading to SSRF and arbitrary file read

* SQL injection

Log management system operations and security event monitoring

Pakurity delivered a log management system operation and security event monitoring service. The goal of the project was to configure the log management solution and conduct security event monitoring in the customer’s GCP/Kubernetes infrastructure. False positives were filtered out. Regular red team exercises were analyzed and detection rules were updated. The log management was based on the Graylog/Logstash/ELK technology stack. The following sources were connected with the aid of GCP Pub/Sub connectors:

* GCP project

* Kubernetes

* Falco container IDS

* Nginx ingress objects

* ModSecurity WAF

* Application logs

* Compute instance VMs

PCI/DSS internal penetration testing

Pakurity conducted a PCI DSS internal pentest. The project goal was to verify the Payment Card Industry Data Security Standard (PCI DSS) compliance of the customer’s internal network. The test was conducted in a gray-box manner. Due to the high security level, the pentester worked from a customer-provided computer with Kali Linux installed and restricted access to the Internet. The test included infrastructure testing, layer 2 network attacks, network segmentation testing and internal web application testing. The methodology followed the PCI Penetration Testing Guidance requirements. As a result, the customer received a detailed report with the findings and a specification of which PCI requirement each one violated. Some of the issues that were identified:

* The lack of an IPv6 firewall on the systems. While many of the servers had a host firewall with IPv4 rules, no IPv6 rules were implemented, yet IPv6 was enabled on the network interfaces. It was possible to reach a wide set of services over IPv6, including an NFS share with backups. The backups contained an SSH private key, which allowed penetration of one of the servers in the CDE.

* The JavaEE application did not have proper file type and file location filtering, which allowed uploading a JSP web shell and compromising the application server.

* The log server used to serve CDE machines stored logs in an Elastic instance, including commands invoked by the system administrators.

* The database passwords were recovered from those logs.
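The IPv4-only host firewall gap from the first PCI finding (IPv4 rules present, no IPv6 rules, IPv6 enabled on the interfaces) is easy to check for in a hardening review. The following is an added example, not Pakurity's own tooling: it parses the text of `nft list ruleset` and `ip -6 -o addr show` (both are constructed samples here) and flags a host that holds a global IPv6 address but has no IPv6-capable input chain with a default-drop policy.

```python
import re

# Constructed sample of `nft list ruleset`: the IPv4-only host firewall
# pattern found in the audit (family "ip" never sees IPv6 packets).
NFT_IPV4_ONLY = """
table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        tcp dport 22 accept
    }
}
"""

# Constructed sample of the fix: the same rules in the dual-stack "inet"
# family, so the drop policy applies to IPv4 and IPv6 alike.
NFT_DUAL_STACK = """
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        tcp dport 22 accept
    }
}
"""

# Constructed sample of `ip -6 -o addr show`: loopback, a link-local
# address and one global address (documentation prefix 2001:db8::/32).
IP6_ADDR = """\
1: lo    inet6 ::1/128 scope host
2: eth0  inet6 2001:db8:1::10/64 scope global
2: eth0  inet6 fe80::5054:ff:fe12:3456/64 scope link
"""

TABLE_RE = re.compile(r"^\s*table\s+(ip|ip6|inet)\s+(\S+)\s*\{", re.M)
CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{([^}]*)\}", re.S)


def global_ipv6_interfaces(ip6_addr_output):
    """Interfaces holding a global-scope IPv6 address, i.e. reachable off-link."""
    ifaces = set()
    for line in ip6_addr_output.splitlines():
        parts = line.split()
        # Format: "<idx>: <iface> inet6 <addr>/<plen> scope <scope> ..."
        if len(parts) >= 6 and parts[2] == "inet6" and parts[5] == "global":
            ifaces.add(parts[1])
    return ifaces


def ipv6_input_drop_chains(ruleset):
    """Input-hook chains that filter IPv6 (family ip6 or inet) and drop by default."""
    tables = list(TABLE_RE.finditer(ruleset))
    found = []
    for i, t in enumerate(tables):
        family, name = t.group(1), t.group(2)
        if family == "ip":  # IPv4-only table: irrelevant for IPv6 traffic
            continue
        # Slice this table's text: from its header to the next table header.
        end = tables[i + 1].start() if i + 1 < len(tables) else len(ruleset)
        for c in CHAIN_RE.finditer(ruleset[t.end():end]):
            body = c.group(2)
            if "hook input" in body and re.search(r"policy\s+drop", body):
                found.append(f"{family} {name} {c.group(1)}")
    return found


def ipv6_firewall_gap(ruleset, ip6_addr_output):
    """Gap = global IPv6 present but no default-drop IPv6 input chain.
    A 'policy accept' chain with explicit drop rules is not credited; review by hand."""
    ifaces = sorted(global_ipv6_interfaces(ip6_addr_output))
    chains = ipv6_input_drop_chains(ruleset)
    return {"ipv6_interfaces": ifaces, "ipv6_drop_chains": chains,
            "gap": bool(ifaces) and not chains}
```

Run it against the real outputs of the two commands on each host in scope; the ip6tables legacy equivalent is to check that `ip6tables -S INPUT` shows a DROP policy wherever `iptables -S INPUT` does.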

Incident response

Pakurity conducted incident response for its customer. The goal of the project was to manage activities after a security breach of the customer’s IT system, conduct forensic research to establish the details of the incident, clean the network of the hackers and assist in lessons-learned exercises to prevent further breaches. The initial response included isolation of compromised systems, log collection, and network traffic and netflow collection. External requests were made to the Internet service provider to obtain additional connectivity details for the customer’s systems. After forensic analysis and malware reverse engineering the customer got:

* A detailed timeline of the hackers’ activity

* A list of the hackers’ tools and other artifacts with descriptions of their functionality

* The vulnerabilities exploited by the hackers to initially compromise the system

* The hackers’ techniques (e.g. lateral movement)

* A detailed remediation plan

* Suggestions for BCP/DR improvements

Windows/Mac program security audit

Pakurity conducted a Windows/macOS software security audit. The project goal was to ensure the security of a complex application, which included Windows/macOS front-ends and an Azure-based back-end. The threat vectors included attacks on the client (e.g. whether the software introduces weaknesses into the client OS) and back-end security. Only access to the binaries and test accounts was provided. The following vulnerabilities were identified:

* Remote code execution on the client through an out-of-date library

* Weak filesystem/registry permissions on the client installation

* Hardcoded API keys for some back-end components in the client installation

* Denial of service on the back-end infrastructure through XML bombs

Mobile application security audit

The project goal was to assess the security level of the customer’s iOS/Android mobile applications according to the best security standards and recommendations. The OWASP Mobile Application Security Verification Standard (MASVS) was used as the basis, together with the OWASP Mobile Testing Guide. The first part of the audit was an interview with the developer to find issues in the SDLC and in the application code. The second stage included source code analysis and reproduction of the vulnerabilities found (with the aid of the Frida dynamic instrumentation framework, the jwt/gdb debuggers for Android and the lldb debugger for iOS). As a result, the customer received a detailed report with a checklist of MASVS requirements and their verification results (OK, Found, N/A) and detailed recommendations on how to fix them to become MASVS compliant. Some of the identified vulnerabilities included:

* Unsafe use of web-view components, which allowed universal XSS

* Logging of sensitive data (including API keys and credentials) to the system logs

* Lack of encryption of stored data

* Broadcast theft in the Android application, which allowed interception of sensitive data

* An unsafe URL handler in iOS which allowed an application crash

Reviews


Security Audit for Educational Software Company

“Their team is clear and always gives their rationale when marking recommendations.”

Quality: 5.0
Schedule: 5.0
Cost: 5.0
Willing to refer: 5.0

The Project
Less than $10,000
Dec. 2018 - Ongoing
Project summary: 

Pakurity assisted an education technology company with security audits, ensuring that the platform complied with international standards for security. They collaborated with the team to address site issues.

The Reviewer
1-10 Employees
Australia
Belinda Harries
Executive Director, Pivot Professional Learning
Verified
The Review
Feedback summary: 

Impressing the internal staff, the team consistently provides professional service while prioritizing quality and accuracy. Their proactivity and ability to meet tight deadlines added value to the effort. Their commitment and dedication promise a continued partnership.

A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.

BACKGROUND

Introduce your business and what you do there.

I’m the executive director and founder of an education technology software provider based in Australia. We work with Australian and international schools. 

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Pakurity?

We have contracts with state governments, so we needed a company to run a security audit that was in alignment with international standards that were prescribed by our clients.

SOLUTION

What was the scope of their involvement?

We gave them access to our platform, and they spent a few weeks running tests on our access and data storage. Then they identified any security holes they found in our system. That came in the form of a detailed written document that outlined all of the findings separately. It included mandatory fixes as well as recommended ones. After they ran the security audit, they worked with our development team to patch up security issues and provide accreditation to showcase that we identified the standards.  

What is the team composition?

I had one main point of contact, but all of their work was signed off by an executive. 

How did you come to work with Pakurity?

I found them on Upwork originally. After working with them for a while, we moved our collaborations off that platform. 

How much have you invested with them?

We’ve spent about $3,000 with them to date. 

What is the status of this engagement?

Every 18 months, we need to get accredited. This is the second time we’ve worked with them in this capacity. While their end of the work takes about a month, we’ve been engaged with them since December 2018. We plan on continuing to use their services in the future.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

They’re very professional, always providing us with a quality service and excellent communication.

How did Pakurity perform from a project management standpoint?

They were very proactive with their tasks and updated us regularly. Their team kept everything on track, so I recommend them without hesitation. Many of those who have taken my recommendations had similar positive experiences as well. 

What did you find most impressive about them?

Their general level of professionalism really stood out. Our past provider cost more but offered us less clarity in communication. Their team is clear and always gives their rationale when marking recommendations. 

Are there any areas they could improve?

I can’t think of anything.

Do you have any advice for potential customers?

I’d hire them; they offer good value for money and a quality job.

5.0 Overall Score
  • 5.0 Scheduling (on time / deadlines)
  • 5.0 Cost (value / within estimates)
  • 5.0 Quality (service & deliverables)
  • 5.0 NPS (willing to refer)

Penetration Testing for Information Security Firm

"Knowing that they have the experience to do the job gives us comfort that it is going to meet our requirements."

Quality: 5.0
Schedule: 5.0
Cost: 5.0
Willing to refer: 5.0

The Project
Less than $10,000
Jan. - Feb. 2019
Project summary: 

Pakurity was responsible for performing penetration testing to help a security firm meet their compliance obligations for third-party clients. They produced a post-testing report and provided onsite training.

The Reviewer
11-50 Employees
Malta
Trevor Axiak
Director, Kyte Global
Verified
The Review
Feedback summary: 

Pakurity delivered security procedures that met that client's expectations. The team generated a meticulous report that demonstrated their methodological approach. The end-client was pleased by their professionalism and scope of services, so the engagement was seamless and successful.

The client submitted this review online.

BACKGROUND

Please describe your company and your position there.

We are an information security and compliance company. We conduct IT audits, certifications under PCI DSS and ISO 27001 and provide consultancy on information security.

OPPORTUNITY / CHALLENGE

For what projects/services did your company hire Pakurity?

As part of compliance obligations our clients need to perform Secure coding training and Penetration testing. We hired Pakurity, specifically Glib Paharenko, to perform onsite training to our client as well as the penetration test and provide a report.

What were your goals for this project?

- Penetration test in accordance with PCI DSS requirement 11.2.
- Secure coding training to a team of developers.

SOLUTION

How did you select this vendor?

We have known Glib for some time and have used him for other projects in the past. We are aware of his knowledge and experience.

Describe the project in detail.

Training had to be delivered onsite to a client based in Malta. It was scheduled in 2 sessions for all developers and IT people within the company. Training was organised in a workshop format. The penetration test followed PCI DSS requirements and involved External testing, internal testing as well as application type of testing.

What was the team composition?

The project was delivered by Glib Paharenko himself.

RESULTS & FEEDBACK

Can you share any outcomes from the project that demonstrate progress or success?

We are qualified security assessors, so the project had to be acceptable to us based on PCI DSS requirements and standards. We were happy with the scope and methodology adopted. The report of the pentest was reviewed and showed professionalism. The training was considered a success by the client (end user).

How effective was the workflow between your team and theirs?

Once project scope was communicated, there was little communication required. No issues identified.

What did you find most impressive about this company?

Knowing that they have the experience to do the job gives us comfort that it is going to meet our requirements and to the standard required by PCI DSS.

Are there any areas for improvement?

At the time of the project the team was small but I think that issue has now been resolved.

5.0 Overall Score
  • 5.0 Scheduling (on time / deadlines)
  • 5.0 Cost (value / within estimates)
  • 5.0 Quality (service & deliverables)
  • 5.0 NPS (willing to refer)