Applications Audit

Companies commonly embed small applications (applets, CGIs, ActiveX controls, etc.) in their web sites to handle the data users submit (personal data, requests, online payments, access control, etc.). Other companies use their web sites to carry out a wide range of operations with their clients (financial web sites, online brokers, etc.), and this requires a complex application running on the web or application server to manage all of those operations.

Internet Security Auditors offers a service to analyze these applications specifically, in an independent and exhaustive manner.

Service Characteristics

The Corporate Applications audit process is planned, like any other computing project, in the following phases:

  • Functional Analysis: A general study of the application, acquiring a global view of the functionality it offers.
  • Technical Analysis: A deeper study of the modules that make up the application and of how they interact with each other (e.g. distributed objects spread across different servers), with emphasis on the inputs and outputs that are visible from the Internet.
  • Test design: Determination and design of the tests to be performed against this specific application.
  • Test planning: Phase in which the tests are prepared for execution (e.g. scripts that exploit buffer overflows in the CGIs that process input data).
  • Test execution: During this stage, as its name indicates, all the designed tests are run against the client's systems and every result is recorded; when flaws are found, the process returns to the design phase in order to attempt to exploit them.

Tests Scope

The methodology created by Internet Security Auditors allows an exhaustive review of the audited applications, covering the following aspects of security:

  • Input Validation: Injection of malicious code so that, when the web server serves the page, the web client executes that code (cross-site scripting); creation and alteration of SQL statements (SQL injection); execution of operating system commands; execution of commands or reading of information in directories that should not be accessible (directory traversal); and use of the null byte to alter the parameters of a URL.
  • URL Canonicalization: Attacks that exploit the way multi-byte characters are represented in Unicode or other encodings in order to conceal actions, and attacks that use the different URL encodings that web servers accept.
  • Parameter Manipulation: Attacks that modify the information exchanged between the client and the web application in HTTP headers, URL query strings, form fields and cookies.
  • Authentication and Session Management: Exhaustive search for logins and/or passwords; attacks based on forging credentials or bypassing them by exploiting dependencies between the components of these applications, or through direct attacks on those components.
  • Overflows: Attacks that achieve execution of malicious code through overflows in the heap or the stack of the process, or through malicious format strings.
  • Information Leaks: Source code analysis to locate comments left by programmers to help debugging or documentation; review for debug structures or information that was not removed; discovery of messages and error codes that reveal information about the applications, operating systems, databases, etc.; search for files or applications that could be exploitable or useful in an attack; and private information stored in the web browser's cache and history.
  • Cryptography: Attacks that exploit the use of weak cryptographic algorithms, and others based on capturing encrypted information and using it to recover either the key or the plaintext.
  • Configurations: Attacks using user or system accounts created by default during installation or preconfiguration, exploitation of published vulnerabilities in components of the platform on which the application resides, and exploitation of misconfigurations or missing updates in the main components of the web application.
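The Input Validation and URL Canonicalization items above both come down to one failure: the application checks a parameter before it has been fully decoded. The following Python is an added example, not code from Internet Security Auditors or from the original page. It places a naive path check beside a hardened one and runs both over constructed inputs (percent-encoded, double-encoded, overlong UTF-8 and null-byte variants of a directory traversal). The document root `/var/www/html` and the parameter values are assumptions made for the illustration.

```python
"""Canonicalize a URL path parameter before checking it against a document root.

Added example (not part of the original page). The document root and the
test inputs below are constructed for illustration.
"""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_to_bytes

DOC_ROOT = "/var/www/html"   # hypothetical document root


def naive_is_safe(raw: str) -> bool:
    """The weak check: looks for '..' in the raw, still-encoded parameter."""
    return ".." not in raw and not raw.startswith("/")


def canonicalize(raw: str, max_decodes: int = 3) -> Optional[str]:
    """Percent-decode until the value stops changing (bounded), then reject
    null bytes and malformed UTF-8, and normalize as a POSIX path.
    Returns None when the input must be rejected outright."""
    data = raw.encode("utf-8")
    for _ in range(max_decodes):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    if unquote_to_bytes(data) != data:
        return None                      # still nested after max_decodes rounds
    if b"\x00" in data:
        return None                      # null byte: would truncate in C-level APIs
    try:
        text = data.decode("utf-8")      # strict: overlong forms such as C0 AE raise
    except UnicodeDecodeError:
        return None
    return posixpath.normpath(text)


def hardened_is_safe(raw: str) -> bool:
    """Decode and normalize first, then confirm the result stays under DOC_ROOT."""
    path = canonicalize(raw)
    if path is None or path.startswith("/"):
        return False
    full = posixpath.normpath(posixpath.join(DOC_ROOT, path))
    return full == DOC_ROOT or full.startswith(DOC_ROOT + "/")


# Constructed sample parameters: one benign value and four traversal variants
# that the raw-string check lets through.
SAMPLES = {
    "benign":        "docs/readme.txt",
    "encoded":       "%2e%2e/%2e%2e/etc/passwd",          # ../../etc/passwd
    "double":        "%252e%252e/%252e%252e/etc/passwd",  # decodes twice
    "overlong_utf8": "%c0%ae%c0%ae/etc/passwd",           # overlong '.' bytes
    "null_byte":     "docs/readme.txt%00.jpg",            # truncation trick
}


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over SAMPLES; value is (naive_result, hardened_result)."""
    return {name: (naive_is_safe(v), hardened_is_safe(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:14} naive={naive!s:5} hardened={hardened}")
```

The bound on decoding rounds matters: an unbounded "decode until stable" loop is itself an attack surface, so after the bound is exhausted any value that is still changing is rejected rather than accepted. Strict UTF-8 decoding is what stops the overlong form, since the naive check would never see a literal `..` in `%c0%ae%c0%ae`.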

Results

Report:
A detailed report is produced which includes:

  • A high level executive summary.
  • Details of all the tests performed, specifying their goals and results.
  • Results obtained in each of the tests that have been carried out.
  • Recommendations for a fast and effective solution to the security problems found.
  • Classification of the security problems according to their severity, which allows the company to draw up an efficient plan to solve them.

Workshop:
Meeting aimed at explaining the results obtained in the audit and advising on the possible solutions to the security problems found.