POLITICA DE COOKIES

PENTEST-ONLINE.COM utiliza cookies técnicas, analíticas, de sesión y de publicidad con la finalidad de prestar un mejor servicio. No obstante, necesitamos su consentimiento explícito para poder utilizarlas. Así mismo puede cambiar la configuración de las cookies u obtener más información aquí .

CAJA NEGRA

Ataque externo realista

Información del producto

Este servicio simula el comportamiento de un atacante externo sin conocimiento previo de tu sistema, replicando un escenario de ataque real. El objetivo es identificar y documentar vulnerabilidades explotables que podrían comprometer la seguridad de tu sitio web o API desde fuera de tu infraestructura.

  1. Simulación avanzada de ataques externos:

    • Emulamos el enfoque de un atacante sin acceso interno, utilizando técnicas de hacking ético avanzadas reconocidas por la industria.
    • Exploramos posibles vectores de ataque, evaluando vulnerabilidades tanto automatizadas como manuales.
  2. Compatibilidad universal:

    • Nuestro análisis es totalmente adaptable a cualquier plataforma o tecnología, incluyendo:
      • Lenguajes de programación: PHP, Java, Python, C#, Node.js, Ruby, entre otros.
      • Frameworks: Django, Laravel, Spring, Express.js, entre otros.
      • CMS: WordPress, Joomla, Drupal, Magento, entre otros.
      • APIs: REST, GraphQL, SOAP.
      • Infraestructuras: Servidores en la nube, entornos híbridos o infraestructura on-premise.
    • No importa cómo esté desarrollado tu sistema; adaptamos las pruebas para obtener los resultados más precisos.
  3. Cobertura exhaustiva del análisis:

    • Identificamos vulnerabilidades críticas y medias, tales como:
      • Inyección SQL (SQLi): Manipulación de bases de datos a través de entradas inseguras.
      • Cross-Site Scripting (XSS): Inyecciones de scripts maliciosos que afectan la seguridad de los usuarios.
      • Errores de autenticación: Fallos en la gestión de credenciales y sesiones.
      • Configuraciones inseguras: Políticas mal implementadas o configuraciones incorrectas del servidor.
      • Exposición de datos sensibles: Endpoints o archivos mal protegidos.
    • Incluimos evaluaciones dinámicas para sistemas que interactúan en tiempo real.
  4. Escenario simulado:

    • Replicamos intentos de intrusión desde la perspectiva de atacantes externos:
      • Ataques automatizados dirigidos a vulnerabilidades comunes.
      • Métodos avanzados manuales para identificar posibles brechas.

Beneficios para tu organización

  1. Identificación de más de 280 vulnerabilidades potenciales:

    • Presentamos un informe exhaustivo con detalles técnicos, impacto de cada vulnerabilidad y pasos recomendados para solucionarlas.
  2. Incremento de la confianza en tu sistema:

    • Al comprender y mitigar las vulnerabilidades externas, reduces significativamente los riesgos de explotación por actores maliciosos.
  3. Protección de tu reputación y datos sensibles:

    • Evita incidentes que puedan generar costos financieros, pérdida de clientes o daño a la imagen de tu empresa.
  4. Cumplimiento normativo:

    • Apoyamos a tu organización a cumplir con estándares de seguridad como ISO 27001, GDPR, PCI DSS, entre otros.
  5. Informe técnico y de gestión:

    • Recibirás un informe en PDF con descripciones claras, evidencias visuales, criticidad de las vulnerabilidades y recomendaciones accionables.

Entrega en 72 Horas

  • Recibirás un análisis completo con un informe optimizado para ser compartido con tu equipo técnico o de gestión, garantizando una resolución rápida de los problemas detectados.



+281 Vulnerabilidades

+281 Vulnerabilidades
NOMBRE
GRAVEDAD
CLASIFICACIONES
OS command injection
High
SQL injection
High
SQL injection (second order)
High
ASP.NET tracing enabled
High
File path traversal
High
XML external entity injection
High
LDAP injection
High
XPath injection
High
XML injection
Medium
ASP.NET debugging enabled
Medium
Broken Access Control
Information
HTTP PUT method is enabled
High
Out-of-band resource load (HTTP)
High
File path manipulation
High
PHP code injection
High
Server-side JavaScript code injection
High
Perl code injection
High
Ruby code injection
High
Python code injection
High
Expression Language injection
High
Unidentified code injection
High
Server-side template injection
High
SSI injection
High
Cross-site scripting (stored)
High
HTTP request smuggling
High
Client-side desync
High
Web cache poisoning
High
HTTP response header injection
High
Cross-site scripting (reflected)
High
Client-side template injection
High
Cross-site scripting (DOM-based)
High
Cross-site scripting (reflected DOM-based)
High
Cross-site scripting (stored DOM-based)
High
Client-side prototype pollution
Information
JavaScript injection (DOM-based)
High
JavaScript injection (reflected DOM-based)
High
JavaScript injection (stored DOM-based)
High
Path-relative style sheet import
Information
Client-side SQL injection (DOM-based)
High
Client-side SQL injection (reflected DOM-based)
High
Client-side SQL injection (stored DOM-based)
High
WebSocket URL poisoning (DOM-based)
High
WebSocket URL poisoning (reflected DOM-based)
High
WebSocket URL poisoning (stored DOM-based)
High
Local file path manipulation (DOM-based)
High
Local file path manipulation (reflected DOM-based)
High
Local file path manipulation (stored DOM-based)
High
Client-side XPath injection (DOM-based)
Low
Client-side XPath injection (reflected DOM-based)
Low
Client-side XPath injection (stored DOM-based)
Low
Client-side JSON injection (DOM-based)
Low
Client-side JSON injection (reflected DOM-based)
Low
Client-side JSON injection (stored DOM-based)
Low
Flash cross-domain policy
High
Silverlight cross-domain policy
High
Content security policy: allowlisted script resources
Information
Content security policy: allows untrusted script execution
Information
Content security policy: allows untrusted style execution
Information
Content security policy: malformed syntax
Information
Content security policy: allows clickjacking
Information
Content security policy: allows form hijacking
Information
Content security policy: not enforced
Information
GraphQL endpoint found
Information
GraphQL endpoint discovered
Information
GraphQL introspection enabled
Low
GraphQL suggestions enabled
Low
GraphQL content type not validated
Low
Cross-origin resource sharing
Information
Cross-origin resource sharing: arbitrary origin trusted
High
Cross-origin resource sharing: unencrypted origin trusted
Low
Cross-origin resource sharing: all subdomains trusted
Low
Web cache deception
Medium
Cross-site request forgery
Medium
SMTP header injection
Medium
JWT signature not verified
High
JWT none algorithm supported
High
JWT self-signed JWK header supported
High
JWT weak HMAC secret
High
JWT arbitrary jku header supported
High
JWT arbitrary x5u header supported
High
Cleartext submission of password
High
External service interaction (DNS)
Information
External service interaction (HTTP)
High
External service interaction (SMTP)
Information
Referer-dependent response
Information
Spoofable client IP address
Information
User agent-dependent response
Information
Password returned in later response
Medium
Password submitted using GET method
Low
Password returned in URL query string
Low
SQL statement in request parameter
Medium
Cross-domain POST
Information
ASP.NET ViewState without MAC enabled
High
XML entity expansion
Medium
Long redirection response
Information
Serialized object in HTTP message
High
Duplicate cookies set
Information
Input returned in response (stored)
Information
Input returned in response (reflected)
Information
Suspicious input transformation (reflected)
Information
Suspicious input transformation (stored)
Information
Request URL override
Information
Vulnerable JavaScript dependency
Low
Open redirection (reflected)
Low
Open redirection (stored)
Medium
Open redirection (DOM-based)
Low
Open redirection (reflected DOM-based)
Low
Open redirection (stored DOM-based)
Medium
TLS cookie without secure flag set
Medium
Cookie scoped to parent domain
Low
Cross-domain Referer leakage
Information
Cross-domain script include
Information
Cookie without HttpOnly flag set
Low
Session token in URL
Medium
Password field with autocomplete enabled
Low
Password value set in cookie
Medium
File upload functionality
Information
Frameable response (potential Clickjacking)
Information
Browser cross-site scripting filter disabled
Information
HTTP TRACE method is enabled
Information
Cookie manipulation (DOM-based)
Low
Cookie manipulation (reflected DOM-based)
Low
Cookie manipulation (stored DOM-based)
Low
Ajax request header manipulation (DOM-based)
Low
Ajax request header manipulation (reflected DOM-based)
Low
Ajax request header manipulation (stored DOM-based)
Low
Denial of service (DOM-based)
Information
Denial of service (reflected DOM-based)
Information
Denial of service (stored DOM-based)
Low
HTML5 web message manipulation (DOM-based)
Information
HTML5 web message manipulation (reflected DOM-based)
Information
HTML5 web message manipulation (stored DOM-based)
Information
HTML5 storage manipulation (DOM-based)
Information
HTML5 storage manipulation (reflected DOM-based)
Information
HTML5 storage manipulation (stored DOM-based)
Information
Link manipulation (DOM-based)
Low
Link manipulation (reflected DOM-based)
Low
Link manipulation (stored DOM-based)
Low
Link manipulation (reflected)
Information
Link manipulation (stored)
Information
Document domain manipulation (DOM-based)
Medium
Document domain manipulation (reflected DOM-based)
Medium
Document domain manipulation (stored DOM-based)
Medium
DOM data manipulation (DOM-based)
Information
DOM data manipulation (reflected DOM-based)
Information
DOM data manipulation (stored DOM-based)
Information
CSS injection (reflected)
Medium
CSS injection (stored)
Medium
Client-side HTTP parameter pollution (reflected)
Low
Client-side HTTP parameter pollution (stored)
Low
Form action hijacking (reflected)
Medium
Form action hijacking (stored)
Medium
Database connection string disclosed
Medium
Source code disclosure
Low
Backup file
Information
Directory listing
Information
Email addresses disclosed
Information
Private IP addresses disclosed
Information
Social security numbers disclosed
Information
Credit card numbers disclosed
Information
Private key disclosed
Information
Robots.txt file
Information
Json Web Key Set disclosed
Information
JWT private key disclosed
High
Cacheable HTTPS response
Information
Base64-encoded data in parameter
Information
Multiple content types specified
Information
HTML does not specify charset
Information
HTML uses unrecognized charset
Information
Content type incorrectly stated
Low
Content type is not specified
Information
TLS certificate
Medium
Unencrypted communications
Low
Strict transport security not enforced
Low
Mixed content
Information
Hidden HTTP 2
Information
Extension generated issue
Information
BCheck generated issue
Information

Informe

Informe de ejemplo

Proceso

El proceso

CAJA NEGRA
PENETRATION
TESTING

Todo incluido
299€
Enviado correctamente.

Gracias por confiar en Q2BStudio