Our services

AXESS Security specializes in checking consumer-directed websites, applications and mobile apps for security issues that would allow a malicious attacker to exploit the site or app in any unintended way.

Typical issues that are checked

  • Test for general functionality
    • Does the site work as intended?
  • Test for general security-related design parameters
    • Are all parameters sent to the server sanitized to prevent SQL injection?
    • Is the user authenticated via a session, and is the session ID entropic (“random”) enough?
  • Test for possible manipulation/circumvention of the registration/age check
    • Is protected content accessible without the proper credentials of a registered user?
    • Can the registration mechanism be manipulated?
    • Can a user register while entering an age below the required minimum age?
  • Tests for exposure of or access to critical personal data
    • Is it possible to read other users' personal data (email addresses, names etc.)?
    • Is it possible to change other users' personal data?
  • Tests for exposure of non-critical but non-public data (directory listings etc.)
    • Is it possible to access directory listings in order to gain knowledge of files not accessible via the site?
    • Do error messages reveal non-public information about the underlying technology of the site?
  • Tests for repeated functionality / possible automation of execution of functionality
    • Can the registration mechanism be executed an unlimited number of times?
    • Can the “Lost your Password?” function be executed an unlimited number of times?
    • Can the “Invite a friend” function be executed an unlimited number of times?
    • Can execution of the above or other relevant functions be automated?
  • File uploads
    If the site offers the possibility to upload files (for example pictures or scans of documents), we check for the following issues for each individual file-upload mechanism that is offered.
    • Possibility to upload executable files (for example ASPX pages) and execute them
    • Possibility to store and make available unwanted content via the site (for example uploading pictures and linking to them before they are moderated, i.e. “using the site as a file exchange”)
    • Possibility to access other users' uploaded data that should not be accessible or is not yet “moderated”
  • Games
    If the site contains game mechanisms, the following checks are made for each of the games. Special scrutiny is applied to games where winning prizes is directly determined or influenced by the user's “score”.
    • Is the general functionality of the game mechanism working as intended?
    • Is it possible to cheat?
    • Is it possible to play / post game results as another user?
  • Forums/Message Boards
    Forums and community functions are checked for the following issues.
    • Are nicknames unique?
    • Is it possible to post content as another user?
    • Is content accessible before it has been “moderated”?
    • Can posting be automated? / Is “spamming” possible?
  • Other active site mechanisms
    Any other active site mechanisms (meaning parts of the site that allow a user to send data to the server where it is stored or processed in any other way) have to be checked individually depending on their functionality.
  • Additional automated scan of the server via specialized tools
    While most of our tests are a manual process, we also provide checks via automated security scanners that check the server software for more than 25,000 known exploits. These produce a comprehensive report that might help to identify possible security issues in the infrastructure in use.
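The session-ID entropy question above can be turned into a self-check a site owner runs on a sample of their own session IDs. The following Python is an added example, not AXESS code: it counts only the positions that actually vary across the sample (a fixed prefix or constant field adds no entropy), flags IDs that increment by a constant step, and compares against a 64-bit minimum that is assumed here as the acceptance threshold.

```python
import math
import random
from collections import Counter


def bits_upper_bound(ids):
    """Upper bound on the entropy of a session id: number of character
    positions that vary across the sample, times log2(alphabet size).
    A constant prefix, version byte or never-changing field adds 0 bits."""
    length = min(len(s) for s in ids)
    alphabet = set("".join(ids))
    varying = sum(
        1 for pos in range(length)
        if len(Counter(s[pos] for s in ids)) > 1
    )
    return varying * math.log2(len(alphabet))


def looks_sequential(ids):
    """True when the ids, read as hex integers, grow by one constant step:
    such ids are guessable no matter how long they are."""
    try:
        nums = [int(s, 16) for s in ids]
    except ValueError:
        return False  # not purely hex, so the arithmetic check does not apply
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1


def assess(ids, min_bits=64):
    """Return (acceptable, estimated_bits). min_bits=64 is an assumed
    threshold, not a figure from the checklist."""
    bits = bits_upper_bound(ids)
    return (bits >= min_bits and not looks_sequential(ids)), bits


# Constructed samples, not captured from any real site.
# Weak: constant prefix "ab" plus a zero-padded counter (1000, 1001, ...).
WEAK = [f"ab{1000 + i:08x}" for i in range(40)]
# Strong: 128-bit values from a seeded PRNG, standing in for a CSPRNG token.
_rng = random.Random(2015)
STRONG = [f"{_rng.getrandbits(128):032x}" for _ in range(40)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strong", STRONG)):
        ok, bits = assess(sample)
        print(f"{name}: ~{bits:.0f} bits, sequential={looks_sequential(sample)}, acceptable={ok}")
```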


News

Crowdfunding site Patreon hacked - data leaked

Maker-funding site Patreon was hacked last week, resulting in the dump of gigabytes of code and user data. Fortunately, user passwords were hashed with bcrypt, which suggests they are mostly safe.

Hacking Team has been Hacked

The IT infrastructure of cyberweapons manufacturer Hacking Team has been compromised, and 400 GB of internal company data have been posted.

Russian gang amasses over a billion internet accounts

A Russian crime ring has amassed the largest known collection of stolen Internet credentials.
