Topic: Need Functional Security / Penetration Testers / Telecommute
ideareboot (Recruiters)
« on: November 04, 2009, 12:25:25 PM »

Functional Security Testing
Remote with 20% travel
6+ months contract

• Input validation bypass – Client side validation routines and bounds-checking restrictions are removed to ensure controls are implemented on all application parameters sent to the server.
• SQL injection – Specially crafted SQL commands are submitted in input fields to validate input controls are in place to properly protect database data.
• Cross-site scripting – Active content is submitted to the application in an attempt to cause a user's web browser to execute unauthorized and unfiltered code. This test is meant to validate user input controls.
• Parameter tampering – Query strings, POST parameters, and hidden fields are modified in an attempt to gain unauthorized access to user data or application functionality.
• Cookie poisoning – Data sent in cookies is modified in order to test application response to receiving unexpected cookie values.
• Session hijacking – Client attempts to take over a session established by another user to assume the privileges of that user.
• User privilege escalation – Client attempts to gain unauthorized access to administrator or other users' privileges.
• Credential manipulation – Client modifies identification and authorization credentials in an attempt to gain unauthorized access to other users' data and application functionality.
• Forceful browsing – Client enumerates files located on a web server in an attempt to access files and user data not explicitly shown to the user within the application interface.
• Backdoors and debug options – Many applications contain code left by developers for debugging purposes. Debugging code typically runs with a higher level of access, making it a target for potential exploitation. Application developers may leave backdoors in their code. Client Business will identify these options that could potentially allow an intruder to gain additional levels of access.
• Configuration subversion – Improperly configured web servers and application servers are common attack vectors. Client assesses the software features, as well as the application and server configuration for poor configurations.

Tools

• HP Software (formerly SPI Dynamics) WebInspect
• Nessus (Infrastructure Testing)
• Tamper Data
• BurpSuite Pro

Regards,
________________________________________
Vikas Kanoongo
Recruitment | Sales

IdeaReboot
9055 SW 73rd CT, Unit 1409
Miami, Florida 33156 United States

vkanoongo at ideareboot dot com | Work: 315.683.3001 | Fax: 305.397.2534

« Last Edit: November 04, 2009, 10:28:22 PM by don »