OWASP WSTG v4.2 Penetration Test Certification – Payment Platform

Penetration Test Certification

A Payment Platform contacted Sayfer Security to perform a full penetration test on the Payment Platform’s website and the server that communicates with it in June 2021.

Before assessing the system, we held a kickoff meeting with the Payment Platform’s technical team and received an overview of the system and the goals for this assessment. We also performed an extensive risk assessment of the platform.

Over the four-week testing period, the tests were performed according to the full OWASP WSTG v4.2 testing guide. We discovered 5 high-risk vulnerabilities and 3 low-risk vulnerabilities.

After the Payment Platform implemented their fixes for the findings presented by Sayfer, we conducted an additional iteration to validate that the findings were fixed successfully. This is part of a healthy security process: a fix is only confirmed once the original finding can no longer be reproduced.

In our second iteration we confirmed that all vulnerabilities reported in our initial report had been fixed, and the Payment Platform meets OWASP’s WSTG v4.2 comprehensive testing guide with no known vulnerabilities.

Approach

Introduction

The security assessment carried out by Sayfer targets the Payment Platform’s website and the server that communicates with it. Specifically, the assessment reviews the security posture of the application, its surrounding infrastructure and its process implementations.

This review was commissioned by the Payment Platform, and the assessment was carried out in collaboration with Sayfer’s team.

The project life cycle:

01 Scope Overview
02 Technical Overview
03 Scope Validation
04 Threat Model
05 Security Evaluation
06 Security Assessment

Security Evaluation Methodology

Sayfer uses OWASP WSTG as our technical standard when reviewing web applications. After gaining a thorough understanding of the system we decided which OWASP tests are required to evaluate the system.

Scope Validation

Before starting to look for security vulnerabilities we made sure that the scope defined to us by the client was technically logical.

It is a common mistake to forget an old server or account that is still connected to the internet and has permissions to access or control the system audited under the defined scope. Such an asset is reachable by an attacker but would never be tested if the scope is taken at face value.

By validating the scope against what can actually be discovered (DNS records, certificates, exposed hosts and accounts), we made sure that no overlooked asset left the tested system exposed to a risk the assessment did not cover.
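As an added illustration of the scope-validation step (example code written for this page, not Sayfer’s own tooling), the script below compares the scope a client declares at kickoff with the assets found during reconnaissance and flags anything that does not fit. The declared networks and domains and the list of discovered hosts are constructed sample data; in practice the discovered list comes from DNS enumeration, certificate-transparency logs, cloud inventory and similar sources.

```python
import ipaddress

# Scope as declared by the client at the kickoff meeting (constructed sample data).
# 203.0.113.0/24 is a documentation range, so nothing here is a real target.
DECLARED_SCOPE = {
    "networks": ["203.0.113.0/28"],
    "domains": ["pay.example.com", "*.api.example.com"],
}

# Assets discovered during reconnaissance as (hostname, resolved IP) pairs
# (constructed sample data).
DISCOVERED_ASSETS = [
    ("pay.example.com", "203.0.113.5"),          # declared host, declared network
    ("v1.api.example.com", "203.0.113.9"),       # matches the wildcard entry
    ("old-staging.example.com", "198.51.100.7"), # the forgotten server
    ("admin.pay.example.com", "203.0.113.14"),   # declared network, undeclared host
]


def host_in_scope(host, domain_patterns):
    """True if host matches an exact domain or a '*.suffix' wildcard.

    The wildcard matches subdomains only: '*.api.example.com' covers
    'v1.api.example.com' but not 'api.example.com' itself.
    """
    host = host.lower().rstrip(".")
    for pattern in domain_patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # '.api.example.com'
            if host.endswith(suffix) and host != suffix[1:]:
                return True
        elif host == pattern:
            return True
    return False


def ip_in_scope(ip, networks):
    """True if the address falls inside any declared network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def validate_scope(scope, assets):
    """Classify every discovered asset against the declared scope.

    'partial' means the host name and its address disagree about scope
    membership (for example an undeclared host on a declared network);
    these are raised with the client before testing starts, just like
    fully out-of-scope assets.
    """
    result = {"in_scope": [], "out_of_scope": [], "partial": []}
    for host, ip in assets:
        by_host = host_in_scope(host, scope["domains"])
        by_ip = ip_in_scope(ip, scope["networks"])
        if by_host and by_ip:
            result["in_scope"].append((host, ip))
        elif not by_host and not by_ip:
            result["out_of_scope"].append((host, ip))
        else:
            result["partial"].append((host, ip))
    return result


if __name__ == "__main__":
    report = validate_scope(DECLARED_SCOPE, DISCOVERED_ASSETS)
    for bucket, items in report.items():
        print(bucket)
        for host, ip in items:
            print(f"  {host:<28} {ip}")
```

Every entry under `out_of_scope` or `partial` is a question for the client, not a target: either the scope document is incomplete and needs to be extended, or the asset is genuinely someone else’s and must not be touched. Running this before the first test request is what turns a written scope into a technically validated one.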

About Sayfer

Sayfer is a leading consultant and software solutions company. We specialize in making organizations safer with ad-hoc solutions that close the gaps common security products fail to reach.

By being professional but lean and open to customer desires, we are able to provide our clients with fast and valuable solutions that prevent security breaches.

Sayfer specializes in offensive defense. By leveraging approaches that imitate an attacker’s behavior, such as reverse engineering and vulnerability research, we are able to find novel vulnerabilities in our clients’ products before real attackers can exploit them.

We are available at [email protected]
If you want to encrypt your message please use our public PGP key:
https://sayfer.io/3D4A560F984C41BE.asc
Key ID: 3D4A560F984C41BE

Website: https://sayfer.io
Public email: [email protected]
Phone: +972-559139416

Contact us

Location
Tel Aviv, Israel