NYOXA LABS

Security terms explained in client-friendly language.

A plain-language reference for terms that appear in NYOXA LABS reports and assessment discussions.

Authorization

Assessment & Testing

Written, formal approval required before any security testing can legally begin. It defines the specific systems that can be tested.

Why it matters / Example

Before testing your API, NYOXA LABS requires a signed Rules of Engagement document containing authorization.

Scope

Assessment & Testing

The exact boundaries of a security assessment, detailing which IP addresses, domains, APIs, and actions are permitted for testing, and which are strictly off-limits.

Why it matters / Example

The scope for the test included 'api.example.com' but explicitly excluded the third-party payment gateway.

Rules of Engagement (RoE)

Assessment & Testing

A document outlining the conditions under which a penetration test will be conducted, including testing windows, communication protocols, and emergency contacts.

Why it matters / Example

The RoE specified that testing could only occur between 9 PM and 5 AM EST to minimize impact on real users.

Evidence

Assessment & Testing

Screenshots, network requests, responses, and behavioral observations collected during a test to definitively prove a vulnerability exists.

Why it matters / Example

The final report included evidence showing the raw HTTP request used to bypass the login screen.

Remediation

Assessment & Testing

The process of fixing a vulnerability or implementing a security control to reduce the identified risk to an acceptable level.

Why it matters / Example

The recommended remediation for the SQL injection was to use prepared statements in all database queries.

Retesting

Assessment & Testing

A follow-up validation step performed after a client has applied fixes, aimed at confirming whether the vulnerabilities were successfully resolved.

Why it matters / Example

After the engineering team patched the servers, NYOXA LABS performed retesting and confirmed the critical findings were closed.

Penetration Testing (Pentest)

Assessment & Testing

A simulated cyberattack against your computer system to check for exploitable vulnerabilities, using the same tools and techniques as real attackers.

Why it matters / Example

The penetration testing exercise revealed that an attacker could chain three minor flaws together to gain full admin access.

Vulnerability Scanning

Assessment & Testing

The automated process of proactively identifying vulnerabilities in networks and applications without necessarily attempting to exploit them.

Why it matters / Example

Vulnerability scanning found outdated software, but a manual pentest was needed to prove the data could actually be stolen.

Authentication

Security Mechanisms

The process of verifying the identity of a user, device, or system. It answers the question: 'Are you who you say you are?'

Why it matters / Example

Requiring a password and a code sent to a mobile device (MFA) is a strong form of authentication.

Authorization (Access Control)

Security Mechanisms

The process of determining what an authenticated user or system is allowed to do. It answers the question: 'Are you allowed to do this?'

Why it matters / Example

The user successfully logged in (Authentication), but the system denied them access to the billing dashboard (Authorization).

Principle of Least Privilege

Security Mechanisms

The security concept of giving a user account or process only those privileges which are essential to perform its intended function.

Why it matters / Example

Following the principle of least privilege, the marketing team's database credentials only allow read access, not write access.

Defense in Depth

Security Mechanisms

An approach to cybersecurity in which a series of defensive mechanisms is layered, so that if one control fails, another still protects valuable data and information.

Why it matters / Example

Using a firewall, strong passwords, MFA, and encrypting the database at rest are examples of defense in depth.

Encryption

Security Mechanisms

The process of converting readable data into an unreadable format using an algorithm and a key, preventing unauthorized access during storage or transit.

Why it matters / Example

TLS encryption ensures that credit card numbers sent from the browser to the server cannot be read by an attacker who intercepts the traffic on the network.

Attack Surface

Vulnerabilities & Attacks

The total sum of vulnerabilities, pathways, or methods that an attacker can use to enter a system or extract data.

Why it matters / Example

Closing unused network ports and disabling old subdomains significantly reduced the company's external attack surface.

Broken Access Control

Vulnerabilities & Attacks

A security failure where users can act outside of their intended permissions, leading to unauthorized information disclosure, modification, or destruction.

Why it matters / Example

Broken access control allowed a standard user to view the private settings page of an administrator.

Insecure Direct Object Reference (IDOR / BOLA)

Vulnerabilities & Attacks

A specific type of broken access control where an application uses client-provided input to access objects directly without proper authorization checks.

Why it matters / Example

By changing the URL from `user_id=12` to `user_id=13`, the attacker exploited an IDOR to view another customer's invoice.
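The invoice lookup above, as an added example that is not NYOXA LABS code: one handler trusts the invoice id from the request (the IDOR), the other scopes the query to the logged-in customer. The table, ids and totals are constructed sample data.

```python
# Added example: an invoice lookup vulnerable to IDOR beside the fixed version.
import sqlite3

def make_db():
    # Constructed sample data: two customers, one invoice each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total TEXT)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(12, 1001, "$40.00"), (13, 1002, "$95.00")])
    return db

def get_invoice_vulnerable(db, session_user_id, invoice_id):
    # Vulnerable: the id taken from the URL is used directly, and the
    # logged-in user's identity is never compared with the invoice owner.
    row = db.execute("SELECT total FROM invoices WHERE id = ?",
                     (invoice_id,)).fetchone()
    return row[0] if row else None

def get_invoice_fixed(db, session_user_id, invoice_id):
    # Fixed: the query is scoped to the authenticated user, so another
    # customer's invoice looks exactly like one that does not exist.
    row = db.execute("SELECT total FROM invoices WHERE id = ? AND owner_id = ?",
                     (invoice_id, session_user_id)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Customer 1001 owns invoice 12 and asks for invoice 13 (another customer's).
    print(get_invoice_vulnerable(db, 1001, 13))  # $95.00: data leaked
    print(get_invoice_fixed(db, 1001, 13))       # None: access denied
    print(get_invoice_fixed(db, 1001, 12))       # $40.00: own invoice still works
```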

Cross-Site Scripting (XSS)

Vulnerabilities & Attacks

A vulnerability where an application includes untrusted data in a web page without proper validation or escaping, allowing attackers to execute malicious scripts in the victim's browser.

Why it matters / Example

An attacker exploited an XSS flaw by posting a malicious script in a blog comment, which then stole the session cookies of anyone who read the post.

SQL Injection (SQLi)

Vulnerabilities & Attacks

An injection attack in which attacker-controlled input is built into a database query, making it possible to execute unintended SQL statements and allowing the attacker to view, modify, or delete data in the database.

Why it matters / Example

Using SQL injection on the login page, the attacker bypassed authentication by forcing the database to evaluate a query as logically true.
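The login bypass above together with the prepared-statement fix recommended under Remediation, as an added example that is not NYOXA LABS code: the first check builds the query by string concatenation, the second uses placeholders. The user table and account are constructed sample data.

```python
# Added example: a login query vulnerable to SQL injection beside the
# prepared-statement version.
import sqlite3

def make_db():
    # Constructed sample account (plaintext password only to keep the
    # example short; real systems store password hashes).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_vulnerable(db, username, password):
    # Vulnerable: user input becomes part of the SQL text, so a quote in the
    # input can change the query's logic instead of being compared as data.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_fixed(db, username, password):
    # Fixed (prepared statement): the query structure is fixed in advance and
    # the driver binds the values separately, so input is only ever data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    # Input that turns the concatenated WHERE clause into one that is always true.
    crafted = "' OR '1'='1"
    print(login_vulnerable(db, "alice", crafted))  # True: authentication bypassed
    print(login_fixed(db, "alice", crafted))       # False: treated as a wrong password
    print(login_fixed(db, "alice", "correct horse"))  # True: legitimate login still works
```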

Social Engineering

Vulnerabilities & Attacks

The psychological manipulation of people into performing actions or divulging confidential information.

Why it matters / Example

The attacker used social engineering by calling the helpdesk pretending to be the CEO in order to get a password reset.

Phishing

Vulnerabilities & Attacks

A type of social engineering attack often used to steal user data, including login credentials and credit card numbers, by masquerading as a trusted entity via email or text.

Why it matters / Example

The employee received a phishing email that looked exactly like a Google login prompt, tricking them into entering their password.

Zero-Day Vulnerability

Vulnerabilities & Attacks

A previously unknown vulnerability in software or a system that attackers can exploit before the vendor has created a patch.

Why it matters / Example

The firewall was compromised using a zero-day exploit, meaning no patch existed that the IT team could have applied beforehand.
