

Cybersecurity
Cybersecurity is the practice of protecting computer systems and networks from unauthorized access, use, disclosure, disruption, modification, or destruction. In today’s increasingly interconnected world, cybersecurity has become critical for individuals, businesses, and governments alike.



Web Application Penetration Testing
Penetration testing is the practice of testing a computer system, a network, or an application (web or software) to find security vulnerabilities that an attacker could exploit to gain unauthorized access to the system or application. The main objective of a penetration test is to identify security weaknesses before attackers can find and exploit them.
API Penetration Testing
API (Application Programming Interface) is a computing interface that enables communication and data exchange between two distinct software systems. It defines the methods and data formats applications can use to request and exchange information, enabling them to work together seamlessly.
Mobile Penetration Testing
Mobile apps are the in thing in the software world. With the rapid increase in the number of smartphones all over the world, there is a corresponding growth in the number of mobile apps.
The latest and most advanced innovations in mobile phones have made tasks easier and faster. However, there is no debate about how difficult it can be to maintain proper security for these problem-solving apps.
Web Application Penetration
Web Application Penetration Testing (Web App Pentesting) is a security assessment process used to identify vulnerabilities in web applications before attackers can exploit them. It involves simulating real-world attacks to evaluate the security of web applications, APIs, and associated infrastructure.
Directory traversal, also known as path traversal, is an HTTP exploit that takes advantage of a security flaw in a web server to access data stored outside the server’s root directory.
After a successful directory traversal attempt lets them read restricted files, attackers are sometimes also able to run commands on the targeted server.
A directory traversal attack often takes advantage of web browsers, which means that every service that accepts unverified input data from a browser is open to attack. Threat actors frequently search through a directory tree to find routes to restricted files on web servers before launching this attack.
SQL Injection
SQL Injection (SQLi) is one of the most critical web vulnerabilities because it allows attackers to manipulate a web application's database by injecting malicious SQL queries.
It is considered a high-severity vulnerability due to its potential to expose sensitive data, bypass authentication, and even take full control of a database.
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a type of web security vulnerability that allows attackers to inject malicious scripts (usually JavaScript) into web pages viewed by other users.
These scripts execute in the victim's browser, leading to data theft, session hijacking, or even full account takeovers.
LFI (Local File Inclusion)
Local File Inclusion (LFI) is the technique of including files that are already present locally on the server by leveraging vulnerable inclusion mechanisms implemented in the web application.
A page receives the path of the file to be included as input; if this input is not properly validated or sanitized, characters such as dot-dot-slash (used for directory traversal) can be injected and malicious actions performed.
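An added example, not part of this page, that covers both the directory traversal and the LFI descriptions above: a Python file-serving helper that resolves the requested path against the web root and refuses anything that ends up outside it, exercised against a constructed directory layout (the file names and requests are made up for the demo).

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

class TraversalError(ValueError):
    """Raised when a requested path would leave the allowed directory."""

def resolve_under_root(root, requested):
    """Map a user-supplied path onto a file under root, or raise TraversalError.
    The decision is made on the fully resolved path (symlinks and '..' collapsed),
    not on the raw string, so encoded or indirect forms of '..' are caught too."""
    root_dir = Path(root).resolve()
    decoded = unquote(requested)          # decode percent-encoding once, as a web server would
    if "\0" in decoded:                   # NUL bytes truncate paths in some lower-level APIs
        raise TraversalError("NUL byte in requested path")
    # Treat the request as relative to the root even if it starts with a slash.
    candidate = (root_dir / decoded.lstrip("/\\")).resolve()
    if candidate != root_dir and root_dir not in candidate.parents:
        raise TraversalError(f"path escapes root: {requested!r}")
    return candidate

def read_under_root(root, requested):
    """Serve a file only after the containment check has passed."""
    with open(resolve_under_root(root, requested), "rb") as fh:
        return fh.read()

def demo():
    """Constructed scenario: a web root 'public' holding index.html, plus a secret
    file one level above it that must never be served. Returns the outcome of
    each request so the behaviour can be checked."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "public"
    webroot.mkdir()
    (webroot / "index.html").write_text("<h1>hello</h1>")
    (base / "secret.txt").write_text("do-not-serve")
    outcomes = {}
    for req in ("index.html", "sub/../index.html", "../secret.txt",
                "%2e%2e/secret.txt", "/etc/passwd"):
        try:
            outcomes[req] = read_under_root(webroot, req).decode()
        except TraversalError:
            outcomes[req] = "REJECTED"
        except FileNotFoundError:
            outcomes[req] = "NOT FOUND"   # mapped inside the root, but no such file there
    return outcomes

if __name__ == "__main__":
    for request, result in demo().items():
        print(f"{request!r:>22} -> {result}")
```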
XXE Injection (XML External Entity Attack)
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data.
It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
Access Control Vulnerabilities (IDOR)
Access Control is about managing who can do what within an application. It ensures that users can only access resources or perform actions based on their permissions. Imagine a social media platform where users can view their own profile, but not modify someone else’s profile or view private data.
As one of the top risks identified by OWASP (the Open Web Application Security Project) in its 2021 list, broken access control is a critical security flaw that every developer should understand.
Business Logic Vulnerabilities
Business logic vulnerabilities stem from inadequacies in how software systems manage and enforce business rules and processes. Unlike traditional security vulnerabilities that involve exploiting flaws in software code or configurations, business logic vulnerabilities exploit gaps or inconsistencies in the logic of an application’s workflow.
These vulnerabilities arise from flaws in the design and implementation of a system’s logic.
API Penetration Testing
API Penetration Testing is a security assessment that evaluates the security of an Application Programming Interface (API) by identifying vulnerabilities that attackers could exploit. Since APIs often handle sensitive data and facilitate communication between applications, securing them is critical.
Penetration testing simulates a cyber attack to look for weaknesses in the system, especially with regard to security. An example of a weakness that could occur on sumbang.in is an outsider being able to change a user's transaction status. This is something we definitely do not want, so we configured the API to always require authentication from the sender of the request.

TOP API VULNERABILITIES
i) Broken Object Level Authorization - BOLA
ii) Broken Functional Level Authorization - BFLA
iii) Security Misconfiguration
iv) Code Injection
v) Broken User Authentication
vi) Excessive Data Exposure
vii) Improper Assets Management
viii) Insufficient Logging and Monitoring
RESTful API
A RESTful API is a standard used in designing APIs for web applications (web services) for managing resources.
It focuses on system resources (text files, images, audio, video, or dynamic data), and these resource states are formatted and transferred via HTTP.
GraphQL API
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools.
SOAP API
Simple Object Access Protocol (SOAP) is a message specification for exchanging information between systems and applications. When it comes to application programming interfaces (APIs), a SOAP API is developed in a more structured and formalized way.
Web Socket API
The WebSocket API is the next generation method of asynchronous communication from client to server.
Communication takes place over a single TCP socket using the ws (unsecure) or wss (secure) protocol and can be used by any client or server application.
WebSocket is currently being standardized by the W3C.
What’s great about the WebSocket API is that the server and client can push messages to each other at any given time. AJAX technology was a clever use of a feature that was not designed for the way it is used today. WebSocket was created for the specific purpose of bi-directional message pushing.
Mobile Penetration Testing

Mobile Penetration Testing is the process of evaluating the security of mobile applications and devices (Android & iOS) to identify vulnerabilities that attackers could exploit.
This type of testing ensures that mobile apps and the underlying infrastructure are secure against threats like data leakage, insecure storage, weak authentication, and network attacks.
Key Aspects of Mobile Penetration Testing
Assessing the Mobile Application:
Mobile apps can have vulnerabilities in their code, API interactions, or permissions. The testing process includes:
Static Analysis – Reviewing the app’s source code or decompiled code for security flaws.
Dynamic Analysis – Running the app in a test environment to detect runtime vulnerabilities.
Reverse Engineering – Decompiling the application to analyze logic and find hardcoded secrets (e.g., API keys, passwords).
Network Communication Testing:
Intercepting app traffic using tools like Burp Suite or mitmproxy to check for unencrypted or weakly encrypted data transmission.
Testing against Man-in-the-Middle (MITM) attacks.
Ensuring the use of SSL/TLS for secure data communication.
Authentication & Authorization Testing:
Checking for weak or missing authentication mechanisms.
Testing biometric authentication bypass (fingerprint, face recognition).
Exploiting insecure session management.
Data Storage Security:
Examining whether sensitive data (tokens, passwords) is securely stored.
Checking for insecure storage in SQLite databases, Shared Preferences, Keychain (iOS), and External Storage.
Testing for SQL Injection (SQLi) and Local File Inclusion (LFI).
API Security Testing:
Identifying broken authentication or weak API endpoints.
Testing for IDOR (Insecure Direct Object References) attacks.
Checking for JWT (JSON Web Token) security flaws.
Device & OS-Level Security Testing:
Checking for root/jailbreak detection bypass.
Testing for clipboard data leaks.
Verifying secure app permissions.
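As an added example (not from this page or any particular tool) of what "checking for JWT security flaws" looks like in code, here is an HS256 verifier written with the Python standard library: it pins the algorithm instead of trusting the token's header, compares the signature in constant time, and requires and enforces an expiry claim. sign_hs256 and the demo key exist only to produce test tokens and are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

class InvalidToken(Exception):
    """Raised for any token the verifier will not accept."""

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token; used here only to build inputs for the verifier."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid token or raise InvalidToken.
    The algorithm is fixed by the verifier, not read from the header, so an
    'alg: none' or swapped-algorithm token is refused before any crypto runs."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:   # bad base64, bad JSON/UTF-8 and wrong part count all land here
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected or missing alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):   # constant-time comparison
        raise InvalidToken("bad signature")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise InvalidToken("missing exp claim")
    if claims["exp"] <= (time.time() if now is None else now):
        raise InvalidToken("token expired")
    return claims

def is_valid(token: str, key: bytes, now=None) -> bool:
    """Accept/reject wrapper for callers that do not need the claims."""
    try:
        verify_hs256(token, key, now)
        return True
    except InvalidToken:
        return False
```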
Popular Tools for Mobile Penetration Testing
Burp Suite – Intercepting and analyzing HTTP/HTTPS traffic.
MobSF (Mobile Security Framework) – Static and dynamic security testing of Android/iOS apps.
Frida – Dynamic instrumentation toolkit for bypassing security mechanisms.
Drozer – Android security testing framework.
adb (Android Debug Bridge) – Debugging and accessing Android devices.
Objection – Runtime mobile security assessment tool.
Why is Mobile Penetration Testing Important?
With the increasing use of mobile apps, attackers constantly find new ways to exploit security flaws. Mobile penetration testing helps:
✅ Prevent data breaches and financial fraud.
✅ Protect user privacy and sensitive information.
✅ Ensure compliance with GDPR, PCI-DSS, HIPAA regulations.
✅ Strengthen app security before deployment.