Web Penetration Testing

Securing Web Applications with Proven Expertise

Web App Security Experts

Securing the Backbone of Your Online Presence

Elves Core Cyber Security (formerly Elves Core) conducts penetration testing for web applications that operate via internet browsers.

Our company has been a leading presence in web application penetration testing, continuously identifying vulnerabilities in various programming languages and environments. We contribute to data protection across a wide range of systems, from large-scale AWS environments to legacy applications. Additionally, we have discovered and publicly disclosed dozens of zero-day vulnerabilities, with our research being featured in news articles, proving our standing as top-tier security testers.

Traditional vulnerability assessments and penetration tests often cost between 5 million and 10 million yen, making them difficult to implement.

Our service focuses on vulnerability assessments and report generation, allowing us to reduce costs. By minimizing time spent on preliminary meetings and report writing—key cost factors—we achieve affordability.

Lower costs do not mean lower test quality. By focusing on essential testing criteria, our service is widely adopted and highly rated by companies ranging from small businesses to large enterprises.

In addition to cost savings, our streamlined approach enables rapid testing completion, allowing for quick security assessments.

Proven Testing Excellence

Why choose our penetration testing?

Focused Reports, Lower Costs

By streamlining the reporting process, we eliminate unnecessary preliminary meetings and excessive report creation, significantly reducing costs.

Global White Hat Expertise

Our highly skilled engineers, active worldwide, utilize the latest cybersecurity technologies and techniques to keep your security up to date at all times.

Start Testing in Five Days

After confirming your application and placing the order, we can begin penetration testing in as little as five days, with no complicated procedures, ensuring fast and efficient security assessments.

Our Process

Comprehensive Web Penetration Testing Method

1. Define the Testing Scope

Before evaluating a web application, we work closely with our clients to clearly define the testing scope. This stage emphasizes thorough communication to ensure mutual understanding and establish a solid foundation for assessment.

  • Clearly define the testing scope with the client before starting.
  • Specify pages/subdomains to be excluded from evaluation.
  • Confirm the testing period and time frames.

2. Information Gathering

Our engineers utilize various tools and techniques, including OSINT (Open Source Intelligence) and OWASP Top 10 methodologies, to gather as much information as possible about the target system. The collected data helps in understanding the client's operational environment and contributes to a more accurate risk assessment. Potential intelligence sources include:

  • Leaked PDF, DOCX, XLSX files from Google search results.
  • Previous data breaches and leaked authentication credentials.
  • Posts on forums made by application developers.
  • Publicly available robots.txt files.

3. Enumeration

At this stage, we use a combination of automated scripts and tools to gather more advanced information. Our engineers meticulously investigate potential attack vectors, collecting critical data to be utilized in the next testing phases.

  • Enumeration of directories and subdomains.
  • Identifying misconfigurations in cloud services.
  • Linking known vulnerabilities to applications and associated services.

4. Exploitation & Intrusion

During the vulnerability verification phase, we attempt actual attacks by exploiting identified attack paths. However, we conduct these tests with extreme caution to minimize any impact on web applications and data. The primary attack techniques used in this stage include:

  • SQL Injection, Cross-Site Scripting (XSS), and other vulnerability exploits.
  • Attempting authentication bypass using leaked credentials and brute-force tools.
  • Monitoring web application behavior to detect unsafe protocols and functions.

5. Report Generation

Report generation marks the final stage of the assessment process. Our analysts compile all collected data into a comprehensive report detailing the investigation results.

The report begins with an overview of the overall risk landscape, highlighting the strengths and weaknesses of the application's security and logic. Additionally, it includes strategic recommendations to assist management in making informed decisions regarding application security.

For each vulnerability, the report provides a detailed technical analysis, including test processes and remediation steps for IT teams, ensuring an efficient resolution process. ElvesCore ensures that all reports are clear and easy to understand.

6. Post-Remediation Testing

Upon client request, we conduct re-evaluations after vulnerabilities have been remediated (post-patch testing). This process verifies that the fixes have been properly implemented and that the identified risks have been eliminated. Additionally, we update past assessment reports to reflect the improved security posture of the application.

Service Details

Enhancing Web Application Security in Compliance with OWASP Top 10

Our company prioritizes web application security and adheres to the OWASP Top 10 guidelines. The Open Web Application Security Project (OWASP) Top 10 is a globally recognized standard that identifies the most critical security risks in web applications and guides their mitigation. Our expert team ensures that your web applications are protected from common vulnerabilities, maintaining a robust and secure system.

Injection Attacks

Protects your data from vulnerabilities such as SQL, NoSQL, OS, and LDAP injection attacks.

Security Misconfigurations

Reviews security settings and fixes misconfigurations to eliminate risks caused by improper configurations.

Weak Authentication Mechanisms

Establishes strong authentication mechanisms to safeguard user identities and credentials.

Cross-Site Scripting (XSS)

Prevents session hijacking and website defacement caused by malicious scripts.

Sensitive Data Exposure Prevention

Implements encryption and secure storage methods to protect sensitive information.

Insecure Deserialization

Mitigates risks associated with deserialization vulnerabilities that could be exploited by attackers.

XML External Entities (XXE) Vulnerabilities

Reduces risks from malicious XML input that could compromise security.

Use of Components with Known Vulnerabilities

Ensures third-party components are regularly updated to maintain security.

Broken Access Control

Implements proper access controls to prevent unauthorized access to systems and data.

Insufficient Logging and Monitoring

Establishes comprehensive logging and monitoring to quickly detect and respond to security incidents.

Overview

Penetration Testing

Our highly skilled team of white-hat hackers conducts detailed and thorough assessments of your applications, servers, and networks. We identify vulnerabilities and potential data leaks, analyze the root causes of security issues, and provide a comprehensive report with actionable improvement measures.

Recommended for Customers Who:

  • Want to identify the root causes of vulnerabilities
  • Want detailed insights into specific remediation strategies
  • Have conducted a security assessment but are not satisfied with the results

Starting from ¥600,000

14 days or more

Purpose: Diagnose the presence of personal data leaks and vulnerabilities. If issues are found, conduct a thorough root cause analysis.

Research environment: Production environment possible

Testing method: Production environment possible

Result: Submit a report

*The above pricing is the base rate and may vary depending on the number of pages or server requirements. For a detailed quote, please feel free to contact us.

Test Content

Diagnosis Scope: Web application, Mobile APP (iOS/Android), System software, Network

Diagnosis Tools: Burp Suite, Acunetix, Nmap, Netsparker, Zed Attack Proxy, Metasploit, Kali Linux, w3af

Diagnosis Items: Authentication security diagnosis, Broken object-level authentication diagnosis, Broken authentication diagnosis, Broken object property-level authentication diagnosis, Unrestricted resource consumption diagnosis, Broken weak scope authentication diagnosis, Unrestricted access in cross-business flow diagnosis, Server-side request forgery diagnosis, Security misconfiguration diagnosis, Proper session management diagnosis, Insecure API usage diagnosis, Advanced penetration diagnosis, Scenario-based diagnosis, Comprehensive reporting

Diagnosis Details: Authentication security test, Object-level authorization bypass, Authentication bypass, Unrestricted resource usage, Attack scenario creation, APT (Advanced Persistent Threat) simulation, CI/CD security check, Red Team participation, Comprehensive report creation

If you have any questions or inquiries, feel free to contact us.

Protect your services with penetration testing by white hat hackers