
QuillAudits Docs

Walk-through: a journey with us to secure your dApp

Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.


About us

QuillAudits provides penetration-testing services to enhance the security of your blockchain project. We also offer advanced smart contract audits for Ethereum, BSC, Tron, Matic (Polygon), Polkadot, and Solana, Blockchain Protocol Security, dApp Audits, and formal verification to ensure your platform's integrity.



Connecting with you - By this time, you must have been added to a closed group with the Pentesting Team. You will be connected with the Project Manager and the Pentesters through this dedicated channel throughout the process for collaboration and instant resolution. At any point, if you have a query or need to discuss anything, we are just a message away!


It’s great to know that you are concerned about the security of your platform and want to ensure the utmost security of your users' funds and data. As the pie chart below shows, the majority of hacks happen due to vulnerabilities in the platform (23.66%) or the smart contract (44.20%). So, before a platform goes into full-fledged production, it should have undergone a security audit and dApp pen testing and be safe enough for users to keep their money in it.



Pentest Process

Types of vulnerabilities covered during the Vulnerability Assessment & Pentesting process:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • Business Logic Review
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging and Monitoring
  • Improper Certificate Validation
  • Cross-Site Request Forgery (CSRF)
  • Unrestricted Upload of File with Dangerous Type

We ensure your pentest goes through all the stages, from manual code review to automated testing, before we generate the Initial Audit Report. Once your team updates the in-scope domain & repository, we scrutinize the changes thoroughly to provide you with the Final Audit Report. Let's dive in and explore each stage.


Penetration testing methods

a) External testing (Black Box)

External penetration tests target the assets of a company that are visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access to and extract valuable data.


b) Internal testing (Grey Box)

In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue employee. A common starting scenario can be an employee whose credentials were stolen due to a phishing attack.


Step 1 - Information Gathering and Threat Modeling

In this step, we first gather documentation from your team, such as the whitepaper, logic flow diagram, audit scope, etc. We also gather information on the target using a variety of techniques; the most common are Reconnaissance, Enumeration, and OSINT. The information gathered can be used for many things, such as building an attack tree or digging deeper for additional information.

Aims of this step:

  • Using OSINT to collect all publicly available data
  • Understanding the architecture of the application
  • Finding & mapping threat entry points

Step 2 - Testing/Discovery

The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:

Static analysis – Inspecting an application’s code without running it to estimate how it behaves at runtime. These tools can scan the entirety of the code in a single pass.

Dynamic analysis – Inspecting an application in its running state. This is a more practical way of scanning, as it provides a real-time view of the application’s actual behaviour.

Aims of this step:

  • API Security Testing
  • Static and Dynamic Testing
  • Functional & Business Logic Error Testing
    • Focus on issues regarding security, attacks, mathematical errors, logical issues, etc.

What is a Business Logic Review?

In this step, the pentester should understand the overall business logic. Typically, a pentester should understand the various components, how each code snippet functions within the business, and map the logic, business, and data flow of the application. After that, the pentester probes for broken or non-existent validation of user-supplied data, which might allow users to make arbitrary changes to application-critical values or submit nonsensical input. By passing unexpected values into server-side logic, a pentester can potentially induce the application to do something it isn't supposed to.
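The broken-validation scenario described above, as an added example that is not part of this document or of QuillAudits' tooling: a constructed order endpoint that trusts the client-supplied price and wallet balance, placed beside a hardened version that accepts only the item id and quantity from the client and validates them against server-side state. The catalogue, the ledger, the request shape and the handler names are all assumptions made for this illustration.

```javascript
// Added example (not QuillAudits' code): business-logic validation of
// user-supplied order data. Catalogue, ledger and handlers are constructed.

// Constructed server-side catalogue: the price here is authoritative, not
// whatever the request claims.
const CATALOGUE = {
  "nft-pass":     { priceCents: 5000, stock: 10 },
  "token-bundle": { priceCents: 500,  stock: 100 },
};

// Constructed server-side ledger of user balances (cents).
const LEDGER = {
  balances: { alice: 10000 },
  balanceOf(userId) { return this.balances[userId] ?? 0; },
};

// Vulnerable handler: every field, including price and wallet balance, is
// taken from the client. A tampered request can set its own price, claim any
// balance, or send a negative quantity that turns a purchase into a credit.
function createOrderVulnerable(req) {
  const total = req.price * req.quantity;
  if (total > req.walletBalance) return { ok: false, reason: "insufficient funds" };
  return { ok: true, itemId: req.itemId, quantity: req.quantity, totalCents: total };
}

// Hardened handler: only itemId and quantity come from the client; price,
// stock and balance are looked up server-side, and quantity must be a positive
// integer within stock before any arithmetic is done.
function createOrderHardened(req, ledger = LEDGER) {
  const item = CATALOGUE[req.itemId];
  if (!item) return { ok: false, reason: "unknown item" };

  const qty = req.quantity;
  if (!Number.isSafeInteger(qty) || qty < 1 || qty > item.stock) {
    return { ok: false, reason: "invalid quantity" };
  }

  const total = item.priceCents * qty;         // server-side price only
  if (total > ledger.balanceOf(req.userId)) {
    return { ok: false, reason: "insufficient funds" };
  }
  return { ok: true, itemId: req.itemId, quantity: qty, totalCents: total };
}

// Constructed requests a business-logic review would try.
const TAMPERED_PRICE = {
  userId: "alice", itemId: "nft-pass", quantity: 3, price: 1, walletBalance: 999999,
};
const NEGATIVE_QUANTITY = {
  userId: "alice", itemId: "nft-pass", quantity: -2, price: 5000, walletBalance: 100,
};
const LEGITIMATE = { userId: "alice", itemId: "token-bundle", quantity: 2 };

// Runs each request through both handlers so the difference is visible.
function compare() {
  return {
    tamperedPrice:    [createOrderVulnerable(TAMPERED_PRICE),    createOrderHardened(TAMPERED_PRICE)],
    negativeQuantity: [createOrderVulnerable(NEGATIVE_QUANTITY), createOrderHardened(NEGATIVE_QUANTITY)],
    legitimate:       [createOrderHardened(LEGITIMATE)],
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The point a reviewer checks for is not the arithmetic but the trust boundary: every value that influences a critical decision (price, balance, stock) is re-derived on the server, and the one client-controlled number is type- and range-checked before it is used.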


Step 3 - Exploitation

In this step, the objective is to exploit any weaknesses or security loopholes found in the Discovery stage. This is frequently done manually to eliminate false positives. The exploitation phase also covers exfiltration of data from the target and maintaining persistence.

This step includes:

  • Using different tools for automated and manual assessment
  • Integrity Assessment
  • Documenting Testing Discoveries
  • Verifying Security Weaknesses and Vulnerabilities
  • Exploiting Security Weaknesses and Vulnerabilities

Step 4 - Initial Pentesting Report

At the end of this step, we provide you with a comprehensive report, which we call the Initial Audit Report (IAR):

  • A comprehensive vulnerability assessment & pentesting report.
  • It encapsulates details of the pentest and solutions to the vulnerabilities (if any were found) in the in-scope domain.
  • We expect you to resolve the identified bugs & make suitable changes to the code.


🦋How you can help - You have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made after getting the IAR; this helps us identify the changes and test them rigorously.

Note - Please acknowledge that once the in-scope details are fixed, we start the pentest process. If you make any changes to the code in between, we will be able to check the updated code only after delivering the Initial Audit Report. We cannot abort the process midway and start working on the updated code.


Step 5 - Final Audit Report

After the initial audit fixes, the process is repeated, and the Final Audit Report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have introduced a few more issues.

So, after receiving the Final Audit Report, you have to decide (based on the severity table listing the unresolved issues) whether to alter the code again or to move forward as it is. The report goes into detail about each issue, along with an analysis that maps out the steps to mitigate the vulnerability.


🦋How you can help - After getting the Final Audit Report, please notify us whether we can proceed to prepare the final designed draft or if you are going to fix the code again.


This phase includes:

  • Review and Document Discoveries
  • Prepare a Report which consists of steps to mitigate the vulnerability

Step 6 - Delivery

After getting a green light from the previous step, we send the report to our designers. With their skills, they produce a PDF version of the Audit Report and showcase everything in it beautifully.


Post-Audit-Announcements

On your request, we make an Audit Announcement from our social media handles to mark the completion of the audit.

You also get access to the QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners).


🚧The completion of this step depends entirely on the calendar availability of our Marketing Team. Therefore, this step might take some time to complete.


Feedback

Your feedback helps us improve and enhance our services. It helps us bring innovations into what we offer so we can serve you better.

Please click here to provide your valuable feedback - Feedback Link


🦋Survey - Kindly provide your valuable inputs by filling out the survey form to aid us in understanding the current DeFi & NFT market better. It would help us to improve upon our methodology for smart contracts security. Survey Link


Join Our Referral Program: Become a part of our quest for Securing Blockchain and Get Rewarded 🥳

💡Do you know a friend who might be in need of a Smart Contract Audit? 🙋‍♂️🙋‍♀️

We have something that you might be super interested in!

Together, we can benefit many DeFi, NFT, and DAO projects by securing them with QuillAudits.

Refer anyone looking for an audit, and get up to 15% on each referral. Click on the link below to get access to exciting offers. 🚀

https://bit.ly/3hqN6ZM



Subscribe to our Newsletter

Get Pure Alpha Straight to Your Inbox. Miss this, and you’re missing out. Insider Secrets - Delivered Right to You. Subscribe now.
