Adcy.io – VAPT Pre-Engagement Questionnaire

Name of Organization: *

Website / Application Testing URL: * (e.g. https://www.myapp.com/)

Email * (Email, Confirm Email)
Please enter your email, so we can follow up with you.

Will this be a white box test or a black box test? *
- White Box
- Black Box
- Other
White Box can be best described as a test where specific information has been provided, in order to focus the effort. Black Box can be best described as a test where no information is provided by the client and the approach is left entirely to the penetration tester (analyst) to determine a means for exploitation.

What are the objectives?
- Map out vulnerabilities
- Demonstrate that the vulnerabilities exist
- Test the Incident Response
- Actual exploitation of a vulnerability in a network, system, or application. Obtain privileged access, exploit buffer overflows, SQL injection attacks, etc. This level of test would carry out the exploitation of a weakness and can impact system availability.
- All of the above.

At what time do you want these tests to be performed?
- During business hours
- After business hours
- Weekend hours
- During system maintenance window
(Kindly mention the preferred dates also)
Multiple dates: one or multiple dates or days.

Are the machines to be tested a part of the production environment?
- Yes
- No

If the application is hosted inside an internal network, we may need a VPN connection or a proxy to access the application. Which method will you provide?
- VPN Connection
- Proxy Access

How many web applications are being assessed?

Number of subdomains to be tested (if any).

URLs for each domain/subdomain.

What is the website development platform? *

Is the web application internet facing?
- Yes
- No

Are Rich Internet Applications (RIA) used in the application? E.g. Flash, Silverlight, etc.

Is a payment gateway integrated with the application? *
- Yes
- No
How many? *

Are web services integrated with the application?
- Yes
- No
How many?

How many authorization levels are there? *

How many dynamic pages/input pages does the application have? (approx.) *

Which database is used?

Any special functionality in the application?

Number of user roles in the application? E.g. Normal Users, Housing Society, etc.

How many static pages does the application have? (approx.)

Does it require conducting a network test on the machine where the web application is hosted? *
- Yes
- No

Number of IP addresses / domains / machines to test.

If the target is a domain name, do you need to test subdomains?
- Yes
- No
How many subdomains.

Are there any IDS/IPS/firewalls/load balancers?

When a system is penetrated, how should the testing team proceed?
- Perform a local vulnerability assessment on the compromised machine?
- Attempt to gain the highest privileges (root on Unix machines, SYSTEM or Administrator on Windows machines) on the compromised machine?
- Perform no, minimal, dictionary, or exhaustive password attacks against local password hashes obtained (for example, /etc/shadow on Unix machines)?

Name