
Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.

About us

QuillAudits provides pen-testing services to enhance the security of your blockchain project. We also offer advanced smart contract audits for Ethereum, BSC, Tron, Matic (Polygon), Polkadot and Solana, blockchain protocol security, dApp audits, and formal verification to ensure your platform's integrity.

Connecting with you - By now you will have been added to a closed group with the Pentesting Team. You will be connected with the Project Manager and the Pentesters through this dedicated channel throughout the process, for collaboration and instant resolution. If at any point you have a query or need to discuss anything, we are just a message away!

It's great to know that you are concerned about the security of your platform and want to ensure the utmost security of your users' funds and data. As the pie chart below shows, the majority of hacks happen because of vulnerabilities in the platform (23.66%) or the smart contract (44.20%). So, before the platform goes into full-fledged production, it should have undergone a security audit and dApp pen testing, and be safe enough for users to keep their money on it.

[Pie chart: share of hacks by vulnerability location]

Multi Layer Pentest Process

Types of vulnerabilities covered during the Vulnerability Assessment & Pentesting process:

We ensure your pentest goes through all the stages, from manual code review to automated testing, before we generate the Initial Audit Report. Once your team updates the in-scope domain and repository, we scrutinise the changes thoroughly to provide you with the Final Audit Report. Let's dive deep into it and explore more.

Penetration testing methods

a) External testing (Black Box)

External penetration tests target the assets of a company that are visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access to and extract valuable data.

b) Internal testing (Grey Box)

In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue employee. A common starting scenario can be an employee whose credentials were stolen due to a phishing attack.

Step 1: Information Gathering and Threat Modeling

In this step, we first gather documentation from your team, such as a whitepaper, logic flow diagram and audit scope. We also gather information on the target using a variety of techniques; the most common are reconnaissance, enumeration and OSINT. The information gathered can be used for many things, such as building an attack tree or as a starting point for deeper information gathering.

Aims of this step:

Step 2: Testing/Discovery

The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:

- Static analysis: inspecting an application's code to estimate how it behaves while running. These tools can scan the entire codebase in a single pass.
- Dynamic analysis: inspecting an application's code in a running state. This is a more practical way of scanning, as it provides a real-time view of an application's behaviour.

Aims of this step:

What is a Business logic Review?

In this step, the pentester should understand the overall business logic: the various components, how each code snippet functions within the business, and the logic, business and data flow of the application. The pentester then tests whether broken or non-existent validation of user-supplied data allows users to make arbitrary changes to application-critical values or to submit nonsensical input. By passing unexpected values into server-side logic, a pentester can potentially induce the application to do something it isn't supposed to.
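As an added illustration (not QuillAudits' code or any client's), the two handlers below model the failure mode described above: a withdrawal endpoint that trusts client-supplied values beside its validated form, with constructed probes a reviewer would replay against it. The field names, limits and sample account are assumptions.

```python
class ValidationError(Exception):
    pass

def withdraw_unchecked(acct, payload):
    # Vulnerable: trusts client JSON as-is. A negative amount credits the
    # account; an unexpected "balance" key overwrites a critical value.
    if "balance" in payload:
        acct["balance"] = payload["balance"]
    acct["balance"] -= payload["amount"]
    return acct["balance"]

ALLOWED_FIELDS = {"amount"}
MAX_WITHDRAW = 10**9  # assumed per-request limit

def withdraw_checked(acct, payload):
    # Hardened: only the expected field, only a sane integer, only own funds.
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    amount = payload.get("amount")
    if type(amount) is not int:  # rejects "10", 10.0 and True alike
        raise ValidationError("amount must be an integer")
    if not 0 < amount <= MAX_WITHDRAW:
        raise ValidationError("amount out of range")
    if amount > acct["balance"]:
        raise ValidationError("insufficient balance")
    acct["balance"] -= amount
    return acct["balance"]

# Constructed probes a business-logic review would replay against the endpoint.
PROBES = {
    "negative_amount": {"amount": -50},
    "mass_assignment": {"amount": 1, "balance": 10**12},
    "string_amount": {"amount": "10"},
    "overdraw": {"amount": 500},
    "valid": {"amount": 30},
}

def run_probes(handler):
    # Replay each probe against a fresh 100-unit account and record the outcome.
    results = {}
    for name, payload in PROBES.items():
        acct = {"owner": "alice", "balance": 100}  # constructed sample account
        try:
            results[name] = handler(acct, dict(payload))
        except ValidationError as exc:
            results[name] = f"rejected: {exc}"
        except TypeError:
            results[name] = "crashed"  # unchecked handler computes 100 - "10"
    return results
```

Running `run_probes` on both handlers shows the unchecked one crediting funds, overdrawing and crashing, while the checked one rejects every probe except the valid withdrawal.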

Step 3: Exploitation

In this step, the objective is to use any weaknesses or security loopholes found in the Discovery stage. This is frequently done manually to get rid of false positives. The exploitation phase also involves exfiltrating data from the target and testing for persistence.

This step includes:

Step 4: Initial Pentesting Report

In the end, we would provide you with a comprehensive report, which we call the Initial Audit Report (IAR):

🦋 How you can help - You have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made after receiving the IAR; this helps us identify the changes and test them rigorously.

Note - Please be aware that once the in-scope details are fixed, we start the pentest process. If you make any changes to the code during the process, we will be able to check the updated code only after delivering the Initial Audit Report. We cannot abort the process midway and start working on the updated code.

Step 5: Final Audit Report

After the initial audit fixes, the process is repeated and the Final Audit Report is delivered. Even after the fixes you've made, some issues may remain unresolved, and/or those changes may have introduced a few more issues.

So, after receiving the Final Audit Report, you have to decide (based on the severity table listing the unresolved issues) whether to alter the code again or to move forward as it is. The report details each issue and includes an analysis that maps out the steps to mitigate the vulnerability.

This phase includes: