Pentests
Overview
Nullify runs continuous, hands-off penetration tests as a deep assessment of your deployed applications. These tests detect authentication and business logic flaws by exploiting the weaknesses discovered during code review, leveraging the comprehensive knowledge model built from analyzing your codebase. Nullify maps endpoints, replays authenticated flows, crafts payloads informed by code-level vulnerabilities, and validates exploit chains with reproduction evidence.
Triggering Pentests
Pentests support both on-demand and scheduled execution:
On-Demand
Triggered via API endpoint immediately
Start pentest for specific application
Full control over scan parameters
Immediate execution with results tracking
Scheduled (Optional)
Daily, weekly, or monthly frequencies
Configurable start time with timezone support
Associated with cloud integrations (AWS, Azure, GCP)
Can be enabled/disabled per application
Most organizations use on-demand pentests triggered by:
New application deployments
Major feature releases
Security Program Management campaigns
Post-remediation validation
Supported Application Types
Nullify pentests REST and GraphQL APIs:
REST APIs
OpenAPI/Swagger schema-based testing
Automatic schema discovery (checks /openapi.json, /swagger.json, /api-docs)
Fuzzing of path parameters, query strings, request bodies
Microsoft RESTler integration for intelligent API testing
GraphQL APIs
Introspection query analysis
Mutation and query testing
Schema-based attack generation
Authorization matrix testing across resolvers
Authenticated Testing
Nullify supports comprehensive authenticated pentest workflows:
Authentication Methods
Bearer Tokens: JWT, OAuth2 access tokens
Basic Auth: Username/password pairs
OAuth Flows: Authorization code, client credentials
Custom Headers: API keys, custom authentication schemes
Login Flows: POST to login endpoint with credentials
Single-User Testing
Tests authenticated endpoints with a single user context:
auth:
  method: "bearer"
  token: "${API_TOKEN}"
  headers:
    X-API-Key: "${API_KEY}"
Authorization Matrix Testing
Tests access control across multiple user roles:
auth:
  users:
    - role: "admin"
      method: "bearer"
      token: "${ADMIN_TOKEN}"
    - role: "user"
      method: "bearer"
      token: "${USER_TOKEN}"
    - role: "readonly"
      method: "bearer"
      token: "${READONLY_TOKEN}"
Matrix Analysis:
Validates each role can only access authorized endpoints
Detects privilege escalation opportunities
Identifies broken access control (IDOR, vertical/horizontal escalation)
Tests for missing authorization checks
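As an added illustration (not Nullify's own code), the following Python sketch shows the kind of comparison the matrix stage performs: given an expected-access table and the status each configured account received, it classifies results into missing authorization, vertical escalation, horizontal escalation (IDOR) and unexpected denials. The accounts, the endpoint table and the sample responses are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Constructed for this example: the three configured roles plus an unauthenticated
# baseline account, and a hypothetical expected-access matrix per endpoint.
USERS: Dict[str, str] = {  # test account -> role
    "anon": "anonymous", "ro": "readonly", "alice": "user", "bob": "user", "root": "admin",
}
EXPECTED: Dict[str, Set[str]] = {  # endpoint -> roles that may reach it
    "GET /api/users/me": {"readonly", "user", "admin"},
    "DELETE /api/users/{id}": {"admin"},
    "GET /api/orders/{id}": {"user", "admin"},  # object owner or admin only
}

def granted(status: int) -> bool:
    """A 2xx means the server served the request; 401/403/404 count as denied."""
    return 200 <= status < 300

def analyze_matrix(observed: List[dict]) -> List[dict]:
    """Each observation: {"user", "endpoint", "status", "owner"}; owner is the test
    account whose object the request targeted (absent for non-object endpoints)."""
    findings = []
    for obs in observed:
        user, endpoint, status = obs["user"], obs["endpoint"], obs["status"]
        owner: Optional[str] = obs.get("owner")
        role, allowed, kind = USERS[user], EXPECTED[endpoint], None
        if granted(status):
            if role == "anonymous":
                kind = "missing_authorization"       # no access check at all
            elif role not in allowed:
                kind = "vertical_escalation"         # lower role reached a higher-role endpoint
            elif owner and owner != user and role != "admin":
                kind = "horizontal_escalation_idor"  # peer reached another user's object
        elif role in allowed and (owner is None or owner == user):
            kind = "unexpected_denial"               # legitimate access wrongly blocked
        if kind:
            findings.append({"kind": kind, "user": user, "role": role,
                             "endpoint": endpoint, "status": status})
    return findings

# Constructed responses standing in for a real run against the three roles.
SAMPLE_RUN = [
    {"user": "alice", "endpoint": "GET /api/orders/{id}", "owner": "alice", "status": 200},
    {"user": "alice", "endpoint": "GET /api/orders/{id}", "owner": "bob", "status": 200},
    {"user": "ro", "endpoint": "DELETE /api/users/{id}", "owner": "bob", "status": 204},
    {"user": "anon", "endpoint": "GET /api/users/me", "status": 200},
    {"user": "bob", "endpoint": "GET /api/users/me", "status": 403},
    {"user": "root", "endpoint": "GET /api/orders/{id}", "owner": "alice", "status": 200},
]

if __name__ == "__main__":
    for f in analyze_matrix(SAMPLE_RUN):
        print(f"{f['kind']:<28} {f['user']}/{f['role']} -> {f['endpoint']} ({f['status']})")
```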
Pre-Authentication Validation
Before testing begins, Nullify:
Authenticates all configured users
Fails fast if any user cannot authenticate
Validates tokens/credentials are valid
Maintains authenticated sessions throughout testing
Request Chaining & Exploit Validation
Nullify validates vulnerabilities through multi-stage exploitation:
Stateful Session Management
Maintains correlation IDs across requests
Preserves authentication context throughout chains
Tracks session state and cookies
Supports multi-step workflows
Fuzzing Integration
Replaces FUZZ tokens in URLs, headers, query params, and bodies
Custom wordlists for targeted fuzzing
Up to 1000 fuzz values per parameter
Concurrent execution (10 requests simultaneously)
Response analysis (status codes, sizes, timing anomalies)
Exploit Chain Execution
Example multi-stage attack:
Endpoint Discovery → Identify API endpoints via schema
Parameter Fuzzing → Find injection points
SQL Injection → Extract database credentials
Lateral Access → Use credentials to access admin endpoints
Data Exfiltration → Demonstrate data breach capability
Response Analysis & Iteration
Parses responses (status, headers, body)
Extracts data from responses for subsequent requests
Analyzes error messages for information disclosure
Adapts strategy based on application behavior
Execution time can reach 50+ minutes for complex chains
Vulnerability Coverage
Pentests validate:
Injection Flaws: SQL, NoSQL, Command, LDAP, XPath
Broken Authentication: Weak passwords, session fixation, token manipulation
Broken Authorization: IDOR, privilege escalation, missing access controls
Security Misconfiguration: Debug mode, default credentials, verbose errors
Business Logic Flaws: Price manipulation, workflow bypass, race conditions
SSRF: Server-side request forgery with cloud metadata access
XXE: XML external entity injection
File Upload: Malicious file upload and execution
Integration with Code Analysis
Pentests leverage findings from Code Review:
SAST Intelligence:
Code vulnerabilities (CWEs) guide pentest strategies
Known injection points prioritized for testing
Vulnerable code patterns inform payload selection
SCA Intelligence:
Dependency vulnerabilities (CVEs) inform exploit attempts
Version-specific exploits (e.g., Log4Shell) validated
Supply chain weaknesses tested in live environment
Secrets Intelligence:
Discovered credentials used for authenticated testing
API keys validated against actual services
Token expiration and scope tested
Application Management
Every pentest must be associated with an Application:
Application Attributes:
Name and description
One or more instances (URLs/endpoints)
Business criticality level
Environment (dev, staging, prod)
Pre-configured credentials
Scan preferences and schedules
Instance Configuration:
Base URL for testing
API schema location (file path, URL, or auto-discovery)
GraphQL endpoint (if applicable)
Authentication requirements
Evidence & Reporting
Pentest findings include:
Request/Response Pairs: Full HTTP traffic demonstrating vulnerability
Exploit Steps: Detailed reproduction instructions
Impact Analysis: Business impact and blast radius
Fix Guidance: Specific remediation recommendations
Screenshots: Visual proof of exploitation (where applicable)
Video Recordings: Optional video walkthrough of exploit chain
Safety & Rate Limiting
Pentests respect production stability:
Adaptive Rate Limiting: Backs off if application shows stress
Distributed Locking: Prevents concurrent scans of same application
Timeout Handling: Graceful degradation on slow responses
Emergency Stop: Aborts on systemic failures (auth expired, target down)
Failure Distinction: Separates hypothesis failures from environmental issues
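As an added example (not Nullify's own implementation), this Python controller models the three safety rules above as one state machine: it classifies each response as normal, stress, environmental or auth-expired, doubles the inter-request delay under stress, aborts immediately on a lost session, and aborts only after repeated environmental failures so that a single blip is not mistaken for a dead target. Thresholds and the replayed responses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Observation:
    status: Optional[int]   # None when the request timed out or the connection failed
    latency_ms: float

@dataclass
class SafetyController:
    """Adaptive back-off plus emergency stop; thresholds are illustrative, not Nullify's."""
    base_delay_ms: float = 100.0
    max_delay_ms: float = 5000.0
    slow_threshold_ms: float = 2000.0
    abort_after_env_errors: int = 5
    delay_ms: float = field(init=False, default=0.0)
    env_errors: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.delay_ms = self.base_delay_ms

    def classify(self, obs: Observation) -> str:
        """Failure distinction: environmental problems belong to the target, not to the hypothesis."""
        if obs.status is None or obs.status in (502, 503, 504):
            return "environmental"   # target down or unreachable
        if obs.status == 401:
            return "auth_expired"    # session lost: every further result would be noise
        if obs.status == 429 or obs.latency_ms > self.slow_threshold_ms:
            return "stress"          # application is struggling: slow down
        return "normal"              # any other outcome is judged against the test hypothesis

    def step(self, obs: Observation) -> Tuple[str, float, str]:
        """Returns (action, delay before the next request in ms, classification)."""
        kind = self.classify(obs)
        if kind == "auth_expired":
            return ("abort", 0.0, kind)
        if kind == "environmental":
            self.env_errors += 1
            if self.env_errors >= self.abort_after_env_errors:
                return ("abort", 0.0, kind)          # systemic failure: emergency stop
        if kind in ("environmental", "stress"):
            self.delay_ms = min(self.delay_ms * 2, self.max_delay_ms)
            return ("backoff", self.delay_ms, kind)
        self.env_errors = 0
        self.delay_ms = max(self.base_delay_ms, self.delay_ms / 2)   # recover gradually
        return ("continue", self.delay_ms, kind)

if __name__ == "__main__":
    ctl = SafetyController()
    for obs in (Observation(200, 50), Observation(429, 50), Observation(200, 3000),
                Observation(200, 50), Observation(None, 0), Observation(401, 20)):
        print(obs, "->", ctl.step(obs))
```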
Workflow Integration
Pentest findings flow into:
Jira: Auto-created tickets with severity-based prioritization
Slack: Real-time notifications for critical findings
GitHub/Bitbucket: Correlation with source code repositories
Security Program Management: Campaign-driven remediation tracking
Remediation: Prioritized for auto-fix when applicable
Credential Isolation
Pentests use isolated credential context:
Credentials marked as pentest context only
Cannot access bug hunt-specific credentials
Credentials never logged in clear text (SOC2 compliant)
Automatic redaction in logs and reports
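The redaction rule above, as an added Python example rather than Nullify's own implementation: it masks Authorization and API-key headers, token-bearing query parameters and bare JWT-shaped strings in captured HTTP traffic, keeping a short suffix so that two log lines about the same credential can still be correlated. The header list, patterns and the sample request are constructed for the example.

```python
import re

# Constructed patterns: credential-carrying headers (matched per line), token-style
# query parameters, and bare three-segment JWT-shaped strings anywhere in the text.
_HEADER_RE = re.compile(r"(?im)^(authorization|proxy-authorization|x-api-key|cookie)\s*:\s*(.+)$")
_QUERY_RE = re.compile(r"(?i)([?&](?:access_token|api_key|token)=)[^&\s]+")
_JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")

def _mask(secret: str, keep: int = 4) -> str:
    """Keep a short suffix for correlation; very short values are masked completely."""
    return "[REDACTED]" if len(secret) <= keep else f"[REDACTED...{secret[-keep:]}]"

def redact(text: str) -> str:
    """Return a copy of captured request/response text safe to write to logs or reports."""
    def header(m: "re.Match[str]") -> str:
        name, value = m.group(1), m.group(2).strip()
        scheme, _, cred = value.partition(" ")
        if scheme.lower() in ("bearer", "basic") and cred:
            return f"{name}: {scheme} {_mask(cred)}"   # keep the scheme, hide the credential
        return f"{name}: {_mask(value)}"
    text = _HEADER_RE.sub(header, text)
    text = _QUERY_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return _JWT_RE.sub(lambda m: _mask(m.group(0)), text)

# Constructed capture; none of these values are real credentials.
SAMPLE = """POST /api/login HTTP/1.1
Host: app.example.internal
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig_constructed_1234
X-API-Key: ak_live_constructed_0001
GET /api/orders?access_token=tok_constructed_9999&page=2
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```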
Configuration
Configure pentests during Onboarding:
Applications: Define target applications and instances
Credentials: Add authentication credentials for testing
Schedules: Set up optional recurring scans
Scope: Specify included/excluded endpoints
Differences from Bug Hunts
Dimension   | Bug Hunts                              | Pentests
Scope       | External attack surface (domains, IPs) | Known applications (APIs, web apps)
Discovery   | Subdomain enumeration, port scanning   | API schema analysis, endpoint mapping
Depth       | Passive reconnaissance, theory-based   | Active exploitation with validation
Credentials | Bughunt context                        | Pentest context (isolated)
Safety      | Read-only, 1 req/sec max               | Controlled exploitation, adaptive rate limits
Evidence    | Network maps, service inventory        | Request/response pairs, exploit chains
Scheduling  | Daily/weekly/monthly                   | On-demand + optional scheduling