Exchange Security Audit

The SlowMist security team specializes in traditional network attack and defense. The achievements of its members have been highly recognized by the world's leading institutions. Our exchange security audit is more than a typical network audit: it is built around a unique private key architecture together with years of extensive practical security knowledge. The related security services provided by SlowMist have covered top digital trading platforms across dozens of industries, whether centralized or decentralized.

Security Audit: Our audits cover penetration testing topics in greater depth and detail than other penetration testing services. Through a combination of black box and gray box security audits, we discover vulnerabilities and propose solutions to our clients, together with suggestions for improving security and best security practices to prevent possible security risks in the future. The security audit provides a more comprehensive practical basis for the construction of the enterprise security system, and a professional Security Audit Report is issued according to the needs of the development team.


Processing Flow

Serial number / Audit class / Audit subclasses

1 Open Source Intelligence Gathering
   WHOIS information collection
   Real IP discovery
   Subdomain detection
   Mail service detection
   Certificate information collection
   Web service component fingerprint collection
   Port service component fingerprint collection
   C-segment (same /24 range) service discovery
   Personnel structure collection
   GitHub source code leak discovery
   Google hacking detection
   Privacy leak discovery

2 App Security Audit
   App runtime environment test
   Code decompilation detection
   File storage security detection
   Communication encryption detection
   Permissions detection
   Interface security test
   Business security test
   WebKit security test
   App cache security detection
   App WebView DOM security test
   SQLite storage security audit

3 Server Security Configuration Audit
   CDN service detection
   Network infrastructure configuration test
   Application platform configuration management test
   File extension resolution test
   Backup and unreferenced file test
   Management interface enumeration test
   HTTP method test
   HTTP Strict Transport Security (HSTS) test
   Web front-end cross-domain policy test
   Web security response header test
   Weak password and default password detection
   Admin backend discovery

4 Node Security Audit
   Node configuration security detection
   Node data synchronization security detection
   Node transaction security audit
   Node communication security detection
   Node open source code security audit

5 Identity Management Audit
   Role definition test
   User registration process test
   Account privilege change test
   Account enumeration test
   Weak username policy test

6 Authentication and Authorization Audit
   Password information encrypted transmission test
   Default password test
   Account lockout mechanism test
   Authentication bypass test
   Remember-password function test
   Browser cache test
   Password policy test
   Security question test
   Password reset test
   OAuth authentication model test
   Privilege escalation test
   Authorization bypass test
   Two-factor authentication bypass test
   Hash robustness test

7 Session Management Audit
   Session management bypass test
   Cookie attribute test
   Session fixation test
   Session token leak test
   Cross Site Request Forgery (CSRF) test
   Logout function test
   Session timeout test
   Session token overloading test

8 Input Security Audit
   Cross Site Scripting (XSS) test
   Template injection test
   Third-party component vulnerability test
   HTTP parameter pollution test
   SQL injection test
   XML external entity (XXE) injection test
   Deserialization vulnerability test
   SSRF vulnerability test
   Code injection test
   Local file inclusion test
   Remote file inclusion test
   OS command injection test
   Buffer overflow test
   Format string test

9 Business Logic Audit
   Interface security test
   Request forgery test
   Integrity test
   Timeout detection
   Interface rate limit test
   Workflow bypass test
   Application misuse protection test
   Unexpected file type upload test
   Malicious file upload test

10 Cryptographic Security Audit
   Weak SSL/TLS encryption and insecure transport layer protection test
   SSL pinning deployment test
   Transmission of sensitive data over non-encrypted channels test

11 Hot Wallet Architecture Security Audit
   -

12 Private Key Management System Security Audit
   -

Following the HKSFC’s latest requirements and the international OWASP standards, SlowMist has organized a checklist for HKSFC-compliant security audits. By analyzing HKSFC’s circulars and guidelines in depth and leveraging years of blockchain security experience, SlowMist has developed an HKSFC-compliant security audit framework that also aligns with the OWASP international standards for Web, iOS, and Android, so that a project meets HKSFC requirements while conforming to OWASP standards. The framework encompasses:

1 HKSFC’s 23 Compliance Requirements
2 OWASP Web’s 13 Compliance Requirements
3 OWASP Android’s 7 Compliance Requirements
4 OWASP iOS’s 7 Compliance Requirements
5 Over 170 security audit items compiled by SlowMist

With the new virtual asset policies, the blockchain sector embraces fresh opportunities, marking the Web3 industry as the innovation frontier for entrepreneurs and builders. To safeguard user assets, user rights, and market stability, compliance is an inevitable trend, and regulatory oversight of the cryptocurrency industry is maturing. Since its establishment, SlowMist has embraced compliance and regulation, offering compliance security audit services. SlowMist’s security team continually translates frontline security capabilities into corresponding compliance check items, providing compliance security audit services for outstanding projects within the Web3 industry.
