Proposal For Conducting Website Security Audit of Invest Rajasthan Website Application.


Oct 19, 2021

To,

Shri Amit Bora,
Manager
Bureau of Investment Promotion,
Udyog Bhawan, Jaipur,
Rajasthan – 302005

Dear Sir,

Sub: Proposal for Conducting Website Security Audit of Invest Rajasthan Website & Application.

We thank you for the opportunity given to us to apply to undertake the Website Security Audit of https://invest.mdigi.website/ & https://invest.mdigi.website/admin

We hope you find everything in order. Thanking you and hoping to hear from you soon. If you need any further information / clarification, please feel free to contact the undersigned.

Regards,

For AAA Technologies Limited

Anjay Agarwal
Chairman & Managing Director
B.Com, LL.B(Gen), F.C.A., Grad. CWA, A.C.S.,
C.I.A. (USA), C.F.E. (USA), C.I.S.A. (USA),
PGDFERM, I.S.A., D.I.R.M., BS7799 Certified
Lead Implementer, A.B.C.I.(U.K.), ISO 27001
Certified Lead Implementer, ISO 27001
Certified Lead Auditor, BCMS Certified Lead
Implementer, CGEIT (USA), CEH, ECSA & LPT,
COBIT Certified Assessor, CISA Certificate No.: 23850

AAA Technologies Ltd Page 1 of 13


Table of Contents

Scope of work .......... 3-4
Procedure for conduct of Website Security Audit .......... 5
Commercial .......... 6
Deliverables .......... 7
Company Overview .......... 8-10
Web Application Details .......... 11



Web Application Scope of Work

Sr. no. / Attack Type / Description

1. A1 - Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

2. A2 - Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

3. A3 - Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

4. A4 - XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

5. A5 - Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.



6. A6 - Security Misconfiguration: Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

7. A7 - Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

8. A8 - Insecure Deserialization: Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

9. A9 - Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

10. A10 - Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.



Procedure for conduct of Website Security Audit

a) After receiving the work order and the details mentioned above, we would conduct the first round of the security audit.

b) If we find any vulnerability, we will communicate the same to you, and you will ensure that the vulnerabilities are removed.

c) You will then communicate to us that the vulnerabilities have been removed. Thereafter, we shall conduct the final round of the audit and send you the report.

d) In case any subsequent or additional audit is required, it would be charged extra as stated in the professional fees.

e) We will take 9 to 10 working days to start the audit.

f) The audit does not include risk mitigation.

g) The security audit would be conducted offsite.



Commercial

Our professional fee for conducting a one-time security audit and a one-time compliance audit is mentioned below.

Sr No.: 1
Scope of Work: Security audit of Invest Rajasthan Website & Application
  https://invest.mdigi.website/
  https://invest.mdigi.website/admin
Total offer price in INR:
  Professional Fee: 89,000/-
  GST @ 18%: 16,020/-
  Total Price: 105,020/-

Changes in scope shall require pro-rata adjustment of prices.

The amount mentioned above is inclusive of GST.

The same shall be payable as under:

100% on submission of the website security audit report.
The cheque should be in favour of “AAA Technologies Limited”.
100% payment after the completion of work.



Deliverables

Website Security Audit Report and Certificate including recommendations.



COMPANY OVERVIEW

✓ The Company, AAA Technologies Limited, is a Public Limited Company having its registered office in Mumbai, India.
✓ The contact details of the company are:
278-280, F Wing, Solaris-1, Saki Vihar Road, Opp. L&T Gate No. 6, Powai, Andheri East, Mumbai 400 072
✓ Office: +91 (22) 28573815 / 16
✓ Fax: +91 (22) 40152501
✓ The key contact details are:
✓ Mr. Anjay Agarwal, Chairman & Managing Director
✓ Mobile: 93222 65876 / 98210 87283
✓ e-mail: [email protected]; [email protected]
✓ Address: same as above
➢ Mr. Anjay Agarwal, Chairman & Managing Director, is authorized to contractually bind the organization for any proposal against this RFP.
➢ Brief history of the Company is as under:
✓ The company was incorporated in October 2000 and specializes in IS Audit, Information Security, IT Assurance and IT Governance. The company has been rendering these services for more than a decade.
✓ The company was promoted by eminent Information Security maverick Mr. Anjay Agarwal.
✓ To strengthen its internal processes, AAA Technologies is ISO 9001:2008 certified. The Company is also ISO 27001:2005 certified, as it deals with confidential information of its clients.
✓ As a testimonial to our expertise, the following regulatory bodies and prominent organisations have chosen to empanel us:
▪ CERT-In (Government of India) as ‘Information Security Auditing Organization’ for carrying out IT Security Audits
▪ Empanelled by Controller of Certifying Authorities, Ministry of Communications and Information Technology, Government of India, for auditing technical and physical infrastructure of licensed / prospective Certifying Authorities
▪ Empanelled by SEBI for conducting IS Audit
▪ Empanelled by Reserve Bank of India for conducting Information Systems/IS/IT Audit within RBI for 3 years
▪ Empanelled by State Bank of India as Information Security Service Provider (ISSP) for 5 years for SBI Group
▪ Empanelled with Life Insurance Corporation of India
▪ Empanelled by National Highways Authority of India for conducting Toll System Traffic and Security Audit
▪ Empanelled by Punjab National Bank to conduct Application Audit
▪ Associate Consultant to British Standards Institution
▪ Empanelled “Trading System Auditor” with MCX-SX
▪ Empanelled by NICSI for IT Security Auditing
▪ Empanelled by National Stock Exchange for IT Security Auditing
▪ Empanelled by Bombay Stock Exchange for IT Security Auditing
▪ Empanelled by Bank of India as Information Security and Audit Service Providers (ISASPs)
▪ Empanelled by Corporation Bank
▪ Empanelled by (CRISP), Madhya Pradesh
▪ Empanelled by Centre for Good Governance, Hyderabad
▪ Empanelled by Telecom Regulatory Authority of India (TRAI) to certify the Metering and Billing System of Service Providers
▪ Empanelled by Maharashtra State Government
▪ Empanelled by Canara Bank
▪ Empanelled by Tamil Nadu e-Governance Agency (TNeGA) to perform Third Party Security Assessment Test on IT Infrastructure of Government Departments and Organisations in Tamil Nadu for a three-year period
▪ Empanelled by Corporation Bank for conducting Audit of Bank’s Data Center, Applications, IT Network, Independent Assurance of the IS Audit function and other Information Systems Audits till November 28, 2020
▪ Empanelled by India Post Payments Banks (IPPB) for conducting periodic Information Security Audits
✓ Premier Independent Auditing and Consulting Company



✓ Internationally certified and experienced professionals holding CGEIT, CRISC, CISA, CISM, CISSP, CEH, ISO 27001 LA, BS 25999, CFE, CA, MBA, ABCI, CIA
✓ Contributor at the international level in the area of Information Security
✓ Cumulative experience of 1000+ man years
✓ Vast business domain and technical knowledge
✓ Received Maharashtra IT Awards from Maharashtra State Government in the field of Security
✓ Top 20 Promising GRC Solution Providers 2016 India by CIO Review
✓ Top 20 IT Service Companies 2014 by Silicon Review (the only company in the field of IS Audit / Information Security)
✓ Judged “Best Cyber Security Organisation” by Newsmaker Broadcasting Corporation
✓ Received “Indian Achievers Award for Industrial Excellence” by Indian Economic Development & Research Association
✓ Received “Indian Leadership Award for Information Technology” by All India Achievers Foundation
✓ Rashtriya Udyog Ratna Award by National Education & Human Resource Development Organisation
✓ International Award for Business Excellence (in Bangkok)
✓ AAA Technologies Limited has been rated as 20 Most Promising GRC Solution Providers 2016 India by CIO Review
✓ Company of the year 2017 in IS Audit and Cyber Security by CEO Magazine
✓ 20 Most Promising Cyber Security Solution Provider 2017 by CIO Review
✓ 10 Most Trusted Cyber Security Companies 2017 by Insight Success
✓ 50 Best Indian Founded Companies 2017 by Silicon Review
✓ 20 Most Valuable Network and Solution Provider 2017 by Insight Success



For Website Audit the following details are required:

1. Company Name: Mercury Communication Design Pvt Ltd
2. Address: R-7, 203, Park Saroj, Yudhisthir Marg, C Scheme, Jaipur 302005
3. Contact Person: Deepak Kumar Jangid
4. Contact Number: 9983349249
5. Email id: [email protected]

Website as a whole:

✓ Total number of websites to be audited: 1
✓ Total number of static pages: 1
✓ Total number of dynamic pages: 0
✓ Total number of input fields: 0

In Modules:

✓ Total number of modules to be audited, along with total number of static pages, dynamic pages and input fields: 4
✓ Types of user: Admin
✓ Roles of each user: Single Role (Admin)

OTHER DETAILS

1) Website name along with link and the credentials:
https://invest.mdigi.website/
https://invest.mdigi.website/admin
Username: [email protected]
Password: In*ve@st#2021

2) Will the website be hosted on NIC Server / SDC or other? Please specify: NO

3) Will the audit be onsite, offsite or via VPN? onsite

4) Is the website on Intranet or Internet? Internet

5) Will the audit be grey box testing or black box testing? Contact to DOIT

6) Lines of code: Approx 2500

7) Application Development Platform required: NO

8) Whether the application contains any Content Management System (CMS) (if yes, then which? e.g. Joomla / WordPress / Drupal / Liferay etc.): NO

9) Operating System details (e.g. Windows-2003, Linux, AIX, Solaris, etc.): Linux

10) Application Server with version (e.g. IIS 5.0, Apache, Tomcat, etc.): Apache

11) Front-end tool [server side scripts] (e.g. ASP, ASP.NET, JSP, PHP, etc.): PHP

12) Back-end Database (e.g. MS-SQL Server, PostgreSQL, Oracle, etc.): PhpMySql
