Annual Pentest for a Global AdTech Company Revealed 18 Vulnerabilities

Industry
Marketing & Advertisement

About Our Customer

The Customer is a global provider of a cookieless advertising platform. The company leverages AI technology for improved advertising targeting and engagement. Some of the company’s biggest clients include Canon, Microsoft, and American Express.

AI AdTech Company Looking for a Long-Term Cybersecurity Partner

Committed to its clients’ data security and privacy, the Customer was looking for an experienced vendor to evaluate the cyber protection of its advertising solution. Trusting our 20+ years in cybersecurity, the Customer turned to ScienceSoft for its first security testing in 2022 and later achieved SOC2 compliance certification. Satisfied with the service results, the Customer returned to ScienceSoft for another cybersecurity project in 2023.

Black and Gray Box Pentesting of AI-Powered Advertising Solution

ScienceSoft’s penetration testers examined the Customer’s digital advertising platform and ad impressions measurement solution. The testing activities were based on the PTES, OWASP Web Security Testing Guide, and NIST 800-115 methodology.

Advertising platform pentesting

The testing started with a vulnerability assessment. Our experts ran automated scans on a total of 37 URLs belonging to client-facing websites, APIs, microservices, and AWS cloud resources, all serving the advertising platform. They followed up with manual validation of the scan results to eliminate false positives.

To exploit the discovered vulnerabilities and evaluate their severity, ScienceSoft’s team performed pentesting. Our experts applied the black box approach to examine the target APIs, microservices, and AWS cloud resources. For the client-facing app, ScienceSoft’s pentesters applied the gray box approach to gain more in-depth insights by simulating the actions of an attacker with user access.

During the pentest, ScienceSoft revealed 7 security issues, two of which were of medium severity:

  • Lack of brute-force protection in the client-facing app. Our team could perform 8,800+ login attempts without being interrupted by any anti-brute-force mechanism such as account lockout or IP blocking.
  • Insecure CORS configuration in multiple targets. An intruder could exploit this vulnerability to fetch web server resources potentially containing users’ sensitive data. For example, the servers reflected whatever Origin header our team supplied in an HTTP request, so cross-origin sharing could be enabled for a host of the tester's choice.
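The CORS finding above comes down to a server echoing the request's Origin header instead of checking it. The following added example (not ScienceSoft's or the Customer's code; the allow-listed origins are assumed values) shows the reflecting pattern beside an allow-list check, plus a small probe a reviewer can run against either handler.

```python
# Added example: reflecting CORS handler vs. allow-list CORS handler.
from urllib.parse import urlsplit

# Assumed allow-list of first-party origins (constructed for this example).
ALLOWED_ORIGINS = {"https://app.example-adtech.test", "https://admin.example-adtech.test"}


def cors_headers_reflecting(origin):
    """Weak pattern behind the finding: whatever Origin the client sends is
    echoed back with credentials allowed, so any site can read responses
    made in a logged-in user's browser session."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Hardened pattern: only an exact, scheme-qualified origin from the
    allow-list is echoed; anything else gets no CORS headers at all."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # A browser Origin is scheme://host[:port] with no path, query, fragment
    # or userinfo; reject anything else (including the literal "null").
    if (parts.scheme != "https" or not parts.netloc or "@" in parts.netloc
            or parts.path or parts.query or parts.fragment):
        return {}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in allowed:          # exact match, not substring/suffix
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}              # stop caches mixing origins' answers


def reflects_arbitrary_origin(handler, probe="https://cors-probe.invalid"):
    """Review check: does an origin that is certainly not ours come back in
    Access-Control-Allow-Origin? True means the handler is misconfigured."""
    return handler(probe).get("Access-Control-Allow-Origin") == probe
```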

Ad metrics application pentesting

ScienceSoft’s team performed a vulnerability assessment and gray box pentesting under user and administrator roles to verify the security of the Customer’s ad metrics application (4 URLs). Our experts revealed 11 vulnerabilities exposing the application to man-in-the-middle, session hijacking, clickjacking, injection, and other attacks that could lead to sensitive data breaches and malware distribution.

Remediation recommendations and retesting

As a result of the pentests, ScienceSoft identified 18 security issues of medium and low severity, including security misconfigurations, authentication failures, and injection flaws. Our pentesters assessed and classified the issues according to the OWASP Top 10, OWASP API Top 10, and NIST CVSS frameworks and provided remediation advice, including:

  • Configuring HTTP security headers to enhance the protection against malicious cross-domain requests and such attacks as injections, cross-site request forgery, clickjacking, and content sniffing.
  • Using TLS 1.2 and TLS 1.3 protocols instead of the deprecated and vulnerable TLS versions 1.0 and 1.1.
  • Enforcing a strong password policy, rate limiting for authentication endpoints, multi-factor authentication, and account lockout or CAPTCHA mechanisms to prevent brute-force attacks.
  • Standardizing responses on authentication requests (e.g., Login and Forgot password pages) for existing and non-existing users to mitigate user enumeration attacks.
  • Implementing input validation and sanitization to prevent HTML injection and XSS attacks.
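The brute-force finding (8,800+ uninterrupted login attempts) and the rate-limiting, lockout and standardized-response recommendations above describe one login handler. The following added example (not ScienceSoft's or the Customer's code; the limits, window, and user records are assumed values constructed for the example) shows such a handler: it throttles per account and per source IP, and returns the same response and does the same hash work whether or not the username exists.

```python
# Added example: throttled login with uniform responses for unknown users.
import hashlib
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5           # failures per account per window (assumed policy)
IP_LIMIT = 20              # failures per source IP per window (assumed policy)
WINDOW_SECONDS = 15 * 60   # rate-limit / lockout window (assumed policy)


def _hash(password, salt):
    # Iteration count reduced for the example; use a higher one in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store: username -> (salt, PBKDF2 hash).
USERS = {"alice": (b"salt-a", _hash("correct horse", b"salt-a"))}
# Dummy record so unknown usernames still cost one hash computation.
DUMMY_RECORD = (b"salt-x", _hash("placeholder", b"salt-x"))

GENERIC_FAILURE = ("invalid credentials", 401)   # same text for wrong password and unknown user
THROTTLED = ("too many attempts, try again later", 429)


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)   # ("user"|"ip", key) -> failure timestamps

    def _recent(self, key):
        now = self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return len(self.failures[key])

    def login(self, username, password, ip):
        # Throttle before verifying, so a locked account cannot be probed further.
        if self._recent(("ip", ip)) >= IP_LIMIT or self._recent(("user", username)) >= MAX_ATTEMPTS:
            return THROTTLED
        salt, stored = USERS.get(username, DUMMY_RECORD)
        ok = username in USERS and hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self.failures[("user", username)].clear()
            return ("ok", 200)
        now = self.clock()
        self.failures[("user", username)].append(now)
        self.failures[("ip", ip)].append(now)
        return GENERIC_FAILURE
```

Locking on the account name alone lets anyone lock a legitimate user out, which is why the page pairs it with per-IP limits and CAPTCHA rather than relying on it by itself.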

Using the guidelines provided by ScienceSoft, the Customer successfully improved its security controls, which was confirmed during a retest.

Malware Attacks and Data Breaches Mitigated

The second annual cybersecurity project comprised one black box and two gray box pentests and covered 41 URLs. ScienceSoft found 18 vulnerabilities in the Customer’s AI-powered advertising solution and evaluated their potential impact.

The AdTech company followed our remediation recommendations and promptly fortified its security posture. The Customer is fully satisfied with our partnership and plans to continue engaging ScienceSoft in future security testing projects.

Technologies and Tools

Acunetix, Burp Suite, Nikto, SQLMap, Sub 404, SSLScan, Nmap, DirB, Nessus, Netsparker, PHP, Bash, Python, PowerShell.
