Black Box Penetration Testing of the Payment IT Infrastructure
Customer
The Customer is a North American provider of services and products for financial institutions and small businesses. With offices in more than 30 cities across the United States and Canada, the company numbers over 4 million active small businesses and 5,000+ financial institutions among its customers.
Challenge
The Customer’s service set includes web services that process and store clients’ personal and financial data, an attractive target for potential intruders. The Customer decided to engage a penetration testing provider to evaluate the security of its web servers and web applications and to identify vulnerabilities by simulating an attacker’s actions, including attempts at unauthorized access to its data and IT resources.
Solution
Because of the strict time limit the Customer set for the project (7 days), the company’s website and web server were chosen as the targets for pentesting. The main objective was to determine whether attackers could reach the Customer’s sensitive data and whether other network assets could be put at risk if an intruder compromised the website.
ScienceSoft’s pentester acted as an external attacker with access to the Customer’s network through the Internet only, using technical attacks and no social engineering. The engagement was black box: the tester was given only the company name and the URLs of the web applications.
The web penetration testing was structured around the OWASP Top 10, the list of the ten most critical security risks for current web applications, together with guidance on how to address them.
The relevant OWASP Top 10 categories (cross-site scripting (XSS), security misconfiguration, sensitive data exposure and use of components with known vulnerabilities) were applied to test whether an attacker could:
- Perform man-in-the-middle attacks against the SSL/TLS layer, including POODLE, which exploits SSL 3.0 CBC padding after forcing a protocol downgrade
- Hijack user sessions using cross-site scripting (XSS)
- Perform null byte injection enabled by web server misconfiguration
- Inject plaintext into an application protocol stream (as with insecure TLS renegotiation)
- Mount hash collision attacks
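The first item above, testing whether the server still negotiates SSL 3.0 with a CBC cipher suite, is something a black box tester checks by hand when the target is a TLS endpoint. The following is an added example of such a probe and is not ScienceSoft’s tooling or code from this engagement: it builds a raw ClientHello for a chosen protocol version, sends it, and decodes the ServerHello or Alert that comes back. The cipher suite table, the `probe` and `assess` helper names and the sample responses are assumptions made for the illustration; the sample bytes are constructed here, not captured from any real server.

```python
"""Raw SSL/TLS version probe for POODLE-style downgrade checks (added example)."""
import os
import socket
import struct

SSL3 = 0x0300
TLS10 = 0x0301
TLS12 = 0x0303

# Small cipher table for the illustration; CBC suites are what POODLE exploits under SSL 3.0.
CBC_SUITES = {0x002F: "AES128-SHA", 0x0035: "AES256-SHA", 0x000A: "DES-CBC3-SHA"}
RC4_SUITES = {0x0005: "RC4-SHA"}


def build_client_hello(version, suites):
    """Build a minimal ClientHello record offering `suites` at protocol `version`."""
    random_bytes = struct.pack("!I", 0) + os.urandom(28)        # gmt_unix_time + 28 random bytes
    suites_blob = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + random_bytes
            + b"\x00"                                           # session id length 0
            + struct.pack("!H", len(suites_blob)) + suites_blob
            + b"\x01\x00")                                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Decode the first record of a server reply: a ServerHello, an Alert, or something else."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, rec_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15:                                    # Alert
        level, desc = payload[:2]
        return {"type": "alert", "version": rec_version, "level": level, "description": desc}
    if content_type == 0x16 and payload[:1] == b"\x02":         # Handshake / ServerHello
        hs_len = int.from_bytes(payload[1:4], "big")
        body = payload[4:4 + hs_len]
        srv_version = struct.unpack("!H", body[:2])[0]
        sid_len = body[34]                                      # 2 version + 32 random bytes precede it
        off = 35 + sid_len
        cipher = struct.unpack("!H", body[off:off + 2])[0]
        return {"type": "server_hello", "version": srv_version, "cipher": cipher}
    return {"type": "other", "content_type": content_type, "version": rec_version}


def assess(resp):
    """Turn a decoded response into a finding line for the report."""
    if resp["type"] == "server_hello" and resp["version"] == SSL3 and resp["cipher"] in CBC_SUITES:
        return "VULNERABLE: SSL 3.0 accepted with CBC suite %s (POODLE)" % CBC_SUITES[resp["cipher"]]
    if resp["type"] == "server_hello" and resp["version"] == SSL3:
        return "WEAK: SSL 3.0 accepted"
    if resp["type"] == "alert":
        return "OK: handshake rejected (alert %d)" % resp["description"]
    return "INFO: negotiated version 0x%04x" % resp["version"]


def probe(host, port=443, version=SSL3, timeout=5):
    """Send an SSL 3.0 (by default) ClientHello to a live host and decode the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, list(CBC_SUITES) + list(RC4_SUITES)))
        return parse_server_response(s.recv(4096))


# Constructed sample responses for offline use (not captured from any real server).
def sample_server_hello(version, cipher):
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


SAMPLE_SSL3_CBC = sample_server_hello(SSL3, 0x002F)
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal (2) protocol_version (70) alert

if __name__ == "__main__":
    print(assess(parse_server_response(SAMPLE_SSL3_CBC)))
    print(assess(parse_server_response(SAMPLE_ALERT)))
```

Against a live target, `assess(probe("target.example"))` gives the one-line verdict; a server that answers the SSL 3.0 ClientHello with a `protocol_version` alert is not downgradable, while one that completes the hello with a CBC suite should be reported, as the list above puts it, as exposed to POODLE. Parsing is kept separate from the socket code so the decoder can be exercised on constructed bytes without network access.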
ScienceSoft identified vulnerabilities of varying severity that could affect the company’s network and lead to leaks of client data. The Customer was therefore provided with a set of recommendations on the measures to take to mitigate the risks and reduce the likelihood of intrusion.
Results
ScienceSoft performed the penetration testing in an extremely short timeframe of just one week. Despite this limit, the white hat hacker completed the assessment of the Customer’s website and web server and revealed the most critical vulnerabilities that attackers could potentially exploit.
Fully satisfied with the services provided, the Customer intends to continue the partnership with ScienceSoft and proceed to a deeper analysis of its IT infrastructure.
Technologies and Tools
Nmap, sqlmap, Metasploit, OpenVAS, w3af, Burp Suite, fierce, manual testing.