Gray Box Penetration Testing for a Digital Bank Operating in 60+ Countries

Industry
Banking, BFSI, Software products
Technologies
Mobile, Android, iOS

About Our Client

The Client is a US-based international digital bank that serves businesses from 60+ countries through its banking platform available on web and mobile.

Long-Term Partnership to Uphold Strong Cyber Defense of Fintech Solution

Trusting our experience in cybersecurity and fintech, the Client first turned to ScienceSoft for security testing in 2021, which helped the bank significantly improve its cybersecurity posture and achieve SOC 2 compliance. Satisfied with the results of our cooperation, the Client regularly engages ScienceSoft for penetration testing to check for emerging vulnerabilities in its continuously evolving banking platform.

Gray Box Pentesting of Web and Mobile Banking Apps

During the fourth annual penetration test, ScienceSoft's experts examined the Client's web, iOS, and Android applications using the gray box approach, that is, with partial knowledge of the target (for example, user-level test accounts) rather than none (black box) or full source access (white box). Starting with a vulnerability assessment, our testers scanned the target apps and manually verified the findings to weed out false positives. ScienceSoft's experts then attempted to exploit the confirmed weaknesses to establish their real impact. The testing activities were based on PTES, the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, and NIST SP 800-115 and included:

  • Checking software versions and application configurations.
  • Performing input data manipulations, such as injections, overflows, and protocol violations.
  • Examining authentication and authorization mechanisms.

ScienceSoft's penetration testers assessed and classified the identified issues according to the OWASP Top 10, OWASP Mobile Top 10, OWASP API Security Top 10, and the CVSS scoring system. The pentest revealed two medium-severity, six low-severity, and three informational security issues. These 11 issues mainly fell under cryptographic failures and security misconfiguration. ScienceSoft suggested remediation measures for each issue, such as:

  • Validating redirect and forward targets against an allowlist of trusted destinations rather than accepting arbitrary user-supplied URLs. Without such validation, attackers could craft a link that sends users from the bank's own domain to a malicious website (e.g., a phishing site that mimics the original login page).
  • Replacing Cipher Block Chaining (CBC) with PKCS7 padding by an authenticated mode such as Galois/Counter Mode (GCM) for data encryption. GCM verifies an authentication tag before any plaintext is released, so an adversary can no longer use the application's padding errors as a padding oracle to decrypt ciphertext; note that GCM in turn requires a nonce that is never reused under the same key.
  • Enforcing an idle-session timeout of no more than 15 minutes, so that a session left open on a shared or public computer expires on its own when the user forgets to log out, which shrinks the window in which an attacker can reuse it.
  • Hiding the app's interface in the task switcher preview on mobile (for example, by setting FLAG_SECURE on Android and covering the window when the app resigns active on iOS), so that sensitive information such as the account balance and transaction history is not exposed while the banking app is running in the background.
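
The first remediation above, an allowlist check for redirect targets, is easy to get subtly wrong, so here is an added example (written for this page, not ScienceSoft's or the Client's code) showing the classic bypass shapes such a check has to survive: protocol-relative `//host`, backslash confusion, userinfo tricks (`trusted@evil`), lookalike subdomains, non-`https` schemes and header-injection characters. The hostnames and the default landing page are assumed for illustration; only the Python standard library is used.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the banking platform may legitimately redirect to. Assumed values for
# the example; a real deployment reads these from configuration.
ALLOWED_HOSTS = {"app.bank.example", "auth.bank.example"}
DEFAULT_LANDING = "https://app.bank.example/dashboard"


def safe_redirect_target(candidate: str) -> str:
    """Return a redirect target that stays on an allowlisted host.

    The return-URL parameter of a login flow is attacker-controlled input.
    Rather than stripping a denylist of bad patterns, accept only:
      * a relative path that starts with exactly one "/" (not "//"), or
      * an absolute https URL whose host is in ALLOWED_HOSTS.
    Everything else falls back to DEFAULT_LANDING.
    """
    if not candidate:
        return DEFAULT_LANDING

    # Browsers treat a backslash like a slash in the authority part, so
    # normalise before parsing. Control characters (CR/LF/TAB) never belong
    # in a legitimate return URL and would enable header injection.
    cleaned = candidate.strip().replace("\\", "/")
    if any(ord(ch) < 0x20 for ch in cleaned):
        return DEFAULT_LANDING

    parts = urlsplit(cleaned)

    # Case 1: relative path on the current origin ("//evil" parses with a
    # netloc, so it does not reach this branch; "///evil" is caught below).
    if parts.scheme == "" and parts.netloc == "":
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return DEFAULT_LANDING

    # Case 2: absolute URL; scheme and host must both be acceptable.
    if parts.scheme.lower() != "https":
        return DEFAULT_LANDING
    try:
        # .hostname drops userinfo and port; .port raises on a bogus port.
        host = (parts.hostname or "").lower()
        port = parts.port
    except ValueError:
        return DEFAULT_LANDING
    if host not in ALLOWED_HOSTS:
        return DEFAULT_LANDING

    # Rebuild the authority from the validated host only, so nothing
    # attacker-supplied (userinfo) survives into the Location header.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs an attacker might submit as the return-URL parameter.
    for sample in ["/dashboard", "//evil.example/", "/\\evil.example",
                   "https://app.bank.example@evil.example/",
                   "https://app.bank.example.evil.example/",
                   "javascript:alert(1)", "https:evil.example",
                   "https://App.Bank.Example/transfers?id=7"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```

The function returns a usable target for every input, which keeps the login handler simple: it always redirects to whatever the function returns, and untrusted destinations silently collapse to the default page instead of producing an error the attacker can probe.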

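The second remediation, moving from CBC with PKCS7 padding to GCM, is best understood by watching the padding oracle work and then seeing why the authenticated mode closes it. The following is an added example written for this page, not code from ScienceSoft or the Client's platform. It uses the third-party `cryptography` package (pip install cryptography); the key, the sample record and the oracle's interface are constructed for the demonstration. The attack shown is the standard Vaudenay padding-oracle attack restricted to the final block, which recovers plaintext from nothing but the server's "padding valid / invalid" answers.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

BLOCK = 16

# --- The weak design: AES-CBC + PKCS7 with no integrity check ----------------

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns iv || ciphertext. There is no MAC, so the receiver's only
    tamper signal is the padding check, and that signal is what leaks."""
    iv = os.urandom(BLOCK)
    padder = padding.PKCS7(8 * BLOCK).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def cbc_padding_oracle(key: bytes, data: bytes) -> bool:
    """Models a server that answers 'padding error' vs 'ok' (via a distinct
    status code, error message or timing). True means the padding was valid."""
    iv, ct = data[:BLOCK], data[BLOCK:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(8 * BLOCK).unpadder()
    try:
        unpadder.update(padded) + unpadder.finalize()
        return True
    except ValueError:
        return False


def recover_last_block(oracle, data: bytes) -> bytes:
    """Recovers the plaintext of the final block using only oracle answers.
    Each byte costs at most 256 queries; the key is never touched."""
    prev, target = data[-2 * BLOCK:-BLOCK], data[-BLOCK:]
    intermediate = bytearray(BLOCK)   # AES-decrypt(target), learned byte by byte
    recovered = bytearray(BLOCK)
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        for guess in range(256):
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = intermediate[j] ^ pad   # force trailing bytes to `pad`
            forged[pos] = guess
            if not oracle(bytes(forged) + target):  # forged block acts as the IV
                continue
            if pad == 1:
                # Rule out an accidental "\x02\x02" hit: disturbing the byte
                # before the last must not break a genuine "\x01" ending.
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check) + target):
                    continue
            intermediate[pos] = guess ^ pad
            recovered[pos] = intermediate[pos] ^ prev[pos]
            break
    return bytes(recovered)


def demo_cbc_leak() -> tuple:
    """Encrypts a constructed record, then recovers its last block via the oracle.
    Returns (recovered_block, true_padded_last_block) for comparison."""
    key = os.urandom(32)
    plaintext = b"balance=1234.56;acct=0007"   # constructed sample record
    data = cbc_encrypt(key, plaintext)
    recovered = recover_last_block(lambda blob: cbc_padding_oracle(key, blob), data)
    padder = padding.PKCS7(8 * BLOCK).padder()
    padded = padder.update(plaintext) + padder.finalize()
    return recovered, padded[-BLOCK:]

# --- The fix: AES-GCM, which authenticates before releasing any plaintext ----

def gcm_tamper_outcomes(key: bytes, plaintext: bytes, aad: bytes = b"v1") -> set:
    """Flips one bit at every ciphertext position. Every attempt must fail
    with the same InvalidTag, so there is no oracle left to distinguish."""
    nonce = os.urandom(12)   # 96-bit nonce; must never repeat under the same key
    aead = AESGCM(key)
    ct = aead.encrypt(nonce, plaintext, aad)
    assert aead.decrypt(nonce, ct, aad) == plaintext
    outcomes = set()
    for i in range(len(ct)):
        tampered = bytearray(ct)
        tampered[i] ^= 0x01
        try:
            aead.decrypt(nonce, bytes(tampered), aad)
            outcomes.add("accepted")
        except InvalidTag:
            outcomes.add("rejected")
    return outcomes


if __name__ == "__main__":
    got, expected = demo_cbc_leak()
    print("CBC: last block recovered through the padding oracle:", got == expected, got)
    print("GCM: outcomes of 1-bit tampering:", gcm_tamper_outcomes(os.urandom(32), b"balance=1234.56;acct=0007"))
```

The oracle function stands in for whatever the application exposed (a different HTTP status or error text for a padding failure is enough). With GCM the decrypt call either returns the full plaintext or raises one uniform InvalidTag, so the attacker's per-byte question has no answer; the price is the nonce discipline noted above, since a repeated nonce under one key breaks GCM's confidentiality and authenticity.
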
Rapid Detection and Remediation of Security Issues

In just two weeks, ScienceSoft performed thorough gray box pentesting of the web, iOS, and Android apps of a digital bank operating in 60+ countries. The Client received a comprehensive report detailing the findings and corrective actions for each vulnerability, which helped the company further enhance the security of its banking platform.

Technologies and Tools

Burp Suite, SSLScan, Acunetix, Apktool, Jadx, MobSF, Radare2, PHP, Bash, Python, PowerShell.
