Gray Box Penetration Testing to Prevent Crypto Asset Theft
About Our Customer
The Customer is a European business consulting company providing technology management services and solutions.
Fintech Client Looking to Verify Its Trading Solution's Security
One of the Customer's clients, a fintech firm, wanted to evaluate the cyber protection of its solution for trading cryptocurrencies, NFTs, stocks, and other assets. Confident in ScienceSoft's cybersecurity and fintech competencies, the Customer engaged us to perform penetration testing on the solution's public network, API, and applications (web, Android, and iOS).
Security Misconfigurations and Weak Cryptography Revealed
After carefully analyzing the fintech firm's requirements and trading software specifics, ScienceSoft suggested the gray box approach for an in-depth security assessment within a short timeframe.
ScienceSoft's pentesting team examined the trading platform's design documentation to identify the most significant threats and potential attack vectors. During the vulnerability assessment stage, our experts used automated scanners to detect known vulnerabilities in the solution and then manually validated the scanning results to ensure zero false positives.
For the penetration testing, the Customer provided ScienceSoft with low-privileged user credentials for the target apps, network, and API. Following PTES, OWASP Web Security Testing Guide, OWASP Mobile Security Testing Guide, and NIST 800-115, our pentesters simulated the actions of a skilled intruder who has long-term access to the targets.
As a result, ScienceSoft revealed four weaknesses:
- Insecure protocol version (TLS 1.0) that could allow an attacker to access data exchanged between the server and the client.
- Use of weak SSL ciphers that an attacker could exploit to recover sensitive information like authentication tokens, cookies, and passwords.
- Public access to the web application's admin panel, which could make it easier for an attacker to access sensitive data or modify the app's configuration.
- Insecure CORS configuration that an attacker could exploit to steal the users' sensitive data or assets like bitcoins.
ScienceSoft recommended appropriate measures to close these security gaps, including:
- Enforcing secure cryptographic protocols (TLS 1.2 and TLS 1.3).
- Configuring the applications to use strong ciphers, e.g., 128-bit block ciphers.
- Restricting access to the admin panel using VPN and firewall rules. As an additional security layer, ScienceSoft recommended setting up multi-factor authentication.
- Properly configuring the Access-Control-Allow-Origin header and server-side protection of sensitive data to ward off malicious cross-domain requests.
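The two server-side fixes above (a TLS 1.2+ minimum with strong ciphers, and an allowlisted Access-Control-Allow-Origin instead of a reflected one) as an added illustration; this is example code written for this page, not ScienceSoft's or the fintech client's implementation, and the origin `https://trade.example.com` is a constructed placeholder.

```python
"""Added example (not the project's own code): server-side checks for two of
the findings above, a TLS context that refuses TLS 1.0/1.1 and legacy
ciphers, and an allowlist-based CORS handler beside the insecure pattern."""
import ssl
from urllib.parse import urlsplit

# Substrings that identify legacy OpenSSL cipher names (RC4, DES/3DES,
# NULL encryption, MD5 MACs, export grades, anonymous DH/ECDH).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def hardened_tls_context() -> ssl.SSLContext:
    """Server context that negotiates TLS 1.2 or 1.3 only, AEAD + forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects TLS 1.0 / 1.1 hellos
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.3 suites stay implicit
    return ctx


def weak_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of enabled ciphers that match a legacy marker; expected to be empty."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)]


def cors_headers(origin, allowed_origins, reflect_any=False):
    """CORS response headers for a credentialed API request.

    reflect_any=True reproduces the insecure configuration the report
    describes: whatever Origin arrives is echoed back together with
    Allow-Credentials, so any site can read authenticated responses.
    The default is the fix: an exact scheme://host[:port] match against an
    allowlist, with Vary: Origin so caches never serve one origin's answer
    to another. Browsers send the serialized (lowercase) origin, so an
    exact string comparison is the correct one; no prefix or substring match.
    """
    if reflect_any:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    if not origin or origin == "null":          # opaque origins never qualify
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return {}                               # only clean https origins
    if f"{parts.scheme}://{parts.netloc}" not in set(allowed_origins):
        return {}                               # unknown origin: no CORS headers at all
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
```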
After the fintech firm applied the fixes, ScienceSoft validated the successful remediation with a quick retest round. The whole project, including the pentesting and the retest, took just nine days.
In-Depth Security Check of Fintech Trading Platform in 9 Days
Thanks to ScienceSoft's proficiency in authoritative OWASP and NIST methodologies and the gray box approach, the Customer fulfilled its client's request for a prompt and comprehensive cybersecurity evaluation. In less than two weeks, ScienceSoft verified the public network, API, and web and mobile apps of the fintech client's trading platform. Using our remediation advice, the fintech firm successfully fixed the revealed issues and mitigated the risks of data breaches, asset theft, and reputational damage.
Technologies and Tools
Metasploit, Wireshark, Nessus, Burp Suite, curl, Acunetix, Nmap, dnsmap, DirB, MobSF, Shodan, Gitleaks, VirusTotal, Aquatone, Python, C, Perl.