Penetration Testing for an Enterprise Resource Planning Platform
Customer
The Customer is a US-based provider of an enterprise resource planning (ERP) platform for the produce industry. The platform helps automate and optimize production management, invoicing and accounting, sales, inventory management, logistics, and more.
Challenge
As a NY-headquartered provider of an ERP platform that contains a payment system, the Customer strives to stay compliant with NYDFS and PCI DSS cybersecurity requirements. After introducing a new web service to its platform, the Customer was looking for a competent penetration testing vendor to check the newly added components for vulnerabilities that could compromise the platform’s security.
Solution
Impressed by ScienceSoft’s 19 years of experience in IT security, 200+ successful cybersecurity projects, and proficiency in NYDFS and PCI DSS compliance, the Customer entrusted the penetration testing project to ScienceSoft’s Certified Ethical Hackers.
To investigate how a real-world malicious actor could detect and exploit potential vulnerabilities in the Customer’s ERP platform, ScienceSoft’s team decided to start with black box pentesting. Acting as outside attackers, they targeted the new web application, an API (with 100 endpoints), and 5 public IPs. At the next stage, they were provided with low-privilege user credentials to proceed with gray box penetration testing.
As a result, the team managed to reveal 13 security issues, including:
- Bearer tokens with no expiration, so a leaked or stolen token stays valid indefinitely and lets an attacker act as the user without ever entering a login and password.
- User enumeration vulnerability that could be used by hackers to discover valid usernames for subsequent brute-force attacks.
- No limit on failed login attempts, which lets attackers brute-force common username and password combinations until one works.
- Absent single logout (SLO). Pressing the log out button in one application module didn’t lead to logout in the other modules.
- Missing secure cookie attributes (such as Secure, HttpOnly, and SameSite). Without them, a malicious actor could attempt a man-in-the-middle attack to read cookie contents and hijack a session, stealing authentication details or other sensitive information.
- Missing CSRF tokens, which protect against cross-site request forgery; and more.
ScienceSoft’s team classified the detected vulnerabilities by their severity to help prioritize remediation steps and described the necessary corrective measures. They included:
- Revoking the bearer token when a user logs out and limiting its validity period (e.g., to an hour).
- Using generic error messages in response to an invalid username or password entered during the login process.
- Setting up a limited number of failed login attempts, after which the attacked account is blocked for several minutes with an email notification to the account owner; implementing CAPTCHA.
- Configuring single logout (SLO) across all ERP application modules; implementing automatic session timeout.
- Adding security attributes (Secure, HttpOnly, SameSite) to the cookies; limiting cookie lifetime.
- Adding CSRF tokens to all forms that allow users to perform any state-changing operations.
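The following is an added, self-contained illustration of the corrective measures above as they would look in a backend session layer; it is example code written for this page, not code from ScienceSoft or from the Customer's ERP platform. It assumes in-memory stores, PBKDF2 password hashing, an injectable clock, and the hypothetical class and function names AuthService and session_cookie; the constants (one-hour token lifetime, five attempts, five-minute lockout) mirror the values suggested in the report.

```python
"""Hardened login/session handling: expiring and revocable bearer tokens,
generic login errors, lockout after repeated failures, per-session CSRF
secrets, and a cookie carrying Secure/HttpOnly/SameSite attributes.
All names and stores here are assumptions for illustration only."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600           # token validity: one hour, as recommended above
MAX_FAILED_LOGINS = 5      # lock the account after this many failures
LOCKOUT_SECONDS = 300      # "several minutes"; an email alert would go here too
GENERIC_ERROR = "Invalid username or password"   # same text for every failure


class AuthService:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.users = {}         # username -> (salt, password_hash)
        self.tokens = {}        # bearer token -> (username, expires_at)
        self.failed = {}        # username -> (failure_count, locked_until)
        self.csrf = {}          # bearer token -> CSRF secret for that session

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Return (token, None) on success or (None, GENERIC_ERROR).
        Unknown user, wrong password and locked account all yield the same
        message, so the response cannot be used to enumerate usernames."""
        count, locked_until = self.failed.get(username, (0, 0))
        if locked_until > self.now():
            return None, GENERIC_ERROR
        record = self.users.get(username)
        # Hash even for unknown users so response time does not leak existence.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = record is not None and hmac.compare_digest(self._hash(password, salt), stored)
        if not ok:
            count += 1
            locked = self.now() + LOCKOUT_SECONDS if count >= MAX_FAILED_LOGINS else 0
            self.failed[username] = (count, locked)
            return None, GENERIC_ERROR
        self.failed.pop(username, None)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.now() + TOKEN_TTL)
        self.csrf[token] = secrets.token_urlsafe(32)
        return token, None

    def authenticate(self, token):
        """Return the username for a live token, or None if unknown/expired."""
        record = self.tokens.get(token)
        if record is None:
            return None
        username, expires_at = record
        if expires_at <= self.now():
            self.logout(token)          # expired tokens are dropped, not reused
            return None
        return username

    def logout(self, token):
        """Single logout: every module validates against this store, so
        revoking the token here ends the session everywhere at once."""
        self.tokens.pop(token, None)
        self.csrf.pop(token, None)

    def csrf_token(self, token):
        return self.csrf.get(token)

    def check_csrf(self, token, submitted):
        """Validate the CSRF token sent with a state-changing request."""
        expected = self.csrf.get(token)
        return (expected is not None and submitted is not None
                and hmac.compare_digest(expected, submitted))


def session_cookie(token, max_age=TOKEN_TTL):
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Strict (not sent cross-site), Max-Age bounded to the token TTL."""
    return f"session={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Two practical caveats: a lockout counter keyed on username lets an attacker lock legitimate users out on purpose, which is why the report pairs it with CAPTCHA and owner notification rather than relying on it alone; and single logout only works if every module checks tokens against the same revocation store (or the same shared cache) instead of trusting a signed token offline until it expires.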
The entire pentesting project from planning to reporting on the results took 10 days.
Results
Thanks to the thorough pentesting performed by ScienceSoft, the Customer quickly identified the vulnerabilities that could expose its ERP platform to security breaches. The final report provided by ScienceSoft’s team served as actionable guidance for efficient vulnerability remediation and a valuable addition to the Customer’s compliance documentation.
Technologies and Tools
Metasploit, Nessus, Burp Suite, Acunetix, Nmap, Dirb, SQLmap, Postman.