Pentesting and a Phishing Campaign for a Web Design Platform
Customer
The Customer is a US-based SaaS company that has created a web design platform. The platform allows individual web designers, marketing agencies, and hosting companies to build sleek, responsive websites.
Challenge
To maintain its reputation as a secure business, the Customer takes a proactive approach to its cyber defense and performs regular security checks of its web platform. Aware of the scale and potential impact of human-based cyberattacks, the Customer is also dedicated to building corporate security culture and raising the cyber awareness of its employees.
After a recent modification of its web platform, the Customer was looking for an experienced penetration testing vendor that would also be proficient in social engineering techniques.
Solution
Due to ScienceSoft’s versatile cybersecurity expertise and a solid portfolio of successful projects in the field, the Customer chose ScienceSoft over other pentesting vendors. Our security team was to test the following web platform and IT infrastructure components: 2 web applications, 1 API with 100 endpoints, 4 public-facing IPs. Another key task was to organize a phishing campaign to assess the security awareness of the Customer’s employees.
To meet the 14-day project deadline set by the Customer, ScienceSoft provided a team of two experienced ethical hackers.
1. Penetration testing
ScienceSoft’s team started with black box testing to see how an attacker with no prior knowledge of the targets could try to break through the security perimeter of the web platform. The team then switched to a gray box approach: the testers were given credentials for a default user role and explored how an intruder could compromise the web platform or its infrastructure after gaining low-privileged access to the web apps and the API. While planning and executing the pentests, the team followed the OWASP Web Security Testing Guide and NIST SP 800-115.
As a result of the performed activities, ScienceSoft’s team revealed several issues that could compromise the web platform’s security. The most critical ones included:
- Missing user input validation in one of the web apps, exposing it to cross-site scripting (XSS) and SQL injection attacks.
- An email enumeration vulnerability allowing a malicious actor to identify valid email addresses (for example, through differing responses on login or password reset) and use them for subsequent brute-force or social engineering attacks.
- A misconfigured web server leaking sensitive information about the website’s internal architecture and the tech stack used in its development.
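To make the first finding concrete, here is an added illustration (not code from the Customer's platform or from ScienceSoft's report) of the two injection classes side by side with their fixes. The user table, the sample rows and the `find_user_*`/`render_greeting_*` handler names are constructed for the example; the hardened versions use the standard controls, namely parameterized queries for the database and context-aware output encoding for HTML, which is what "proper input validation and filtering" has to mean in practice for these two bugs.

```python
import html
import re
import sqlite3

# Constructed in-memory stand-in for the web app's user table (not the Customer's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users (email, display_name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn

# Deliberately simple allow-list check used as a first line of defence; it is not a
# replacement for parameterization, which is what actually prevents the injection.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_valid_email(email):
    return bool(EMAIL_RE.match(email)) and len(email) <= 254

def find_user_vulnerable(conn, email):
    # VULNERABLE: untrusted input is pasted into the statement text, so a quote in the
    # input changes the query's structure instead of being treated as data.
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(query))

def find_user_safe(conn, email):
    # HARDENED: reject malformed input early, then bind the value as a parameter so the
    # driver sends it separately from the SQL text.
    if not is_valid_email(email):
        return []
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)

def render_greeting_vulnerable(display_name):
    # VULNERABLE: a user-controlled value is written straight into an HTML context.
    return f"<p>Welcome back, {display_name}!</p>"

def render_greeting_safe(display_name):
    # HARDENED: encode for the HTML text context; quote=True also covers attribute contexts.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"

def demo():
    conn = make_db()
    sqli_payload = "' OR '1'='1"              # classic tautology payload
    xss_payload = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable": find_user_vulnerable(conn, sqli_payload),   # every row leaks
        "sqli_safe": find_user_safe(conn, sqli_payload),               # nothing returned
        "xss_vulnerable": render_greeting_vulnerable(xss_payload),     # script tag intact
        "xss_safe": render_greeting_safe(xss_payload),                 # tag neutralised
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the tautology payload dumping both rows from the vulnerable query while the parameterized query returns nothing, and the `<script>` tag surviving the first template while the second emits `&lt;script&gt;`. The same pattern applies to the API endpoints: validate the shape of each parameter, never build SQL from it, and encode according to where the value lands.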
To fix the detected vulnerabilities, ScienceSoft’s security experts recommended:
- Implementing proper user input validation and filtering, with parameterized database queries to stop SQL injection and context-aware output encoding to stop XSS.
- Eliminating the email enumeration vector by returning identical responses, and taking comparable time, whether or not an account exists, and implementing protection against brute-force attacks such as rate limiting per account and per source address.
- Configuring the web server to stop disclosing version and stack information and to restrict access to potentially sensitive files.
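The second recommendation is easy to get subtly wrong, so here is an added example (not the Customer's code or ScienceSoft's deliverable) of a login handler before and after the fix. The user store, the `login_vulnerable`/`login_safe` handler names and the `RateLimiter` class are constructed for this illustration. The hardened handler returns one generic message for every failure, runs the password hash even for unknown accounts so response time does not reveal existence, compares hashes in constant time, and refuses further attempts once a sliding-window limit is exceeded. The same shape applies to password reset and registration endpoints, which are the other usual enumeration points.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

ITERATIONS = 100_000  # PBKDF2 work factor; raise for production, kept modest so the demo runs quickly

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store (not the Customer's data): one real account.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# A throwaway hash that is verified when the email is unknown, so a failed login for a
# nonexistent account costs the same time as a failed login for a real one.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())

def login_vulnerable(email, password):
    # VULNERABLE: distinct messages (and an early return that skips the slow hash)
    # tell an attacker exactly which email addresses have accounts.
    if email not in USERS:
        return "No account with that email address"
    salt, digest = USERS[email]
    if hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) != digest:
        return "Incorrect password"
    return "OK"

class RateLimiter:
    """Sliding window: at most `limit` attempts per key within `window` seconds.
    The clock is injectable so the behaviour can be tested deterministically."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.attempts = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()                      # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

DEFAULT_LIMITER = RateLimiter(limit=5, window=300)
GENERIC_FAILURE = "Invalid email or password"

def login_safe(email, password, client_ip, limiter=DEFAULT_LIMITER):
    # HARDENED: throttle per source address and per target account before doing any work.
    ip_ok = limiter.allow(client_ip)
    account_ok = limiter.allow(email.lower())
    if not (ip_ok and account_ok):
        return "Too many attempts, try again later"
    # Always run the hash: unknown accounts verify against the dummy record.
    salt, digest = USERS.get(email, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # compare_digest avoids a byte-by-byte timing leak; the membership check guards
    # against the unlikely event of a guess matching the dummy record.
    if hmac.compare_digest(candidate, digest) and email in USERS:
        return "OK"
    return GENERIC_FAILURE

if __name__ == "__main__":
    print(login_vulnerable("nobody@example.com", "x"))     # leaks: no such account
    print(login_vulnerable("alice@example.com", "x"))      # leaks: account exists
    print(login_safe("nobody@example.com", "x", "10.0.0.1"))
    print(login_safe("alice@example.com", "x", "10.0.0.1"))
```

Note that the generic message alone is not enough: if the unknown-account branch skipped the PBKDF2 computation, an attacker could still distinguish the two cases by response time, which is why the dummy record exists. Account lockout, CAPTCHA after a threshold, and alerting on bursts of failures are common additions on top of the limiter.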
2. Email phishing campaign
ScienceSoft’s ethical hackers simulated bulk email phishing attacks targeting 200 of the Customer’s employees. The emails carried malicious links, fake login forms, and executable attachments. The campaign showed that most users followed the required precautions: even those who opened the phishing emails did not click the links they contained. There were, however, several cases of unsafe behavior in which employees did click the malicious links.
ScienceSoft’s testers confirmed that the Customer’s existing cybersecurity training was effective. They recommended conducting social engineering tests on a regular basis to keep employees aware of evolving threats and to promptly identify those who need additional training.
Results
Within two weeks, the Customer received a detailed report on the vulnerabilities affecting its newly modified web design platform, complete with actionable remediation guidelines. The Customer was able to promptly fix the detected security issues and strengthen the protection of its end users’ data. The phishing campaign conducted by ScienceSoft gave the Customer evidence of its employees’ cybersecurity awareness and identified those who needed additional training.
Technologies and Tools
Metasploit, Nessus, Burp Suite, Acunetix, Nmap, Nikto, Snyk, Dirb.