Web App Penetration Testing for a Learning Software Provider
Customer
The Customer is a European company with over 20 years of experience in developing, supporting and maintaining software products for knowledge and learning content management. Their clients mostly operate in education, finance, healthcare, retail and other domains.
Challenge
The Customer needed to evaluate the security level of the LCMS web app they provided to their clients as SaaS. The app had to remain highly secure and protect the sensitive information of the Customer’s clients. Since ScienceSoft had proved to be a trusted partner during four years of previous collaboration, the Customer turned to ScienceSoft for penetration testing services.
Solution
ScienceSoft’s security engineers performed penetration testing according to the black box model (simulating the actions of a real attacker with strictly limited knowledge of the network). The security testing team used testing tools compliant with the ethical hacking methodology.
During the penetration testing, ScienceSoft’s security testing team identified four vulnerabilities of the Customer’s web application. The security engineers classified them according to their severity, reflecting the risk for the business processes of the Customer’s clients:
- Susceptibility to cross-site scripting (XSS) attacks – medium severity level.
- Password field with autocomplete enabled – low severity level.
- HTTP Strict Transport Security (HSTS) not enforced – low severity level.
- Susceptibility to login page password-guessing attacks – low severity level.
To protect the LCMS web application from cross-site scripting attacks, ScienceSoft’s security engineers recommended validating users’ input data. The corrective measure involved controlling both input and output data.
To tackle the problem of the password field autocomplete, the security testing team recommended preventing browsers from storing credentials entered into an HTML form. This measure can be implemented by switching off the autocomplete feature within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect individual fields).
The web security policy of the LCMS web app did not prevent users from connecting to it over unencrypted HTTP. Therefore, attackers able to modify a legitimate user’s network traffic could use the LCMS web application as a platform for attacks against its users. ScienceSoft’s security testing team recommended enabling HTTP Strict Transport Security so that the web application would instruct web browsers to access it only over HTTPS.
To protect the LCMS web application from login page password-guessing attacks (brute-force attacks), ScienceSoft’s security engineers recommended implementing account lockout after a defined number of incorrect password attempts. The number of attempts was left for the Customer to decide.
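The four corrective measures above, collected into one framework-neutral Python module as an added example (this is not ScienceSoft’s or the Customer’s code); the attempt threshold and lockout duration are assumed defaults, since the page leaves those values to the Customer.

```python
"""Constructed example: the four corrective measures from the findings above."""
import html
import time
from typing import Dict, Optional, Tuple

# 1. XSS: encode untrusted data before it is placed into HTML output.
def render_greeting(display_name: str) -> str:
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"

# 2. Password autocomplete: switch it off on the FORM tag (all fields)
#    and on the individual INPUT tags.
def render_login_form(action: str = "/login") -> str:
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}" autocomplete="off">'
        '<input type="text" name="username" autocomplete="off">'
        '<input type="password" name="password" autocomplete="off">'
        '<button type="submit">Sign in</button></form>'
    )

# 3. HSTS: instruct browsers to reach the app only over HTTPS.
#    One year with subdomains is an assumed default, not a value from the page.
def hsts_header(max_age: int = 31536000, include_subdomains: bool = True) -> Tuple[str, str]:
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)

# 4. Password guessing: lock the account after N consecutive failures.
class LoginLockout:
    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900):
        self.max_attempts = max_attempts      # threshold left to the operator (assumed default 5)
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now < self._locked_until.get(username, 0.0)

    def record_failure(self, username: str, now: Optional[float] = None) -> bool:
        """Record a failed login; returns True when the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return True
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0      # counter restarts once the lockout expires
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)
```

Call `is_locked()` before verifying the password, so a locked account never reaches the credential check.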
Results
ScienceSoft’s security engineers provided the Customer with an assessment of the security level of the LCMS web application. Penetration testing allowed the identification of several vulnerabilities in the Customer’s web application. The Customer received a list of corrective measures aimed at eliminating the discovered security weaknesses in the LCMS web application and raising its protection level. The Customer was satisfied with the work of ScienceSoft’s security engineers and expressed their intention to continue collaborating with ScienceSoft as a trusted provider of penetration testing services.
Technologies and Tools
Metasploit, Nmap, SQLMap, Nikto, DIRB, Burp Suite, Nessus, ZMap