Web Application and API Penetration Testing for a Computer Vision Company


Industry
Information Technology

Customer

The Customer offers computer vision solutions to real estate businesses across 30 countries and has offices in the EU and the USA.

Challenge

The Customer's team of IT professionals is dedicated to creating user-friendly solutions with outstanding functionality and robust security. The Customer wanted to check its applications and APIs for security issues its team might have missed and to demonstrate its high security level to existing and potential clients. Hence, the Customer was looking for a penetration testing vendor experienced in web security testing.

Solution

With 20 years in cybersecurity, Certified Ethical Hackers on board, and a security testing process based on the OWASP Web Security Testing Guide and NIST SP 800-115, ScienceSoft was chosen to perform the pentesting project.

To see if a potential intruder could find and exploit any vulnerabilities in the Customer’s 10 web applications and 7 APIs, ScienceSoft's pentesters applied the black box approach. Having no initial knowledge of the testing targets, they started with comprehensive vulnerability scanning. After analyzing the findings, they applied several attack scenarios to exhaust every opportunity to break the security of the web applications and APIs.

As a result, ScienceSoft's team was glad to report that the targeted web apps and APIs didn’t contain any critical security flaws. The testers revealed several vulnerabilities of low severity, such as:

  • An unrestricted number of failed login attempts. It allowed potential attackers to try brute-forcing user credentials for as long as they needed to find a working combination.
  • No limits on accessing the API gateway. It could facilitate brute-force attacks, increase the costs of a pay-as-you-go public cloud subscription, and slow down or even completely break down the API gateway.
  • Missing security headers that are needed to enhance the web apps' protection against clickjacking, cross-site scripting, and other common attacks.

ScienceSoft's security experts recommended fixing the detected issues without delay and offered the corrective measures for each one:

  • Adding CAPTCHA or locking out the account with an email notification to its owner after several failed login attempts.
  • Restricting the number of requests per client per time period (e.g., applying X-Rate-Limit headers); using Application Security Proxy/WAFs (e.g., AWS WAF).
  • Adding the X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security (HSTS) headers.
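The three corrective measures above, as an added illustration rather than code from the Customer or ScienceSoft: an in-memory login lockout, a per-client sliding-window rate limit that exposes X-Rate-Limit headers, and a check for the recommended response headers. The thresholds, window lengths and class names are assumptions for the demo.

```python
# Added example (not the Customer's or ScienceSoft's code); thresholds are assumed.
from collections import defaultdict, deque

RECOMMENDED_HEADERS = (
    "X-Content-Type-Options", "X-Frame-Options", "Strict-Transport-Security")

class LoginLockout:
    """Lock an account after MAX_FAILURES failed logins within WINDOW seconds."""
    MAX_FAILURES, WINDOW, LOCK_SECONDS = 5, 300, 900

    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of failures
        self.locked_until = {}               # user -> time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record(self, user, success, now):
        """Record one login attempt; returns True if the account is locked.
        A real service would also e-mail the owner when a lock is applied."""
        if self.is_locked(user, now):
            return True
        if success:
            self.failures.pop(user, None)    # a good login clears the counter
            return False
        q = self.failures[user]
        q.append(now)
        while q and q[0] <= now - self.WINDOW:   # drop failures outside window
            q.popleft()
        if len(q) >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCK_SECONDS
            return True
        return False

class RateLimiter:
    """Sliding-window limit of `limit` requests per `window` seconds per client."""
    def __init__(self, limit=100, window=60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)       # client -> timestamps of requests

    def check(self, client, now):
        """Returns (allowed, headers) so the gateway can expose the limit."""
        q = self.hits[client]
        while q and q[0] <= now - self.window:
            q.popleft()
        allowed = len(q) < self.limit
        if allowed:
            q.append(now)
        headers = {"X-Rate-Limit-Limit": str(self.limit),
                   "X-Rate-Limit-Remaining": str(self.limit - len(q))}
        return allowed, headers

def missing_security_headers(response_headers):
    """Recommended header names absent from a response (case-insensitive)."""
    present = {k.lower() for k in response_headers}
    return [h for h in RECOMMENDED_HEADERS if h.lower() not in present]
```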

After the Customer's team fixed the detected vulnerabilities, ScienceSoft's security experts ran another testing round and confirmed the enhanced security level of the targets.

Results

As a result of the penetration testing performed by ScienceSoft, the Customer's team was able to fix the minor security issues in its web applications and APIs. The Customer also received an attestation letter and security badges for the tested applications to communicate the testing results and their high-security status to its clients.

Technologies and Tools

Metasploit, Postman, Wireshark, Nessus, Burp Suite, Acunetix, Nmap.
