Web Application and API Pentesting for an Enterprise Mobility Solutions Vendor
Customer
The Customer is a US-based provider of innovative mobility and tracking solutions for businesses in healthcare, manufacturing, energy, retail, hospitality, and transportation.
Challenge
As a competent IT vendor, the Customer treats cybersecurity as a priority and runs a comprehensive security program. Regular security assessments are an integral part of that program: the Customer has its products and IT infrastructure tested on a fixed schedule and after any significant modification. This time, the Customer was looking for a qualified cybersecurity service provider to check its new web application and API for vulnerabilities.
Solution
Impressed with ScienceSoft’s sizable portfolio of projects in cybersecurity, the Customer decided to entrust its project to our security team.
As per the Customer’s request, the pentesting project was to include two stages:
- Black box penetration testing of a new web application that was added to the company’s website and 2 public IPs.
- Gray box penetration testing of the same web application and one API (up to 70 endpoints).
To keep the assessment consistent and efficient, ScienceSoft’s testers performed penetration testing according to the OWASP Web Security Testing Guide and NIST SP 800-115.
During black box testing, ScienceSoft’s team found 6 more web applications hosted on the targeted IP addresses via reverse IP lookup. They scanned these applications for vulnerabilities and attempted to exploit the detected weaknesses. The testers were then provided with user and admin credentials to conduct gray box testing.
ScienceSoft’s experts were pleased to find that the testing targets contained no critical vulnerabilities. However, they revealed 8 security issues of medium and low severity that could compromise the web applications and the API, including:
- A web application using outdated libraries and frameworks: AngularJS 1.4.8 with 15 known vulnerabilities, ZURB Foundation 5.1.0 with 3 known vulnerabilities, and jQuery 2.1.4 with 4 known vulnerabilities. These could let an attacker perform clickjacking, cross-site scripting, denial of service, or prototype pollution.
- An unlimited number of login attempts, which left the web application open to brute-force attacks: an attacker could keep submitting password candidates (every combination of digits, letters, and symbols, or a wordlist) until one worked, with nothing in the application to slow them down or lock the account.
- A remote host supporting weak ciphers. Traffic intercepted from a man-in-the-middle position could therefore be decrypted and used for subsequent attacks; for example, an intruder could recover the session ID from an HTTPS cookie, hijack the authenticated session, and act as that user.
- A remote service accepting connections over the deprecated TLS 1.0 and 1.1 protocols.
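The login-attempt finding above is a missing control rather than a bug in one line of code, so the following added example (written for this page, not the Customer’s or ScienceSoft’s code) shows the control itself: a throttle that counts failed logins per account and per source IP and locks either key out. The policy values, the single constructed user, and the IP addresses are assumptions; the injectable clock exists so the lockout can be exercised without waiting.

```python
"""Failed-login throttling, the control missing from the web application above.

Added example, not the Customer's or ScienceSoft's code. The policy values,
the constructed user store, and the source IPs are assumptions.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: lock after 5 failures ...
WINDOW_SECONDS = 900    # ... within 15 minutes ...
LOCKOUT_SECONDS = 900   # ... for 15 minutes

_SALT = b"constructed-salt-do-not-reuse"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store; a real one holds a per-user salt.
USERS = {"alice": _hash("correct horse battery staple")}
# Compared against for unknown users so response time does not reveal valid usernames.
_DUMMY_HASH = _hash("dummy")


class LoginThrottle:
    """Counts failures per account and per source IP; locks either key out."""

    def __init__(self, now=time.monotonic):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lockout expires

    def _is_locked(self, key, t):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if t < until:
            return True
        del self.locked_until[key]           # lockout expired: reset the counter
        self.failures[key].clear()
        return False

    def _record_failure(self, key, t):
        q = self.failures[key]
        while q and t - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        q.append(t)
        if len(q) >= MAX_FAILURES:
            self.locked_until[key] = t + LOCKOUT_SECONDS

    def attempt(self, username, password, source_ip):
        """Return 'ok', 'failed', or 'locked'. Locked attempts are not even checked."""
        t = self.now()
        keys = (f"user:{username}", f"ip:{source_ip}")
        if any(self._is_locked(k, t) for k in keys):
            return "locked"
        stored = USERS.get(username)
        candidate = stored if stored is not None else _DUMMY_HASH
        ok = hmac.compare_digest(candidate, _hash(password)) and stored is not None
        if ok:
            for k in keys:
                self.failures[k].clear()
            return "ok"
        for k in keys:
            self._record_failure(k, t)
        return "failed"


def simulate_bruteforce(throttle, username, candidates, source_ip):
    """Attacker cycles through a password list; returns (outcome, attempts made)."""
    for i, pw in enumerate(candidates, 1):
        outcome = throttle.attempt(username, pw, source_ip)
        if outcome != "failed":
            return outcome, i
    return "failed", len(candidates)


if __name__ == "__main__":
    # Constructed wordlist: the correct password is sixth, one past the lockout threshold.
    wordlist = ["123456", "password", "qwerty", "letmein", "admin", "correct horse battery staple"]
    print(simulate_bruteforce(LoginThrottle(), "alice", wordlist, "198.51.100.7"))
```

Locking on the account as well as on the source IP matters: an attacker spreading attempts over many IPs still hits the account lock, and one spraying many accounts from one IP hits the IP lock. In production the counters belong in a shared store rather than process memory, and each lockout should be logged so the SOC can see the attempt.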
ScienceSoft’s security testers classified the detected issues according to commonly used standards: the OWASP Top 10, the OWASP API Security Top 10, and CVSS. They also described the necessary corrective measures, such as:
- Upgrading AngularJS, ZURB Foundation, and jQuery to their most recent versions (AngularJS itself has since reached end of life, so migrating off it is the longer-term fix).
- Configuring the web server to reject weak cipher suites.
- Limiting the number of failed login attempts.
- Disabling TLS 1.0 and 1.1, and more.
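The two transport-level measures (rejecting weak cipher suites, disabling TLS 1.0 and 1.1) are shown below as an added example, written for this page and not taken from the Customer’s server configuration. It uses Python’s ssl module because the same policy is expressed there as a version floor plus a cipher string, exactly as in a web server’s TLS stanza. SCANNER_OUTPUT is a constructed list of suite names as a scanner might report them; the cipher string and the marker list are one reasonable policy, not the one in the pentest report, and probe_legacy_tls is the retest a tester would run against the fixed host, so it is not executed here.

```python
"""TLS server hardening for the weak-cipher and TLS 1.0/1.1 findings, plus a check.

Added example, not the Customer's web server configuration. SCANNER_OUTPUT is a
constructed list of suite names; the cipher string and version floor are an
assumed policy.
"""
import socket
import ssl

# Constructed: cipher suites a scanner might list for the remote host in the finding.
SCANNER_OUTPUT = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

# Substrings marking a suite as weak: broken ciphers, export grades, no authentication, MD5 MAC.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5", "ADH", "AECDH", "anon")


def weak_suites(names):
    """Return the suite names that match a weak-algorithm marker (case-insensitive)."""
    return [n for n in names if any(m.lower() in n.lower() for m in WEAK_MARKERS)]


def hardened_server_context(certfile=None, keyfile=None):
    """Server context: TLS 1.2 floor, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # the "disable TLS 1.0 and 1.1" fix
    # ECDHE key exchange with AES-GCM or ChaCha20; explicitly exclude the classes found weak.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!3DES:!RC4")
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Summarise what a server built from ctx can negotiate."""
    suites = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "protocols": sorted({c["protocol"] for c in suites}),
        "weak": weak_suites(c["name"] for c in suites),
    }


def probe_legacy_tls(host, port=443, timeout=5.0):
    """Retest from outside: does the host still complete a TLS 1.0/1.1 handshake?

    Returns the negotiated version string, or None if no legacy handshake succeeded.
    A client built against OpenSSL 3 may itself refuse to offer TLS 1.0, which also
    yields None, so confirm with a second tool before closing the finding.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # probing protocol support, not identity
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("ALL:@SECLEVEL=0")       # offer everything, as an attacker would
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    print("scanner flagged:", weak_suites(SCANNER_OUTPUT))
    print("hardened context:", audit_context(hardened_server_context()))
```

Against the constructed scanner output the marker scan flags the RC4, 3DES, export-grade and anonymous suites and leaves the two ECDHE/TLS 1.3 suites alone; the hardened context reports a TLS 1.2 floor, only TLS 1.2 and 1.3 suites, and an empty weak list. The equivalent in a web server is the same pair of settings (minimum protocol version and cipher string), and the probe is how the retest is done once the change is deployed.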
ScienceSoft’s team of two testers planned, carried out, and reported on the penetration testing project within 14 days.
Results
The Customer received a detailed description of the security gaps in its web applications and API, together with a remediation roadmap. With ScienceSoft’s guidance, the Customer’s IT team promptly resolved the reported issues. Satisfied with the outcome and the quality of ScienceSoft’s services, the Customer plans to engage our security team in its future security assessments.
Technologies and Tools
Postman, Vooki, Nessus, Burp Suite, Acunetix, Nmap, Netsparker.