Pen-Testing of Automobile accessory designing Portal - Cyber Security Case Study

Scenario

The company contacted us to perform a web VAPT. As the target was a live environment, we were not allowed to perform DoS attacks and the scope was limited. Even so, the exercise surfaced High-, Medium- and Low-severity issues.

Testing methodology

The provided environment was live, so a black-box methodology was applied. We performed an automated scan at low intensity to avoid harming the live environment and its users; a manual approach was chosen for exploitation.

Risk Found

- Outdated web server version, easily exploitable using publicly available exploits.
- Unrestricted file upload leads to server takeover and sensitive information leakage.
- Directory traversal potentially leads to sensitive information exposure.
- Improper session management leads to account takeover.
- Lack of proper encryption results in capturing sensitive data via a MiTM attack.
- Absence of secure flags helps an attacker exploit session-related issues.
- HTTP OPTIONS method enabled allows an attacker to identify the communication options supported by the server.
- Clickjacking could play a role in social engineering.
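Several of the findings above (missing cookie flags, missing transport security, clickjacking, version disclosure, OPTIONS enabled) are visible in a single HTTP response. The audit function below is an added example written for this write-up, not the assessor's tooling; the two responses it checks are constructed samples, not captures from the tested portal.

```python
import re

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lowercased name, value) pairs from a raw response; duplicates kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw: str) -> list[str]:
    """List header-level weaknesses in one response (empty list = clean)."""
    headers = parse_headers(raw)
    get = lambda name: [v for k, v in headers if k == name]
    findings = []
    # Session cookies without Secure/HttpOnly travel in clear text or are reachable by script
    for cookie in get("set-cookie"):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cname} missing {flag} flag")
    # Without HSTS the first request can be downgraded to plain HTTP (MiTM)
    if not get("strict-transport-security"):
        findings.append("missing Strict-Transport-Security")
    # Clickjacking: nothing restricts framing of the page
    csp = " ".join(get("content-security-policy"))
    if not get("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("framing unrestricted (clickjacking)")
    # A version in the Server banner makes matching public exploits trivial
    for banner in get("server"):
        if re.search(r"\d+\.\d+", banner):
            findings.append(f"server version disclosed: {banner}")
    # An Allow header means the OPTIONS probe was answered; TRACE/PUT/DELETE add risk
    for allow in get("allow"):
        methods = {m.strip().upper() for m in allow.split(",")}
        findings.append("OPTIONS method enabled")
        for m in sorted(methods & {"PUT", "DELETE", "TRACE"}):
            findings.append(f"risky method allowed: {m}")
    return findings

# Constructed samples: a weak response and its hardened counterpart
WEAK = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
        "Set-Cookie: PHPSESSID=abc123; Path=/\r\n\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
            "Strict-Transport-Security: max-age=31536000\r\n"
            "X-Frame-Options: DENY\r\n\r\n<html>")
```

Running `audit_response(WEAK)` returns seven findings and `audit_response(HARDENED)` returns none, which is the retest result a remediation should produce.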

Business Risk

A combination of serious vulnerabilities was found in the web server and the application code. The web server was outdated and therefore exploitable via publicly available exploits. Once server access was obtained, we found directory traversal and unrestricted file upload, through which we were able to gain unauthorized access to approximately "Yearly 3M$ worth automobile part films" that were stored there.