Pen-testing a cheque deposit thick client application

We were contacted by the client to conduct a comprehensive Web Application Assessment and Penetration Testing of the target application that also includes all the ports and exploitation of findings. The exercise ended with multiple issues later divided into high, medium and low severity based on the impact. The sandbox was provided by the client for the testing purposes.

We went with a hybrid mode where we perform the scanning with an automated scanner and then manually validate the findings generated by the automated scanner. Post the automatic scan, we went with manually crafted checks to cover 360 degrees of testing. We conducted a comprehensive scan of all the in-scope system and digital assets for security misconfiguration to identify potential weaknesses which could lead to system compromise and potential PII data loss.

Multiple instances of Persistent cross-site scripting Full path disclosure Missing DMARC record HTML injection. Missing HTTP security headers.

Due to high-risk vulnerabilities it was possible to steal PII data and spoof the email address of the authorities which might have ended up a successful social engineering attack and could cause financial and reputation loss.