VA-PT of Educational ERP Management System - Cyber Security Case Study

Scenario

A growing platform as a school ERP system contracted us for performing full VAPT. As the system has to handle thousands of users. Client also allowed for performing web server VAPT for potential issues as well. ERP was having 60+ plug and play modules with Lakhs of live users and Hundred of Clients active on it. Challenge was to perform Penetration testing on Live server with daily bases updating code.

Testing methodology

The gray-box approach was applied as initial demo was provided by the client. The scanning part was covered with automated tools and utilized the information for identifying false positives. Later the filtered information was utilized for manual exploitation for avoiding any consequences. In terms of web server scanning and exploitation was performed in automated and manual manner respectively. The outcome of the entire exercise was categorized in high, medium and low severity issues. Primary test includes Penetration testing of Web Application, Server and Network. As system was on Production server having 3000+ daily transactions, penetration testing was conducted with taking care that system must not be down during day time.

Risk Found

    Combination of severe vulnerabilities found in the Educational ERP from which a major one found in Payment gateway integration which is used to take online feels from students and handle school accounting automatically. We were able to process a successful transaction of some thousand rupees of fees in ERP by actually just paying 1 rupee. Payment gateway was itself PCI-DSS certified but the integration done by ERP developer was vulnerable. This could lead to actual loss of School fees payment of approximate valuation of 7 Million USD (50Cr) transactions. ERP was also vulnerable with DDoS attack, due to which the live system can be down / destroyed that could lead to possible Reputation loss of current valuation of 10Cr of the brand - that was saved.

Business Risk

------------------