VA-PT of HR Management Software - Cyber Security Case Study
The client contracted us to perform a web VAPT against the provided URLs only. Because the product was an HR management system, it was necessary to look for information leakage issues and authentication issues as well. Moreover, a payment gateway was in scope, so the VAPT was performed in the live environment. A further constraint was that port scanning was limited to the specific ports provided by the client.
The VAPT was carried out using a gray-box approach. Automated tools were used for scanning, restricted to the provided scope; for the payment gateway only passive scanning was used. Exploitation was carried out manually, keeping the active users of the live system in mind.
Improper session management was present, which allowed unauthorized take-over of other users' accounts and hence a breach of those users' data privacy. Further, along with other vulnerabilities, manipulation of payment gateway requests resulted in a fully successful payment while only 1 rupee was actually transacted. This exposed the business to a possible loss of payment transactions worth INR 3-4 Cr, along with customer data whose exposure could have amounted to a breach of the GDPR standard and reputational loss for the business; that loss was averted.