VA-PT of HR Management Software - Cyber Security Case Study

Scenario

The client contracted us to perform a web VAPT on the provided URLs only. Because the product was an HR management system, information-leakage and authentication issues had to be examined closely. A payment gateway was also in scope, so the VAPT was performed in the live environment. A further constraint was that port scanning was limited to the specific ports provided by the client.

Testing methodology

The VAPT was carried out with a gray-box approach. Automated tools were used for scanning, restricted to the provided scope; for the payment gateway, only passive scanning was used. Exploitation was performed manually, keeping the presence of active users in mind.

Risk Found

- Broken authentication and improper session management, potentially leading to account takeover.
- Open redirection, affecting clients by redirecting them to a malicious site.
- Payment gateway manipulation, affecting payments and end users.
- Injection flaws, with potential data leakage as the impact.

Business Risk

Improper session management allowed another user's account to be taken over without authorization, which amounts to a breach of users' data privacy. Further, in combination with other vulnerabilities, manipulation of payment gateway requests allowed a payment to be recorded as fully successful while only 1 rupee was actually transacted. This exposed the business to a possible loss of payment transactions worth INR 3-4 Cr, along with customer data whose exposure could constitute a GDPR breach and cause reputational loss - all of which was averted.
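The payment finding above comes down to the application trusting an amount that the client-side payment flow reported. The reconciliation below is an added illustration, not code from the case study or the client's system: it assumes a hypothetical gateway callback carrying order_id, amount (in paise), status and an HMAC-SHA256 signature over those fields, and shows the server-side checks (authenticity, amount match against the merchant's own record, no double settlement) that close the 1-rupee gap. The field names, signing scheme and secret are assumptions, not any real gateway's API.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample data: the merchant's own record of the order, in paise (1 INR = 100 paise).
ORDERS = {"ORD-1001": {"amount_paise": 250000, "status": "PENDING"}}
# Hypothetical shared secret issued by the gateway (placeholder, not a real key).
GATEWAY_SECRET = b"example-gateway-secret"


@dataclass
class Callback:
    """Fields assumed to arrive in the gateway's payment callback."""
    order_id: str
    amount_paise: int
    status: str
    signature: str


def sign(order_id: str, amount_paise: int, status: str, secret: bytes = GATEWAY_SECRET) -> str:
    """HMAC-SHA256 over the callback fields in a fixed order (assumed signing scheme)."""
    msg = f"{order_id}|{amount_paise}|{status}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def settle_order(cb: Callback, orders=ORDERS) -> str:
    """Mark the order PAID only if the callback is authentic and matches our own record."""
    order = orders.get(cb.order_id)
    if order is None:
        return "REJECTED: unknown order"
    # 1. Authenticity: the signature must cover order_id, amount and status together,
    #    so none of them can be edited in transit without invalidating it.
    expected = sign(cb.order_id, cb.amount_paise, cb.status)
    if not hmac.compare_digest(expected, cb.signature):
        return "REJECTED: bad signature"
    # 2. Reconciliation: compare against the amount stored server-side at checkout,
    #    never against anything the client supplied. A 100-paise success for a
    #    250000-paise order fails here.
    if cb.status != "SUCCESS" or cb.amount_paise != order["amount_paise"]:
        return "REJECTED: amount or status mismatch"
    # 3. Replay guard: a callback for an already settled order is not honoured twice.
    if order["status"] == "PAID":
        return "REJECTED: already settled"
    order["status"] = "PAID"
    return "PAID"


if __name__ == "__main__":
    one_rupee = Callback("ORD-1001", 100, "SUCCESS", sign("ORD-1001", 100, "SUCCESS"))
    print(settle_order(one_rupee))   # REJECTED: amount or status mismatch
    good = Callback("ORD-1001", 250000, "SUCCESS", sign("ORD-1001", 250000, "SUCCESS"))
    print(settle_order(good))        # PAID
```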