November 28, 2018

VA-PT of Online Parcel Delivery Portal

Scenario: Fastest-growing parcel delivery and parcel booking platform, with thousands of live customers and hundreds of daily parcel bookings, faced a customer data leakage issue. The engagement was to provide in-depth security testing to find and fix all possible security vulnerabilities.

Test: We started with tool-based VA and then moved to penetration testing of the web application and server using manual techniques. The manual approach helped find 6 Severe-level and 9 High-level vulnerabilities that resulted in total customer data loss and privacy loss.

Risk:

  • Improper handling of sessions and cookies led to unauthorized login without credentials
  • A severe file upload vulnerability was found that could destroy the whole server
  • Users' original documents uploaded to the system were compromised and could be easily downloaded, so no user privacy was maintained

November 06, 2018

Cyber Attack Investigation for Casino Portal

Scenario: A casino portal's database was hacked, and screenshots were sent to the owner showing the databases of all the other portals hosted on the same server as well. The development company contacted us to identify how it had happened.

Approach: We did an initial review of the server. It was an IIS server with more than 20 applications running on it. Based on the screenshots, it was initially assumed that the attack was done using a shell upload. We analysed all available logs from the IIS server, but as the development company had purchased only the Basic plan, not enough logs were available. A few of the other applications were found to have vulnerable login forms. SQL Server logs were examined, and a few manual penetration attempts were made on the system to see whether we could find any known vulnerability and reproduce the scenario.

Conclusion:

  • A possible SSH compromise had happened, which led to IIS access
  • A brute-force attack was carried out on SQL Server using one genuine user name and a few similar-looking user names
  • One Korean IP address was found from which the maximum number of attempts were made
  • It was possible to bypass a few portals' login forms with vulnerable scripts that allowed system access

August 02, 2018

VA-PT of Educational ERP Management System

Data: The ERP had 60+ plug-and-play modules, with lakhs of live users and hundreds of clients active on it. The challenge was to perform penetration testing on a live server whose code was updated on a daily basis.

Test: The primary test included penetration testing of the web application, server and network. As the system was on a production server with 3000+ daily transactions, penetration testing was conducted taking care that the system did not go down during the daytime. The ERP had online payment integration with multiple gateways. The test had to cover combinations of dynamically generated multiple user types across 60+ modules, with a dynamic rights-based access mechanism at view level and data level.

Risks:

  • A logical security error in the payment gateway integration enabled payment fraud: by paying 11 bucks, parents could pay thousands of bucks of fees for their student
  • Code injections could lead to system exploitation, resulting in the system's misbehavior
  • Improper handling of sessions and cookies led to unauthorized login without credentials
  • The server was not configured well enough to withstand a DDoS attack
  • It was possible to enter scripts into the system that could target database integrity
  • 18 other security vulnerabilities that could leave the system open to attackers

July 28, 2018

Odoo Based CMS + QA Portal VA-PT

Data: An Odoo-based ERP web application with a multi-user admin panel and a plug-and-play module purchase system.

Test: The test was to provide an overview of the vulnerabilities present in the existing system, which led to a few critical attack vectors.

Risks:

  • A user's session can be hijacked, which lets anybody get into the account without authentication
  • Code injections could lead to system exploitation, resulting in the system's misbehavior
  • It was possible to enter scripts into the system that could target database integrity

Jun 16, 2018

Hotels Management CMS

Data: A very large CMS of a reputed group, used by chains of hotels across India. It contained data for more than 1000 hotels: room details, customer details, booking details, payment details, tax details, etc.

Test: The test was to try to penetrate the CMS and look into the possible vulnerabilities of the system. We were successful in uploading a shell into the system and compromising the complete CMS along with the hotels' data.

Risks:

  • Able to download 4+ GB of the CRM's database
  • Tampering with hotel bookings and registrations
  • Customer details compromised along with their booking IDs, room information, travel dates and payment details
  • Reputational loss for the hotels

February 15, 2018

Firewall Configuration Security Testing

Data: Firewall UTM/WEB.

Test: A check of the firewall configuration found that all settings had been left at their defaults and that traffic was not properly channelled or restricted.

Risks: Intrusion into sensitive data transmissions over the network.

February 15, 2018

Online Banking Site

Test: A few vulnerabilities from the top standards.

Risks: May lead to escalated attacks going further.

January 27, 2018

Event Site VA-PT

Data: Details of events and locations.

Test: This test was more of a code review and walkthrough test for some unusual behavior. It was found that a phishing PayPal page had been implanted in the site's payment section. Going further, we found a shell loaded into the root, which enabled the attacker to get to the system itself.

Risks: The whole system was compromised, along with each and every piece of information.

January 02, 2018

Donor Site VA-PT

Data: Online shopping where the purchase leads to a donation instead of profit making.

Test: The test revealed many of the OWASP Top 10 vulnerabilities, along with RFI/LFI attacks where one can run their own scripts within the onload event of the site's page. One can plant their scripts into the database as well.

Risks: Sensitive data leakage, leakage of customers' purchase details, donation amounts transferred to the attacker, database compromised.

November 24, 2017

E-Commerce VA-PT

Data: Typical online shopping, carts and payment gateways.

Test: It was vulnerable to almost 40% of the OWASP Top 10 attacks.

Risks: Customer detail leakage, as database access was open. Cart item modifications: before payment, we were able to place an order for 10x items for the same amount. The site was detected being used as a phishing site. Business reputation loss can happen.

January 10, 2016

Health Care Website (CMS) VA-PT

Data: Doctor details, hospital details, patient details, ongoing treatments, health-care devices used, online/remote control of patients' devices, online health monitoring.

Test: We were able to successfully get all the details and, shockingly, it was possible to alter the data to an extent that could bring variation in the medical treatment of a patient who was monitored online. There were chips fitted into patients which were sending constant data to a remote doctor. Using these, doctors were able to deliver a shock to a patient in case of bad health. We were able to change the frequency of the automatic shock, which can cause the patient's death.

Risks: Human loss, reputational loss for the hospital and doctors.
