Data: ERP was having 60+ plug and play modules with Lakhs of live users and Hundred of Clients active on it. Challenge was to perform Penetration testing on Live server with daily bases updating code.
Test: Primary test includes Penetration testing of Web Application, Server and Network. As system was on Production server having 3000+ daily transactions, penetration testing was conducted with taking care that system must not be down during day time. ERP was having on-line payment integration with multiple gateways. Test was to conduct for combination of Dynamically generated multiple user types with 60+ Modules with Dynamic right based access mechanism at view level + data level.
Risks: Logical Security error in payment gateway integration which enable payment fraud. By paying 11 bucks, parents could pay thousands of bucks of fees for their student, Code injections could lead to system exploitation resulting into system’s misbehavior, improper handling of session and cookies led to unauthorized login without credential,Server was not configured enough to avoid DDoS attack, Possible to enter scripts into the system which could target database integrity, Other 18 security vulnerabilities that can make system open to attacker