August 02, 2018

VA-PT of Educational ERP Management System

Data: The ERP had 60+ plug-and-play modules, with lakhs of live users and hundreds of clients active on it. The challenge was to perform penetration testing on a live server whose code was being updated on a daily basis.

Test: The primary test included penetration testing of the web application, server and network. As the system was on a production server handling 3000+ daily transactions, penetration testing was conducted with care that the system must not go down during the daytime. The ERP had online payment integration with multiple gateways. The test had to cover combinations of dynamically generated multiple user types across 60+ modules, with a dynamic rights-based access mechanism at view level and data level.

Risks:

  • A logical security error in the payment gateway integration enabled payment fraud: by paying 11 bucks, parents could pay thousands of bucks of fees for their student,
  • Code injections could lead to system exploitation, resulting in the system’s misbehaviour,
  • Improper handling of sessions and cookies leads to unauthorised login without credentials,
  • The server was not configured well enough to avoid DDoS attacks,
  • It was possible to enter scripts into the system which could target database integrity,
  • 18 other security vulnerabilities that can leave the system open to an attacker

    July 28, 2018

    Odoo Based CMS + QA Portal VA-PT

    Data: An Odoo-based ERP web application with a multi-user admin panel and a plug-and-play module purchase system.

    Test: The test was to provide an overview of the vulnerabilities present in this existing system, which led to a few critical attack factors.

    Risks:

  • The user’s session can be hijacked, which allows anybody to get into the account without authentication,
  • Code injections could lead to system exploitation, resulting in the system’s misbehaviour,
  • It was possible to enter scripts into the system which could target database integrity

    Jun 16, 2018

    Hotels Management CMS

    Data: A very large CMS belonging to a reputed group, used by chains of hotels across India. It contained data for more than 1000 hotels: room details, customer details, booking details, payment details, tax details etc.

    Test: The test was to try to penetrate the CMS and look into the possible vulnerabilities of the system. We were successful in uploading a shell into the system and compromising the complete CMS along with the hotels’ data.

    Risks:

  • Able to download 4+ GB of CRM's database,
  • Hotel booking and registrations tampering,
  • Customer details compromised along with their booking IDs, room information, travel dates and payment details,
  • Reputational loss for the Hotels

    February 15, 2018

    Firewall Configuration Security Testing

    Data: Firewall UTM/WEB.

    Test: A check of the firewall's configuration found that all the settings had been left at their defaults and that traffic was not properly channelled or restricted.

    Risks: Trespassing into sensitive transmission of data over the network.

    February 15, 2018

    Online Banking site.

    Test: A few vulnerabilities from the top standards.

    Risks: May lead to elevating attacks going further.

    January 27, 2018

    Event Site VA-PT

    Data: Details of events and location.

    Test: This test was more of a code review and walkthrough test for some unusual behaviour. It was found that a phishing PayPal page had been implanted into the site's payment section. Going further, we found a shell loaded into the root which enabled the attacker to get to the system itself.

    Risks: The whole system was compromised, along with each and every piece of information.

    January 02, 2018

    Donor Site VA-PT

    Data: Online shopping where the purchase leads to donation instead of profit making.

    Test: It led to many of the OWASP Top 10 vulnerabilities, along with RFI/LFI attacks where one can run one's own scripts within the onload event of the site's page. One can plant scripts into the database as well.

    Risks: Sensitive data leakage, leakage of customers' purchase details, donation amounts transferred to the attacker, database compromised.

    November 24, 2017

    E-Commerce VA-PT

    Data: Typical online shopping, carts and payment gateways.

    Test: It was vulnerable to almost 40% of the OWASP Top 10 attacks.

    Risks: Customer detail leakage, as database access was open. Cart item modifications - before payment we were able to place an order for 10x items for the same amount. The site was detected to be in use as a phishing site. Business reputation loss can happen.

    January 10, 2016

    Health Care Website (CMS) VA-PT

    Data: Doctor details, hospital details, patient details, ongoing treatments, healthcare devices used, online/remote control of patients' devices, online health monitoring.

    Test: We were able to successfully get all the details and, shockingly, it was possible to alter the data to an extent that could bring variation in the medical treatment of the patient who was being monitored online. There were chips fitted into patients which were giving constant data to a remote doctor. Using these, doctors were able to provide a shock to the patient in case of bad health. We were able to change the frequency of the automatic shock - that can cause the patient's death.

    Risks: Human loss; reputational loss for the hospital and the doctor.
