Web Applications Penetration Testing for a Multinational Retail Chain

Customer

The Customer is a multinational retail chain that numbers 12,000+ stores operating across more than 30 countries in Europe, Asia, Africa and Latin America. The Customer focuses on multi-format and multi-channel services provided through hypermarkets, supermarkets, convenience stores, cash & carry stores, as well as via e- and m-commerce. As of 2015, the retailer reported over €100 billion in revenue.

Challenge

The Customer was planning to launch several web applications to improve digital customer experience at one of the regional branches. As the new applications were supposed to process customers’ personal information, the Customer decided to turn to a penetration testing provider in order to assess the security level of the applications before their release to market.

Solution

ScienceSoft’s penetration testers experienced in analyzing corporate web resources security took up the challenge. To deliver a comprehensive list of existing vulnerabilities, ScienceSoft offered to perform penetration testing not only for the initially requested web applications but also for the website with which these applications interact, to see if potential intruders could gain access to the Customer’s network.

ScienceSoft’s team executed security check in line with the black-box model that requires testers to simulate intrusion into the Customer’s network with the Internet access only and to carry out technical attacks without using social engineering.

Relying on the OWASP TOP 10 methodology that includes the most dangerous security flaws of web applications, our pentesters checked if the Customer’s web application and website are resistant to SQL injections, if there are flaws in the authentication or session management functions, and assessed if it is possible to gain access to the Customer’s sensitive data or any backups of that data.

The major attention was paid to the web resources protection against cross-site scripting (XSS), the possibility to steal users’ accounts and the presence of security misconfigurations that could lead to sensitive data leaks. ScienceSoft also examined the possibilities to:

• Bruteforce administrator or user accounts credentials 
• Steal users cookies and redirect users to other websites containing malware
• Apply clickjacking (an attempt to trick web users into clicking on something different from what they think they are clicking on)
• Perform man-in-the-middle attacks (the ones in which an attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other)
• Use a DNS server for DDoS attacks

On the whole, the tested web resources showed high protection level against attacks of various complexity. However, ScienceSoft revealed a number of vulnerabilities that could allow hackers to gain control of the system if these vulnerabilities are exploited together. Upon completing the testing, ScienceSoft prepared a list of recommendations on the optimal ways to patch these vulnerabilities and reduce the risk of a real intrusion.

Results

The performed penetration test allowed the Customer to have a detailed overview of the existing vulnerabilities in their web resources that could attract potential hackers aiming to steal sensitive data or harm the corporate network. Owing to the recommendations provided by ScienceSoft’s experts, the Customer is now able to improve their web applications’ protection and launch new secure services.

Technologies and Tools

w3af, metasploit, BurpSuite, Qualys online scanner, web-sniffer.net, manual testing based on the OWASP TOP10 methodology.