Pentesting of a Supply Chain Management Portal and Mobile Apps for a UK Company
The Customer is a UK financial technology company providing a supply chain finance portal that brings together banks, their clients and the clients’ suppliers. The portal facilitates negotiations between the clients and their suppliers and the purchasing and payment processes. It provides the banks with an option to approve their clients’ financial transactions or issue credits.
The Customer turned to ScienceSoft to get the security level evaluation of their supply chain management portal and mobile apps complementing it to reach the portal functionality from Android and iOS devices.
The Customer wanted to find out whether their web portal and mobile applications were vulnerable to the attacks from the outside and commissioned ScienceSoft’s security engineers to conduct black box penetration testing.
ScienceSoft’s security testing team performed black box penetration testing with the testing tools compliant with the ethical hacking methodology.
In the course of the penetration testing, ScienceSoft’s security engineers identified a number of vulnerabilities of different severity levels and gave the Customer the recommendations on how to address them:
- Strict transport security was not enforced in the web portal (low severity level).
The web portal failed to prevent users from unencrypted connections to it. SSL certificate verification was not ensured. Being able to modify a legitimate user’s network traffic, the attackers could use the Customer’s web portal as a platform for attacks against its users. ScienceSoft’s security testing team recommended enabling HTTP Strict Transport Security so that the web portal would instruct web browsers to only access the web portal using HTTPS.
- The IIS version was disclosed in the web portal (low severity level).
The disclosed information about the version of the Customer’s web server could help the attackers gain a greater understanding of the Customer’s internet information services and develop attacks targeted at the specific versions of IIS. ScienceSoft’s security testing team recommended the Customer to remove the information on the IIS version to improve the protection of the web portal.
- The debug flag in the manifest file was enabled in the mobile application for Android (high severity level).
The debug flag in the mobile app for Android was manually set to ‘true’ in the manifest file. It gave the hackers an opportunity to connect to an open debug port and disrupt the operation of the Customer’s mobile application. As a result, the hackers could get access to the sensitive data the Customer stores (banks’ clients’ confidential information, details on clients’ orders, etc.). ScienceSoft’s security testing team recommended the Customer to disable the debug flag in the manifest file.
- Certificate pinning was missing in the mobile applications for Android and iOS (medium severity level).
SSL certificate pinning is used to check the validity of the certificate used to encrypt data. The Customer did not have this parameter configured and implemented. If the attackers had enough experience to generate a valid certificate for the target domain, they could access the Customer’s portal and decrypt traffic. This could lead to the leakage of confidential data. ScienceSoft’s security testing team recommended the Customer to enable certificate pinning for the mobile apps for Android and iOS.
The Customer was provided with the assessment of the security level of their web portal and complementing Android and iOS mobile apps. Penetration testing performed by ScienceSoft’s security testing team allowed identifying several vulnerabilities in the Customer’s web portal and mobile applications. The Customer got the list of corrective measures aimed at increasing the protection level of their web portal and mobile applications.
Technologies and Tools
Metasploit, Nmap, SQLMap, Nikto, DIRB, Burpsuite, Nessus, Zmap