contact@scnsoft.com en flag +1 214 306 68 37
en flag +1 214 306 68 37
Contact us
Pentesting and a Phishing Campaign for a Web Design Platform

Pentesting and a Phishing Campaign for a Web Design Platform

Industry
Information Technology

Customer

The Customer is a US-based SaaS company that has created a powerful web design platform. The platform functionality allows individual web designers, marketing agencies, and hosting companies to build sleek and agile websites.

Challenge

To maintain its reputation as a secure business, the Customer takes a proactive approach to its cyber defense and performs regular security checks of its web platform. Aware of the scale and potential impact of human-based cyberattacks, the Customer is also dedicated to building corporate security culture and raising the cyber awareness of its employees.

After a recent modification of its web platform, the Customer was looking for an experienced penetration testing vendor that would also be proficient in social engineering techniques.

Solution

Due to ScienceSoft’s versatile cybersecurity expertise and a solid portfolio of successful projects in the field, the Customer chose ScienceSoft over other pentesting vendors. Our security team was to test the following web platform and IT infrastructure components: 2 web applications, 1 API with 100 endpoints, 4 public-facing IPs. Another key task was to organize a phishing campaign to assess the security awareness of the Customer’s employees.

To meet the 14-day project deadline set by the Customer, ScienceSoft provided a team of two experienced ethical hackers.

1. Penetration testing

ScienceSoft’s team started with black box testing to see how a potential attacker with no previous knowledge of the targets could try to break through the security perimeter of the web platform. After that, the team switched to the gray box approach: the testers were provided with credentials for a default user role. They explored how an intruder could compromise the web platform or its infrastructure once they gained low-privileged access to the web apps and APIs. While planning and executing the pentests, the team was following the OWASP Web Security Testing Guide and NIST SP 800-115 practices.

As a result of the performed activities, ScienceSoft’s team revealed several issues that could compromise the web platform’s security. The most critical ones included:

  • Missing user input validation in one of the web apps, exposing it to cross-site scripting (XSS) and SQL injection attacks.
  • Email enumeration vulnerability allowing a malicious actor to define valid emails and use them for further brute-force or social engineering attacks.
  • A misconfigured web server leaking sensitive information about the website’s internal architecture and the tech stack used in its development.

To fix the detected vulnerabilities, ScienceSoft’s security experts recommended:

  • Implementing proper user input validation and filtering.
  • Disabling email enumeration, implementing protection against brute-force attacks.
  • Configuring the web server to restrict access to potentially sensitive files.

2. Email phishing campaign

ScienceSoft’s ethical hackers simulated bulk email phishing attacks, targeting 200 of the Customer’s employees. The testers used emails with malicious links, fake login forms, and executable files. The campaign showed that most of the users followed the necessary precautions: even those who opened the malicious emails did not click on the links they contained. However, there were several cases of unsafe behavior where employees did click on the malicious links.

ScienceSoft’s testers were pleased to confirm that the existing cybersecurity training processes established by the Customer were effective enough. They recommended to conduct regular social engineering testing to keep the employees aware of the ever-evolving cyber threats and timely detect those that require additional training.

Results

Within just two weeks, the Customer received a detailed report on the vulnerabilities compromising the security of its newly modified web design platform, complete with actionable remediation guidelines. The Customer was able to promptly fix the detected security issues and ensure full protection of the end users’ data. Owing to the phishing campaign conducted by ScienceSoft, the Customer received proof of the high cybersecurity awareness of its employees and was able to identify those who needed additional training.

Technologies and Tools

Metasploit, Nessus, Burp Suite, Acunetix, Nmap, Nikto, Snyk, Dirb.

Have a question to our team or need help with your project?

Our team is ready to provide client references, estimate your project, or answer any other question related to your IT initiative.

Upload file

Drag and drop or to upload your file(s)

?

Max file size 10MB, up to 5 files and 20MB total

Supported formats:

doc, docx, xls, xlsx, ppt, pptx, pps, ppsx, odp, jpeg, jpg, png, psd, webp, svg, mp3, mp4, webm, odt, ods, pdf, rtf, txt, csv, log

Get in touch instantly

Call us Live chat WhatsApp Email us

More Case Studies

Share:

facebook twitter linkedin