Web Application Penetration Testing for a European Bank

Customer

The Customer is a European bank with $300+ mln in total assets and more than 40 national branches. The bank provides a whole spectrum of banking services for private and corporate customers.

Challenge

The bank sought penetration testing services to evaluate the overall security of certain web applications and to check how well protected their customers’ sensitive information was. The bank turned to ScienceSoft’s experts, who had carried out information security, fraud protection and penetration testing projects for banks with a world-known reputation. ScienceSoft was requested to test web applications that allowed the bank’s customers to use popular banking services and therefore involved processing and storing personal information (e.g., payment card numbers, transaction details, phone numbers and more).

Solution

To carry out high-quality, comprehensive testing of the web applications, ScienceSoft’s penetration testers used the OWASP Top 10 methodology. This methodology allows for identifying the most critical security flaws of web applications and provides detailed guidance on how to eliminate detected vulnerabilities. To ensure accurate results, ScienceSoft’s team used both manual and automated testing tools and techniques.

The pentesters chose the black-box testing model, which involved simulating various types of cyber-attacks with Internet access only. This type of testing reproduces the real scenario of an outside attack in which an attacker exploits web application flaws to reach critical data.

During the test, ScienceSoft’s specialists applied a range of testing methods to evaluate the resistance of the web apps to SQL injection, cross-site scripting and cross-site request forgery, as well as to detect security misconfigurations, components with known vulnerabilities, unvalidated redirects and forwards, and more. The pentesters also performed sophisticated brute force attacks to check the reliability of the authentication security controls.

Penetration testing for the banking institution revealed several vulnerabilities that fell into 4 categories as defined in the OWASP methodology. To help the Customer patch these security gaps, ScienceSoft provided a list of feasible measures to restore the required level of security and customer data protection in the shortest possible time.

Results

ScienceSoft performed 10 different penetration tests to analyze the security of the Customer’s web apps. The testing revealed 4 types of vulnerabilities, classified according to the risk levels defined in the methodology. ScienceSoft’s experts drew up a detailed remediation plan and recommended that the Customer focus on the authentication and data validation issues as fundamental to protecting sensitive information.

Technologies and Tools

Methodology: OWASP Top 10.

Tools: Burp Suite, Acunetix, Google Chrome Developer Tools, Python, WPScan, Nessus, Nmap, sqlmap, Metasploit.