Web Application Penetration Test for a Tokenization Services Provider in 7 Days

Customer

The Customer is a US-based fintech company focusing on tokenization services. They deliver consultations and technology solutions to help businesses tokenize digital or physical assets, trade and manage them.

Challenge

The Customer needed to test their two newly created web apps that helped users create and manage tokenized securities. They wanted to find out if the apps contained any security gaps that could enable hackers to get hold of users’ digital assets, steal or modify sensitive personal and financial data, or cause the web applications’ failure. The Customer didn’t have security testing engineers able to perform this task in their in-house team, so they were looking for an expert penetration testing vendor.

Solution

Within the 7-day period, ScienceSoft’s experts performed security testing according to the OWASP Web Security Testing Guide. They followed the black box testing method (having strictly limited knowledge of the testing targets) to simulate real-world external attacks on the Customer’s web applications. The testing team combined automated vulnerability scanning with manual analysis of scanning results to reveal potential entry points for cyberattacks and used manual testing to exploit the uncovered vulnerabilities.

Detecting and exploiting vulnerabilities

ScienceSoft’s team checked the Customer’s applications against the most critical web app security risks according to the OWASP TOP 10 checklist: injections, broken authentication, broken access control, sensitive data exposure, XXE, XXS, security misconfigurations, insecure deserialization, using unpatched or outdated libraries and frameworks with known vulnerabilities, insufficient logging and monitoring of user activity.

The pentesters reported all found vulnerabilities classifying them by their severity and likelihood of exploitation. Among the critical issues were API vulnerabilities related to security misconfigurations that could potentially enable brute-force and man-in-the-middle attacks.

Upon exploiting the found vulnerabilities, ScienceSoft’s security experts offered corrective measures for all detected security gaps: implementing brute-force protection, disabling cross-origin resource sharing (CORS) or configuring a list of trusted domains that would have access to APIs, replacing outdated TLS protocols with up-to-date versions , and more.

Retesting fixed vulnerabilities

Two weeks later, when the Customer’s IT team fixed the detected security gaps, ScienceSoft’s experts retested the web applications and confirmed their increased security level.

Final reporting

ScienceSoft’s security team delivered the final report on the penetration testing process, its findings and retesting results. They also recommended gray box penetration testing to study potential security flaws at a deeper level and social engineering testing through email phishing simulation to check if the Customer’s employees could withstand email-related security attacks.

Results

The Customer got a clear view of the vulnerabilities in their web applications and a detailed remediation plan for them, which helped increase the overall level of the web applications’ security. The Customer also got practical advice on further testing activities to check resilience to other types of hacking, including human-based attacks.

Technologies and Tools

Metasploit, Nessus, Burp Suite, Acunetix, Nmap, sslscan, dirb, custom scripts for the exploitation of vulnerabilities (written in Python, C, Perl)