Web Application Penetration Testing for a Tokenization Services Provider
The Customer is a US-based fintech company focusing on tokenization services. They deliver consultations and technology solutions to help businesses tokenize digital or physical assets, trade and manage them.
The Customer needed to test their two newly created web apps that helped users create and manage tokenized securities. They wanted to find out if the apps contained any security gaps that could enable hackers to get hold of users’ digital assets, steal or modify sensitive personal and financial data, or cause the web applications’ failure. The Customer didn’t have security testing engineers able to perform this task in their in-house team, so they were looking for an expert penetration testing vendor.
Within a 7-day period, ScienceSoft’s experts performed security testing according to the OWASP Web Security Testing Guide. They followed the black box testing method (having strictly limited knowledge of the testing targets) to simulate real-world external attacks on the Customer’s web applications. The testing team combined automated vulnerability scanning with manual analysis of the scanning results to reveal potential entry points for cyberattacks, and used manual testing to exploit the uncovered vulnerabilities.
Detecting and exploiting vulnerabilities
ScienceSoft’s team checked the Customer’s applications against the most critical web app security risks according to the OWASP Top 10 checklist: injections, broken authentication, broken access control, sensitive data exposure, XXE, XSS, security misconfigurations, insecure deserialization, use of unpatched or outdated libraries and frameworks with known vulnerabilities, and insufficient logging and monitoring of user activity.
The pentesters reported all found vulnerabilities, classifying them by severity and likelihood of exploitation. Among the critical issues were API vulnerabilities related to security misconfigurations that could potentially enable brute-force and man-in-the-middle attacks.
Upon exploiting the found vulnerabilities, ScienceSoft’s security experts offered corrective measures for all detected security gaps: implementing brute-force protection, disabling cross-origin resource sharing (CORS) or configuring a list of trusted domains that would have access to APIs, replacing outdated TLS protocols with up-to-date versions, and more.
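Two of the corrective measures named above, a CORS allowlist of trusted domains and brute-force protection for login, are shown here as an added example. This is not ScienceSoft’s or the Customer’s code; the origin names are constructed placeholders, and the lockout thresholds are assumptions chosen for illustration. The weak CORS handler is included only to contrast the misconfiguration (reflecting any Origin while allowing credentials) with the allowlist form.

```python
"""Added example: CORS origin allowlist and login brute-force throttling.
Framework-independent so it can be dropped behind any API handler."""
from dataclasses import dataclass, field
from time import monotonic

# Constructed allowlist of trusted front-end origins (placeholder names).
TRUSTED_ORIGINS = frozenset({
    "https://app.example-tokenization.test",
    "https://admin.example-tokenization.test",
})


def cors_headers_weak(request_origin):
    """The misconfiguration: reflect whatever Origin the browser sent and
    allow credentials, so any third-party site can read authenticated API
    responses on behalf of a logged-in user."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(request_origin, trusted=TRUSTED_ORIGINS):
    """Allow only an exact string match against the allowlist. Any other
    origin (or a missing Origin header) gets no CORS headers at all, so the
    browser refuses to expose the response. Vary: Origin keeps caches from
    serving one origin's headers to another."""
    if request_origin is None or request_origin not in trusted:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


@dataclass
class LoginThrottle:
    """Per-account failure counter with a temporary lockout.
    Thresholds are assumed values, not taken from the case study."""
    max_failures: int = 5
    lockout_seconds: float = 900.0
    # account -> (consecutive failures, lockout expiry on the monotonic clock)
    _state: dict = field(default_factory=dict)

    def attempt(self, account, password_ok, now=None):
        """Record one login attempt and return 'ok', 'denied' or 'locked'.
        `now` is injectable so the behaviour can be tested deterministically."""
        now = monotonic() if now is None else now
        failures, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            # Still inside the lockout window: refuse even a correct password,
            # otherwise the lockout gives the attacker a free oracle.
            return "locked"
        if password_ok:
            self._state.pop(account, None)
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self._state[account] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[account] = (failures, 0.0)
        return "denied"


if __name__ == "__main__":
    print(cors_headers_hardened("https://evil.test"))   # {}
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for t in (0, 1, 2, 3):
        print(t, throttle.attempt("alice", False, now=t))
```

Per-account lockout stops online password guessing against one user but lets anyone lock a known account by sending bad passwords; in practice it is paired with per-source-IP rate limiting, progressive delays, and alerting on lockout spikes so the log-and-monitor gap the report also flagged is covered.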
Retesting fixed vulnerabilities
Two weeks later, when the Customer’s IT team fixed the detected security gaps, ScienceSoft’s experts retested the web applications and confirmed their increased security level.
ScienceSoft’s security team delivered the final report on the penetration testing process, its findings and retesting results. They also recommended gray box penetration testing to study potential security flaws at a deeper level and social engineering testing through email phishing simulation to check if the Customer’s employees could withstand email-related security attacks.
The Customer got a clear view of the vulnerabilities in their web applications and a detailed remediation plan for them, which helped increase the overall level of the web applications’ security. The Customer also got practical advice on further testing activities to check resilience to other types of hacking, including human-based attacks.
Technologies and Tools
Metasploit, Nessus, Burp Suite, Acunetix, Nmap, sslscan, dirb, custom scripts for the exploitation of vulnerabilities (written in Python, C, Perl)