Web Application Penetration Testing for a US Recruitment Advertising Agency
The Customer is a US-based recruitment advertising company. Their recruitment optimization platform has already helped to bring together more than 100 million job seekers and over 10K job sites. The Customer’s client base comprises major players across various industries, such as financial services, healthcare, manufacturing, technology and telecom. Some of the Customer’s loyal clients include the likes of PNC Financial Services, Nestle, Citrix Systems and Hewlett-Packard.
Acting as an intermediary between job seekers and employers, the Customer operates a vast amount of clients’ data, such as names, addresses, phone numbers, user IDs and passwords. This sensitive data needs solid security protection from being stolen or tempered. Any data security breach may lead to client’s churn and loss of the company’s position on recruitment advertising market.
To maintain the reputation of a trustworthy recruiting industry veteran with a strong security posture, the Customer chose ScienceSoft to perform web application penetration testing by our certified ethical hacker.
Web application penetration testing was conducted according to the Black Box offender model, where our pentester had limited access to Customer’s application (a user account). ScienceSoft’s penetration testing methodology was based on OWASP TOP 10 threat classification. We screened for all the vulnerabilities from OWASP’s security risks check list, and payed special attention to those which are potentially severe for the Customer. These are Broken Authentication, Broken Access Control, Security Misconfiguration and the Use of Components with Known Vulnerabilities.
The one-week project was split up into three stages:
Pre-attack phase (Planning)
- Defining the intruder model (internal or external, enabled rights and privileges);
- Defining goals, source data, the scope of work and testing targets;
- Determining the scope of a target environment;
- Developing the testing methodology;
- Defining interaction and communication procedures.
Attack phase (Testing)
- Brute forcing of standard or default credentials.
- Manipulating input data (injections, overflows, protocol violations) to determine vulnerabilities and configuration errors.
- Utilizing compromised systems as a springboard for further intrusion.
Post-attack phase (Reporting)
- Performing result analysis and reporting;
- Providing a list of corrective measures to cover detected vulnerabilities.
The combination of automation for a detailed network scanning and manual techniques for vulnerability exploitation allowed ScienceSoft’s penetration tester to conduct a thorough check for security weaknesses in the Customer’s network. This was followed by a report which provided a comprehensive view on the system’s security state, specifying the security risks of primary importance for the Customer and relevant corrective measures.
Technologies and Tools
Metasploit, Wireshark, OpenVAS, Nessus, BurpSuite, W3af, custom scripts.