Web Platform Pentesting and Data Breach Consulting for a Trading Services Provider
The Customer is a UK-based fintech company providing services worldwide. They offer sleek and easy-to-use mobile applications and web platforms to facilitate their clients’ financial trading experience.
The Customer puts much effort into ensuring their clients’ data security and maintaining compliance with financial security standards. Despite the solid security measures they had in place, they suffered a data breach caused by an attack on their main web platform.
After notifying the regulatory authorities of the incident, the Customer was obliged to mitigate the breach consequences and investigate how the attacker had broken the security of their web platform.
They needed to conduct comprehensive security testing of the platform within 14 days from the breach to be able to report the results to the regulatory authorities in time.
Recognizing ScienceSoft’s expertise in cybersecurity, the Customer reached out to our team to investigate the possible causes of the data breach.
To thoroughly explore the web platform’s security and report on the results within the established deadline, ScienceSoft’s security experts decided on the gray box method: they were given authorized access under one user role. The testers planned and performed penetration testing according to the OWASP Web Security Testing Guide methodology.
The testing showed that the security level of the web platform was high, as it didn’t contain any critical security gaps. However, ScienceSoft’s testers revealed several vulnerabilities of low severity and demonstrated how a skilled attacker could have exploited them to get hold of the Customer’s sensitive data. The discovered vulnerabilities included:
- Missing HTTP security headers that could protect the web application against clickjacking, cross-site scripting, and other common attacks.
- Insecure cross-origin resource sharing (CORS) configuration that could be exploited for cross-domain attacks.
- Password fields with the “autocomplete” feature enabled. With “autocomplete” enabled by default, an attacker who gained access to one of the Customer’s devices could easily retrieve the Customer’s credentials from the browser.
- Use of deprecated transport security protocols. TLS 1.0 and TLS 1.1 have known vulnerabilities that an attacker could exploit to perform man-in-the-middle attacks and observe the traffic between the web platform and its visitors.
To ensure all-around protection of the web platform and prevent any future data breaches, ScienceSoft provided a detailed guide to the necessary corrective measures, such as:
- Using HTTP security headers, such as X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Strict-Transport-Security.
- Disabling “autocomplete” for passwords and implementing multi-factor authentication.
- Configuring CORS correctly: specifying the allowed origins (trusted sites only) in the Access-Control-Allow-Origin header.
- Disabling TLS 1.0 and 1.1 and using secure versions instead.
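The four finding classes above (missing security headers, permissive CORS, password fields with autocomplete, and deprecated TLS) can be checked mechanically against a captured response and a TLS scan result. The script below is an added example, not code from ScienceSoft or the Customer's platform: it audits a response's headers and HTML body plus the list of TLS versions a server accepted, and reports each weakness the case study lists. The sample responses, origins and TLS lists are constructed for illustration. Besides the headers named in the recommendations, the checker also looks for Content-Security-Policy, since current browsers rely on it rather than the legacy X-XSS-Protection filter for XSS mitigation.

```python
"""Audit a captured HTTP response for the weaknesses the case study lists.

Added example. Inputs: response headers, the HTML body, the TLS versions the
server accepted during a scan (e.g. from testssl output), and the origins the
application trusts. Output: a list of (finding code, detail) tuples.
"""
import re
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str]  # (finding code, human-readable detail)

# Headers from the report's recommendations, plus Content-Security-Policy,
# which current browsers use for XSS mitigation (X-XSS-Protection is legacy).
REQUIRED_HEADERS = {
    "strict-transport-security": "forces HTTPS and blocks downgrade to plain HTTP",
    "x-frame-options": "blocks framing by other sites (clickjacking)",
    "x-content-type-options": "stops MIME-type sniffing",
    "x-xss-protection": "legacy browser XSS filter",
    "content-security-policy": "restricts script sources (XSS)",
}
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def audit_headers(headers: Dict[str, str]) -> List[Finding]:
    """Report each recommended header that is absent (header names are case-insensitive)."""
    present = {k.lower() for k in headers}
    return [("missing-header", f"{name}: {why}")
            for name, why in REQUIRED_HEADERS.items() if name not in present]


def audit_cors(headers: Dict[str, str], trusted_origins: Iterable[str]) -> List[Finding]:
    """Flag a wildcard or untrusted Access-Control-Allow-Origin value."""
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return []  # no CORS header: browsers block cross-origin reads
    if acao == "*":
        return [("cors", "Access-Control-Allow-Origin: * lets any site read responses")]
    if acao not in set(trusted_origins):
        detail = f"untrusted origin {acao} allowed"
        if creds:
            detail += " with credentials (authenticated cross-domain reads)"
        return [("cors", detail)]
    return []


def audit_password_fields(html: str) -> List[Finding]:
    """Flag every <input type="password"> that does not carry autocomplete="off"."""
    findings: List[Finding] = []
    for match in re.finditer(r"<input\b[^>]*>", html, re.IGNORECASE):
        tag = match.group(0)
        if not re.search(r'type\s*=\s*["\']?password', tag, re.IGNORECASE):
            continue
        if not re.search(r'autocomplete\s*=\s*["\']?off', tag, re.IGNORECASE):
            name = re.search(r'name\s*=\s*["\']?([\w-]+)', tag, re.IGNORECASE)
            field = name.group(1) if name else "<unnamed>"
            findings.append(("autocomplete", f"password field {field} allows autocomplete"))
    return findings


def audit_tls(accepted_versions: Iterable[str]) -> List[Finding]:
    """Flag deprecated protocol versions the server still negotiates."""
    bad = sorted(DEPRECATED_TLS & set(accepted_versions))
    return [("deprecated-tls", ", ".join(bad) + " accepted by the server")] if bad else []


def audit_response(headers: Dict[str, str], html: str, tls_versions: Iterable[str],
                   trusted_origins: Iterable[str]) -> List[Finding]:
    """Run all four checks and concatenate their findings."""
    return (audit_headers(headers) + audit_cors(headers, trusted_origins)
            + audit_password_fields(html) + audit_tls(tls_versions))


# Constructed samples: a response resembling the pre-fix platform and a hardened one.
TRUSTED_ORIGINS = {"https://app.example"}
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "https://other.example",  # echoed untrusted origin
    "Access-Control-Allow-Credentials": "true",
}
WEAK_HTML = '<form><input type="text" name="user"><input type="password" name="pwd"></form>'
WEAK_TLS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Access-Control-Allow-Origin": "https://app.example",
    "Vary": "Origin",
}
HARDENED_HTML = '<form><input type="password" name="pwd" autocomplete="off"></form>'
HARDENED_TLS = ["TLSv1.2", "TLSv1.3"]

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_HEADERS, WEAK_HTML, WEAK_TLS)),
                        ("hardened", (HARDENED_HEADERS, HARDENED_HTML, HARDENED_TLS))):
        print(f"== {label} ==")
        for code, detail in audit_response(*args, TRUSTED_ORIGINS):
            print(f"  [{code}] {detail}")
```

The CORS check treats any allowed origin outside the trusted set as a finding, which also catches servers that reflect the request's Origin header back, the pattern behind most exploitable CORS misconfigurations; pairing such an origin with Access-Control-Allow-Credentials: true is the case that exposes authenticated data.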
The pentesting project took 13 days from planning to delivering the final report. Additionally, ScienceSoft’s team helped the Customer communicate their breach investigation and mitigation efforts to the regulatory authorities.
The Customer got a clear picture of their web platform's security vulnerabilities and how they could be exploited to gain access to the sensitive data. The Customer also received actionable recommendations on protecting their web platform against future cyberattacks. With ScienceSoft’s help, the Customer proved their diligence in fulfilling the compliance requirements and mitigating the data breach, resulting in the regulatory authorities closing the case without further investigation or additional fines.
Technologies and Tools
Nessus, Qualys, Burp Suite, OWASP ZAP, cURL, testssl, DirB.