Overview
According to the CoreSecurity Penetration Testing Report, 69% of companies perform penetration tests to assess their security posture and 70% to support their vulnerability management programs. Penetration testing is essential because it executes a simulated attack to exploit system vulnerabilities that could have gone unnoticed otherwise. These vulnerabilities act as the weak spot, and they can give the attacker access to the entire system.
One of our clients offers a regulatory reporting platform product that allows leading organizations and companies to prepare and submit regulatory reports to the authorities. The platform automates the process of collecting, validating, and submitting the data to ensure compliance. Security issues are a critical concern and can adversely impact a company’s reputation if not managed effectively.
The client penetration testing on the regulatory reporting product revealed some security vulnerabilities that were concerning because they could impact the workflow and put the organizations’ data at risk of a security breach. Hence, to bridge all the gaps in the platform, our Client contacted DivIniSoft and gave the responsibility of analyzing, addressing, and remediating the identified vulnerabilities.
Challenges
The entire user experience depends upon the functionality of the mobile app, and mobile app testing plays an important role in confirming that. Testing cannot be compromised, as users expect seamless performance, especially in payment-related workflows. Any delay, failure, or inconsistency can directly impact user trust. As per a recent study, 70% of users abandon apps that take too long to load.
The mobile application our client built was for schools and the primary intent is to have an app for parents to view the student’s marks, fees, to make payments for school fees, and related activities. Regression testing was required because the mobile application underwent frequent updates while adding new features. Every new feature, configuration change, or bug fix had the potential to unintentionally affect existing workflows such as login, viewing the marks, checking the fees, payment processing, transaction confirmation, and error handling.
However, manual regression testing proved to be time and resource intensive. The manual app testing caused:
- Lengthy regression cycles
- Slower release timelines
- Had limited device coverage
- Increased risk of human error
- Reduced the ability to scale testing efforts
The solution to overcome all the problems was to automate mobile app testing completely. But, another problem was which automation tool/platform/framework should be used to automate mobile app testing?
Our Approach
The regulatory reporting platform product was developed in .NET, and once we understood the requirements and challenges, we were able to quickly onboard experienced and highly skilled Senior .NET engineers. We built a team of three Senior Engineers as part of our professional staffing services. We included the Client Development Team in the interview process and they were quite happy with the candidates and our engineers to handle the project. Once the client was satisfied with the engineers working on their product, we initiated the project with a structured plan to address the identified security issues.
As part of our plan, the team reviewed the security findings provided by the client, understood the issues, and tried to reproduce the findings in the Dev environment. Based on our understanding, we prepared a list of issues that hindered the product from performing at its best levels.
Our Solution
Here’s the list of vulnerabilities that were in the regulatory reporting product:
SQL Injection
SQL Injection is a commonly used vector in which attackers insert malicious code into the input fields and gain unauthorized access to valuable records. This vulnerability was identified in the product where unsanitized user inputs could be manipulated to execute malicious SQL queries.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery, or CSRF, is a type of attack in which unauthenticated users are forced to perform unwanted actions by using social engineering tricks, like sending a link through email or text. With this attack, the user acts on the attacker’s wish. If the victim is a normal user with basic access control, then the attackers can force the user to execute state-changing requests, like transferring funds. If the victim has administrative access, a successful CSRF attack can jeopardize the entire application.
Cross-Site Scripting
Cross-site scripting attacks are a type of injection in which malicious scripts are injected into trusted websites. The attackers use a web application to send malicious code in the form of a browser-side script to an unsuspecting user. This way, the end user’s browser executes the malicious script, considering it is coming from a trusted source, and the malicious script can access the cookies, session tokens, and other sensitive information.
Broken Access Control
The regulatory reporting product had broken the access control system, which is established to control access or authority over information or functionality. The broken access control allows attackers to bypass authorization and give the highest level of access or authority, like the administrators. For instance, a user can change the account they are logged in simply by changing the URL without getting verified.
Unrestricted File Upload
In the regulatory reporting product, the file uploading option plays a crucial role in submitting and managing data related to compliance, reporting, and analysis purposes. However, currently, the platform’s file upload functionality doesn’t enforce adequate validation or restrictions, permitting potentially malicious files to be uploaded. This can lead to server compromise or unauthorized code execution, affecting the workflow. This functionality also lacked an anti-virus check, meaning the platform didn’t scan the uploaded files for malicious content. It increases the risk of malware being introduced into the system.
Missing Rate Limit in Some of the Flows
In some of the application workflows, the rate-limiting mechanisms were missing. Rate limiting is a strategy that caps how often a user can perform a particular action. Since this mechanism was missing, it exposed the platform to brute force attacks, DoS and DDoS attacks, web scraping, or automated attacks, like credential stuffing or enumeration attacks.
User Enumeration and Email Flooding in Forgot Password Flow
The Forget Password functionality had two issues. First, it allowed user enumeration, and the platform displayed that the entered username was valid. Now, if attackers know that the username is correct, they can compromise the associated accounts through credential stuffing or guessing. Also, attackers can sell the list of collected valid usernames to a third party or use it for social engineering attacks.
Email Flooding in OTP flow
The second issue was email flooding, as there was no limit on the number of OTP email requests that could be sent. This can flood the user’s email with unnecessary requests. Also, the attacker can use this as an opportunity to execute the DDoS attack by automating the OTP process.
Cookies Misconfiguration
Web cookies can become a key attack vector for malicious users, and applications should protect them. Cookies are used for different reasons, like session management, personalization, and tracking, and there are security attributes developed to lock down the cookies and limit their attacking surface. However, in the regulatory reporting platform, the cookies were improperly configured which increased the risk of session hijacking, data theft, or cross-site request forgery.
Sessions Don’t Expire After Logout
A significant issue with the platform that came up in the penetration testing was that the sessions remained active even after the user logged out. This is a security vulnerability as it allows the attacker to access the account data if the malicious actor has obtained the session token. This can lead to attacks like identity theft or fraud.
Information Disclosure in Server Header
A server header mentions details about the server application that handles the request. It can reveal sensitive information, like software versions and technologies in use, which can expose the servers to attackers. Using this information, attackers can easily find vulnerabilities and exploit the system.
Strict Transport Security Not Enforced
This HTTP Strict-Transport-Security response header informs the browser that the application can be accessed only using HTTPS. If it is accessed using HTTP, it should be automatically converted to HTTPS. However, the application doesn’t enforce HTTPS Strict Transport Security (HSTS), which makes it vulnerable to man-in-the-middle attacks by allowing connections over non-secure HTTP.
Vulnerable Versions of Dependent Libraries Being Used
Upon thorough checking, it was identified that the application was using outdated versions of third-party libraries and dependencies, making it vulnerable to potential attacks. These libraries may have publicly exposed vulnerabilities that attackers can exploit to compromise the system. This increases the risk of attacks, such as remote code execution, unauthorized access, and data breaches.
Our Solution
We believe that the product’s performance is directly proportional to the user experience, and the better the performance, the better the user experience. To improve the application’s functionality and security, our team of senior engineers understood the vulnerabilities and pinpointed the root cause of the application’s vulnerability to potential attacks.
For instance, SQL injection occurs due to the lack of proper input validation and parameterized queries in the backend code. CSRF could happen because the application fails to distinguish between valid and forged requests. It is also due to the absence of anti-CSRF tokens in sensitive form submission or API requests and the failure to restrict cross-origin requests via proper SameSite cookie configuration.
So, our team worked on revamping the application’s structure and bridged the issues by implementing the OWASP guidelines and best practices, like:
- Implementing secured authentication mechanisms
- Improving file upload security
- Introducing rate limitation and abuse prevention
- Implemented input and output encoding
- Embedded CSRF tokens across all sensitive transactions
- Updated the libraries and dependencies to their latest versions
- Concealed sensitive information in server headers and enforced HSTS protocol
- Deployed advanced monitoring tools to detect unusual activity patterns
Within two months, our team resolved all the security issues identified in the penetration testing results. Then, the team pushed the fixes to the UAT environment, and we worked with a third-party penetration testing vendor to test the application, validate the fixes, and ensure that all the issues were resolved.
Tech Stack
Appium, JavaScript, BrowserStack, Azure DevOps
Conclusion
The third-party pentest vendor confirmed that all security issues were fixed, and the client was able to deliver their regulatory reporting product as per the decided timeline. Impressed by our team’s agility and efficiency, the client moved this team to one of their core development areas for a multi-year agreement.