Telecom

Infrastructure Penetration Testing

Scope

A telecommunication company wanted to check the cybersecurity of its external network, and two /24 subnets were penetration tested. A black box penetration test was performed on the external network.

Findings

  1. Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability (cisco-sa-20180129-asa1)
  2. EOL/Obsolete Software: Apache HTTP Server 2.2.x
  3. SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
  4. Apache HTTP Server Prior to 2.4.25 Multiple Vulnerabilities
  5. Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability
  6. PHP Versions Prior to 5.2.12 Multiple Vulnerabilities
  7. SSL/TLS Server supports TLSv1.0
  8. HTTP TRACE / TRACK Methods Enabled

Time frame

  • 15 working days
  • 12 days network penetration
  • 3 days vulnerabilities & remediation report preparation

Steps performed

  • Layer 2/3 attacks
  • VLAN hopping
  • ARP cache poisoning
  • Switch weaknesses
  • IP redirections
  • Session hijacking & replay
  • Network hash passing
  • DHCP/DNS weaknesses
  • Various OS weaknesses
  • Advanced attacks
  • Protocol fuzzing
  • Cryptographic weaknesses
  • Buffer overflow
  • Zero-day


Education

Web Application Penetration Testing

Scope

The purpose of the test was to discover security vulnerabilities that could lead to intellectual and financial damage to the school and its clients. The test was performed in a Grey Box manner following the OWASP methodology and simulated a malicious user with partial knowledge of the system functionality. We tested the platform using three accounts with different access levels: a student account, a parent account and an admin account.

Conclusions

A successful penetration test was achieved, and High vulnerabilities were discovered in the web application at all three authentication levels; these have to be remediated immediately. The user account has a broken authentication mechanism: an attacker can view the functionality of the admin account and view higher-privilege users' information. The admin account can be hijacked because of the excessive session timeout, and it is possible to compromise a user account by brute-forcing it because of the missing account lockout policy.

Time frame

  • 10 working days
  • 7 days penetration of the web app
  • 3 days vulnerabilities & remediation report preparation

Steps performed

  • Information gathering
  • Configuration and deployment management testing
  • Identity management testing
  • Authentication and authorization testing
  • Session management testing
  • Input validation testing
  • Error handling
  • Cryptography
  • Business logic testing
  • Client side testing


Finance & Banking

Mobile Application Penetration Testing

Scope

The Android and iOS versions of a digital bank's mobile application were penetration tested. The test was performed in a Grey Box manner and simulated a malicious user with partial knowledge of the system functionality.

Conclusions

It was observed that there is no input validation in either the Android or the iOS version. Attacks based on this vulnerability could be performed against the application. However, even though proper input validation is not followed, no successful exploitation was achieved due to the MVC framework. In the iOS application it was observed that transaction data is stored in plain text in local storage. It was also discovered that application snapshots are enabled.

Time frame

  • 13 working days
  • 5 days penetration of Android version
  • 5 days penetration of iOS version
  • 3 days vulnerabilities & remediation report preparation

Steps performed

  • Architecture, design and threat modelling
  • Data storage and privacy
  • Cryptography verification
  • Authentication and session management
  • Network communication
  • Environmental interaction
  • Code quality and build settings
  • Resiliency against reverse engineering