
This case study on penetration testing is about one of our clients who had an authentication engine. The engine provided authentication based on various built-in and third-party libraries, as well as SOAP and RESTful web services. Because of the criticality of this engine and the multiple APIs in use, we had to carry out module-based penetration testing.

Penetration testing helps to evaluate security flaws in systems, infrastructures, and applications which can open doorways to malicious users or hackers. Irrespective of business domain and requirement, every organization should secure its systems by doing regressive penetration testing.

Tools & Technology - PENETRATION TESTING

We used the following tools and technologies to complete the process:

  • Nessus
  • Maltego
  • Skipfish
  • BurpSuite
  • John the Ripper
  • Cain & Abel tool
  • Restful and SOAP web service
  • Kali Linux

Solution

Before starting the actual penetration testing, we identified the system core components and designed a test plan along with the number of test scenarios we could produce. This included network, infrastructural evaluation, and application-level penetration testing. We used multiple tools to complete the evaluation.

We used Nessus to test on Linux machines; it is extremely useful in packet sniffing and injecting. Our network engineers and security experts worked together to carry out this testing. For testing web-based applications and SOAP web services, we used Maltego, Skipfish, and BurpSuite. This sophisticated testing suite provides an intercepting proxy, modification of web requests, content crawling, application scanning, etc. We mainly used these tools for application-level testing and to check how the application would respond if a malicious user intercepted an HTTP request.

We evaluated whether each authentication mechanism in the authentication engine had at least two-factor authentication. This included features such as captcha, security questions, and/or Site key, with strong and up-to-date encryption algorithms like AES256 and keys that change at regular intervals.

For hashing, we recommended using SHA256 instead of MD5, since MD5 has known weaknesses. For SSL, we ensured that certificates were signed only by trusted certificate authorities. To test password encryption on Windows-based systems, we used the Cain & Abel tool. This tool allows the cracking of encrypted passwords using various techniques, such as network sniffing, brute force, dictionary, cryptanalysis, routing protocol analysis, cache uncovering, etc. For Linux-based systems, we used John the Ripper.

Our penetration testing produced a detailed report of infrastructural and application-level changes, categorizing findings as critical, high, medium, and low risk. Some issues found were:

  • Insecure HTTP methods enabled
  • Password changes did not require the current password
  • Weak password policy
  • Weak TLS configuration
  • Secure Cookie Attribute not set
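
A retest for two of the findings above (insecure HTTP methods enabled, Secure cookie attribute not set) can be automated by auditing response headers. The following is an added example, not code from the engagement; the function name, the list of methods treated as risky, and the sample response are assumptions constructed for illustration.

```python
from email.parser import Parser  # stdlib header parser, also used by http.client

# Assumed policy: methods a login API should not advertise (adjust per application).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}

def audit_headers(raw_headers: str) -> list[str]:
    """Return findings for a block of HTTP response headers (status line removed)."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    findings = []

    # Finding: insecure HTTP methods enabled, as advertised in Allow (OPTIONS reply).
    allowed = set()
    for value in msg.get_all("Allow", []):
        allowed |= {m.strip().upper() for m in value.split(",") if m.strip()}
    for method in sorted(allowed & RISKY_METHODS):
        findings.append(f"method-enabled:{method}")

    # Finding: Secure attribute not set. A response may carry several Set-Cookie
    # headers, and attribute names are case-insensitive.
    for cookie in msg.get_all("Set-Cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{name}")
    return findings

# Constructed sample: OPTIONS reply from a hypothetical login endpoint.
SAMPLE = (
    "Allow: GET, POST, OPTIONS, TRACE, PUT\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=xyz; Path=/; Secure; SameSite=Strict\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```
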

Result

Based on our comprehensive testing, the client made the required changes to their infrastructure and applications. We guided them throughout the process to implement these solutions and ensured there was no impact on existing functionalities.

Our security experts exposed various scenarios and completed detailed penetration testing of each module and functionality. We helped the client undergo re-penetration testing to ensure their systems were secure, and the tests were passed successfully.

Conclusion

Any business, no matter how large or small, should undertake penetration testing if the business deals with sensitive or valuable customer information. Recent statistics have shown that smaller companies are increasingly becoming targets for cybercriminals simply because their IT security is weaker.

Building and maintaining cybersecurity is not a one-time thing but a continuous process. Frameworks should be observed ceaselessly through surveillance technologies to discover any security loopholes. Risk assessments and incident response plans should be kept up to date through continuous risk and vulnerability assessments. IT infrastructure and related software or applications should be updated and upgraded regularly, as updated versions frequently address the weaknesses present in the existing applications.

 
