Vulnerability Assessment
Why should you care about security?
One of our clients operated a website that, through a partnership with a credit bureau, was used to analyze and compare credit scores. Because of the highly sensitive information involved, the client wanted to ensure the website was free of compromise and to remove any existing vulnerabilities.
The client required a complete evaluation of their system, including the network and other core components. The system was to undergo detailed penetration and regression testing to uncover weaknesses in the infrastructure and the application.
- Veracode scan
- OWASP ZAP
- Apache HTTP Server (httpd)
Based on the client's requirements, we began by evaluating the website's incoming and outgoing traffic, source code, and database, along with the DNS server and firewalls. Our analysis covered commonly occurring attack techniques such as backdoors, phishing, SEO spam, malware, misconfiguration, vulnerable code, vulnerable plugins/extensions, brute-force attacks, defacement, etc.
We manually reviewed all of the source code, identified all of the injected code in the web application, and removed it completely.
We also replaced the existing firewall with Citrix NetScaler AppFirewall, which has built-in protection against application-layer attacks and zero-day threats. On the web server (Apache httpd) we disabled commands such as ping, telnet, ftp, etc. The web-links firewall was also disabled so that incoming and outgoing traffic could be monitored. The httpd server was reviewed and hardened against issues such as:
- Unmasked NPI (nonpublic personal information) data
- Weak SSL/TLS configuration
- Discoverable hidden directories and directory listing enabled
Once the web layer was fixed, we moved on to evaluating the application layer. We carried out a complete static code scan to look for vulnerabilities such as:
- Unrestricted file upload
- HttpOnly cookie attribute not set
- Weak password policy
- Cross-site scripting (XSS)
- CRLF injection
- SQL injection
- Unencrypted login sessions
- Email spoofing
- Invalid HTML content
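The httpd hardening items above (weak SSL/TLS configuration, directory listing, discoverable hidden directories) and the missing HttpOnly cookie attribute from the application-layer findings can all be addressed at the web server. The following is an added illustration of the weak settings beside their hardened equivalents; it is not the client's actual configuration, assumes httpd 2.4 with mod_ssl and mod_headers, and uses placeholder hostnames and certificate paths.

```apache
# Added illustration, not the client's configuration. Apache does not allow
# trailing comments on directive lines, so every comment sits on its own line.

# --- Weak settings corresponding to the findings above (kept commented out) ---
# ServerTokens Full        leaks the httpd version and loaded modules
# ServerSignature On       version string on error pages
# SSLProtocol all          still accepts SSLv3, TLS 1.0 and TLS 1.1
# SSLCipherSuite DEFAULT   accepts weak cipher suites
# <Directory "/var/www/html">
#     Options Indexes FollowSymLinks     directory listing enabled
# </Directory>

# --- Hardened equivalent ---
ServerTokens Prod
ServerSignature Off
TraceEnable Off

<VirtualHost *:443>
    # placeholder hostname and certificate paths
    ServerName www.example.com
    DocumentRoot "/var/www/html"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/example.crt"
    SSLCertificateKeyFile "/etc/ssl/private/example.key"
    # only TLS 1.2+ with forward-secret AEAD suites, server order enforced
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on

    <Directory "/var/www/html">
        # no directory listing; ignore stray .htaccess overrides
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # refuse requests for hidden directories such as .git or .svn
    <DirectoryMatch "/\.">
        Require all denied
    </DirectoryMatch>

    # HSTS, plus HttpOnly/Secure on any cookie the application did not flag;
    # the lookahead avoids duplicating a flag that is already present.
    # This is a stopgap until the application sets the flags itself.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)*)$" "$1; HttpOnly"
    Header edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)*)$" "$1; Secure"
</VirtualHost>
```

Run `apachectl configtest` after applying changes, then confirm with a TLS scanner and by inspecting the `Set-Cookie` headers in a real response.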
These findings were evaluated against the OWASP Top 10 and other common vulnerability classes. Based on the results, a detailed report with recommended fixes was provided to the client. Once the client had fixed these vulnerabilities, we used tools such as OWASP ZAP, w3af, Vega, Quttera, and Detectify to scan for and evaluate any further vulnerabilities.
We set up monitoring of the website with OnWebChange to detect any suspicious changes to it; this also provided alert options such as email, Pushover, or an HTTP callback.
Once the vulnerabilities had been identified and fixed, we also carried out a manual penetration test to evaluate the website from a security standpoint. We again shared a detailed report with the client, along with the recommended solutions to be implemented.
The key focus was on evaluating the vulnerabilities and adjusting the infrastructure to make it more secure. The client was extremely satisfied with the overall evaluation and the implementation of the solutions. Our qualified experts guided the client through fixing each issue, and where an issue was difficult to fix, we provided alternative options. Our methodical approach gave the client great confidence in our services.