The Case
The case we’re discussing here was with a client of ours. Their website, run in partnership with a credit bureau, was used to analyze and compare credit scores. Because of the amount of sensitive information involved, the client wanted to be sure the site was protected against vulnerabilities and possible attacks.
The Challenge
Our client required a complete evaluation of their system, network, and all related core components. The whole system was required to undergo detailed penetration and regression testing to detect and fix all the loopholes present in the infrastructure and application.
Tools We Used For The Study
To complete this process, we used the following tools:
- Apache HTTP Server
- Detectify
- Netscaler
- OnWebChange
- OWASP Zap
- Quttera
- Vega
- VeraCode Scan
- W3af
How We Solved The Situation
As per the requirement of the client, we started by evaluating the following elements of the website:
- Database
- DNS Server
- Firewalls
- Incoming Traffic
- Outgoing Traffic
- Source Code
We based our analysis on the most common techniques used by hackers, which are:
- Backdoor exploitation
- Brute Force Attacks
- Defacement
- Malware
- Misconfiguration
- Phishing
- SEO Spam
- Vulnerable Code
- Vulnerable Extensions/ Plugins
During the analysis, we found several instances of injected code that manipulated the web application's source code for the attacker's purposes, and we removed all of them.
Once that was done, we replaced the existing firewall with Citrix Netscaler AppFirewall, since it includes protection layers designed to defend applications against zero-day threats.
On the Apache HTTP Server, we disabled several commands such as “ping”, “telnet”, “FTP”, etc. The server's web-links firewall, which had been disabled, was turned on to monitor incoming and outgoing traffic.
The HTTP server was then checked and hardened for the following issues:
- Clickjacking
- Directory Listing Enabled
- Hidden Directory Detection
- Unmasked NPI data
- Weak SSL/TLS configuration
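The web-layer checks above can be scripted against a captured HTTP response. The following is an added example, not code from the original page or from TechForing: it audits one response (status, headers, body) for a missing framing policy (clickjacking), an Apache directory index, a reachable hidden directory, a missing HSTS header (the downgrade side of a weak TLS setup), and an SSN-shaped value as a constructed heuristic for unmasked NPI. The two sample responses and the list of "hidden" directory names are constructed for illustration.

```python
"""Offline audit of one HTTP response for the web-layer findings listed above.

Added example (not the page's or TechForing's code). `headers` maps header
names to a list of values, because headers such as Set-Cookie may repeat.
"""
import re

# Constructed list of directory names that should never answer with 200.
HIDDEN_DIRS = ("git", ".git", ".svn", ".env", "backup", "phpmyadmin")

def audit_response(status, headers, body, path="/"):
    """Return the list of finding descriptions for a single response."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # Clickjacking: require X-Frame-Options DENY/SAMEORIGIN or a CSP
    # frame-ancestors directive.
    xfo = [v.strip().upper() for v in h.get("x-frame-options", [])]
    csp = " ".join(h.get("content-security-policy", []))
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options / frame-ancestors policy")

    # Directory listing: Apache mod_autoindex emits this title when
    # Options +Indexes is active and no index file exists.
    if status == 200 and "<title>Index of " in body:
        findings.append(f"directory listing enabled at {path}")

    # Hidden directory detection: a 200 for a path that should be blocked.
    first_segment = path.strip("/").split("/")[0].lower()
    if status == 200 and first_segment in HIDDEN_DIRS:
        findings.append(f"hidden directory reachable: {path}")

    # Missing HSTS lets a browser be downgraded to plain HTTP on a later visit.
    if not h.get("strict-transport-security"):
        findings.append("no Strict-Transport-Security header")

    # Constructed heuristic for unmasked NPI: a US SSN pattern in the body.
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", body):
        findings.append("possible unmasked NPI (SSN-like value) in response body")
    return findings

# Constructed sample: the server before hardening.
WEAK_RESPONSE = dict(
    status=200,
    headers={"Server": ["Apache/2.4"], "Content-Type": ["text/html"]},
    body="<html><head><title>Index of /backup</title></head><body></body></html>",
    path="/backup/",
)

# Constructed sample: the same path after hardening.
HARDENED_RESPONSE = dict(
    status=403,
    headers={
        "X-Frame-Options": ["DENY"],
        "Content-Security-Policy": ["frame-ancestors 'none'"],
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    },
    body="<html><head><title>403 Forbidden</title></head><body></body></html>",
    path="/backup/",
)

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_response(**resp) or ["no findings"])
```

Feed it the status, header list and body from any HTTP client capture; the weak sample yields four findings and the hardened one none.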
After applying fixes to the web layer, we moved on to the application layer. Our vulnerability assessment of the application layer identified the following issues:
- Client-Side JavaScript Cookie Reference
- Cross-Site Scripting (XSS) Vulnerabilities
- CRLF Injection
- Email Spoofing
- HTTP-Only Cookie Attribute Not Set
- Invalid HTML Content
- SQL Injection
- Unencrypted Login Sessions
- Unrestricted File Upload
- Weak Password Policy
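Four of the application-layer findings above (SQL injection, CRLF injection, XSS, and a session cookie without HttpOnly) are shown here as a vulnerable function beside its hardened form. This is an added example and not code from the original page or from the client's application, whose language the page does not state; the in-memory user table and all inputs are constructed for illustration.

```python
"""Vulnerable vs. hardened handling for four of the findings listed above.

Added example, not the client's or the page's code. Uses only the standard
library; the users table is a constructed in-memory SQLite database.
"""
import html
import sqlite3
from http.cookies import SimpleCookie

def make_db():
    """Constructed sample table (a real application stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

# --- SQL injection -------------------------------------------------------
def login_vulnerable(conn, username, password):
    # String formatting lets user input rewrite the query itself.
    q = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(q).fetchone() is not None

def login_hardened(conn, username, password):
    # Bound parameters keep the input as data; it cannot alter the SQL.
    q = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(q, (username, password)).fetchone() is not None

# --- CRLF injection ------------------------------------------------------
def redirect_header_vulnerable(target):
    # Unchecked CR/LF in the value lets a caller append extra header lines.
    return f"Location: {target}\r\n"

def redirect_header_hardened(target):
    # Reject control characters before they reach the header block.
    if "\r" in target or "\n" in target:
        raise ValueError("control characters in header value")
    return f"Location: {target}\r\n"

# --- Cross-site scripting ------------------------------------------------
def greet_vulnerable(name):
    # Raw interpolation into HTML: markup in `name` is rendered as markup.
    return f"<p>Hello {name}</p>"

def greet_hardened(name):
    # Escape on output so the value is shown as text, never parsed as HTML.
    return f"<p>Hello {html.escape(name)}</p>"

# --- HttpOnly cookie attribute not set -----------------------------------
def session_cookie_vulnerable(session_id):
    # No flags: readable by page scripts and sent over plain HTTP.
    return f"session={session_id}"

def session_cookie_hardened(session_id):
    # HttpOnly hides the cookie from scripts, Secure binds it to HTTPS,
    # SameSite limits cross-site sending.
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    return c.output(header="").strip()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypass:", login_vulnerable(db, "alice", "' OR '1'='1"))
    print("hardened login bypass:", login_hardened(db, "alice", "' OR '1'='1"))
    print(greet_hardened("<b>x</b>"))
    print(session_cookie_hardened("abc123"))
```

The hardened versions are the fixes a report for these findings would recommend: parameterized queries, output encoding, header-value validation, and cookie flags set server-side.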
The complete evaluation was performed against the OWASP (Open Web Application Security Project) Top 10 common vulnerabilities.
We created a report that contained the test results, along with all the possible solutions, and provided the report to the client.
After fixing all the vulnerabilities and loopholes that were found, we used OWASP Zap, W3af, Vega, Quttera, and Detectify to re-scan the site and evaluate it further.
Later on, we set up OnWebChange to monitor the website for suspicious activity. The service can also send alerts by email, Pushover, or an HTTP callback.
After all the vulnerabilities were found and fixed, we ran another manual pen test as a finishing touch. The goal of the test was to evaluate the entire website from a security standpoint.
Once completed, we found a few more minor issues that we noted down in a second report along with other details, which we handed over to the client for the remedies to be applied immediately.
Conclusion
The client was highly satisfied with the efficiency of our vulnerability assessment services. Once the process was completed, the client's website was finally up to all the security standards, and safe from all sorts of potential threats and third-party cyberattacks.
TechForing Cybersecurity Vulnerability Assessment Service
Techforing provides a white-glove cybersecurity service that includes Cybersecurity Vulnerability Assessment and Penetration Testing services. It applies both to you personally and to the digital assets of your organization. Just e-mail us or contact us. You can also learn more from our other case studies.