Key Challenges
Our client offers a web application whose purpose is to help taxpayers and intermediaries comply with their DAC6 (Luxembourgian tax law) reporting obligations.
Having developed new functionalities, the client asked us to perform a web application penetration test to identify any vulnerability or security flaw in the application before releasing them into production.
Our Approach
The web application penetration testing was conducted entirely manually with a grey box approach. We were given three types of accounts with different permissions (administrator, manager, and user). The objective was to identify any kind of vulnerability with those accounts.
Our experts followed the OWASP Top 10 as it identifies the most critical web application security weaknesses, and therefore provides guidelines on what to test and how it should be tested.
We followed the standard penetration testing methodology split in 5 phases as cited below:
1. Reconnaissance
The domain name was provided by the client.
- IP addresses
- Domain name
- Technologies
- Versions
2. Mapping
We made an inventory of the actions that can be done on the application with the different accounts given by the client.
- Functionalities
- Services
- Relation between components
3. Discovery
- Vulnerabilities
- Security misconfigurations
- Security flaws
4. Exploitation
- Of the vulnerabilities
- Misconfigurations
5. Post exploitation
- Information
- Password
- Confidential data
- Removing traces
Over the duration of the penetration testing we maintained a communication in real time between us and the client to make sure that the vulnerabilities we identified were effectively impacting the application. Also, in the event of a critical vulnerability being discovered, the client would have been alerted instantly to perform an almost instant remediation.
Benefits
Our penetration testers worked on the web application for 8 days and were able to quickly identify multiple security flaws, some of them listed in the OWASP Top 10. Two main vulnerability types were identified:
- Broken Access Control
Broken Access Control happens when a user is able to access some resource or perform some action that he/she is not supposed to be able to access.
- Security Misconfigurations
Security misconfigurations are defined by security settings not being properly set during the configuration process or deployment (use of default passwords, deprecated protocols and encryption, error messages revealing sensitive information, etc.).
The flaws were documented in a technical report containing general and specific recommendations on corrective actions on all the vulnerabilities that they discovered. Recommendations included: adding controls in the application backend to limit actions to authorized users according to business requirements and optimizing security headers to ensure that best practices were followed.
A restitution call was organized during which the penetration tester presented the conclusions of the report to the client. He answered his questions to guide him in the mitigation of the discovered vulnerabilities.
The client was made aware that its application had some security flaws that could quickly be patched thanks to the penetration test. Moreover, with general security recommendations, the client was able to improve even more the security of its platform. Our experts put a stamp of trust on the product and its new features which will consequently allow the client to add value to its application licenses when selling them in the future.