Discover What Makes Us the Best
Check out our case studies to find out the change we can bring to your organisation.
Clients are not named for security reasons.
The client built a user-friendly tool, well designed to create surveys on the fly for mobile and web with the necessary logic and validations. It is a seamless data collection tool: it pushes surveys to field enumerators for offline data collection, or sends them out by email with a unique tracking code.
The tool handles PII data collection and includes a location tracking system, so all of the critical data is stored in the applications. Any cyber-attack could therefore lead to data exfiltration, damaging the company's reputation and causing economic loss.
Security assessment of the mobile application helped identify critical vulnerabilities: insecure authentication and authorization, insufficient cryptography, SQL injection and insecure storage, through which an attacker could gain access to all critical data, which could then be sold on the dark web. We performed VAPT so that this type of vulnerability can be avoided.
We also bypassed the OTP and were able to log in to the application and retrieve all the relevant information. We also carried out web application VAPT based on the OWASP Top 10 and SANS 25 and found cross-site scripting, a web security vulnerability that allows an attacker to compromise the user, and malicious file upload, through which we uploaded a malicious file to the application, enabling data exfiltration and lateral entry.
Apart from assessing the vulnerabilities, we also provided recommendations and hand-held the developers through mitigating them, after which we performed another round of VAPT to make sure all the previously identified vulnerabilities had been mitigated.
Following our suggestions, the identified vulnerabilities were mitigated; the applications are currently secure and there is no threat of data loss.
A US-based orthobiologics company dedicated to improving patient quality of life by using the science of human biology to advance solutions for spine, orthopaedics and sports medicine.
We found an issue in the web application relating to email hacking: an insecure Forgot/Reset Password module. An attacker on the internet uses the reset-password link and enters an unregistered email ID. He receives the link in his email, changes the email address value in it to a registered email ID and submits the URL. He is then shown the registered email address in the 'Username' field and can change the password of another application user, compromising that account.
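The reset-password flaw described above comes from identifying the account by an email value carried in the link rather than by a server-side record. The following is an added example, not code from the case study or the client, showing that vulnerable pattern beside a hardened version in which the token is random, time-limited, single-use and bound to the registered account, so any email parameter in the request is simply ignored. The host name, user store and email addresses are constructed for the example.

```python
# Added example (not the case study's code): a Forgot/Reset Password module that
# trusts a client-supplied email in the reset URL, beside a hardened version that
# binds the reset token to the account on the server. User data is constructed.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

RESET_TTL_SECONDS = 900


def parse_params(url):
    """Return the query parameters of a reset link as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# --- Vulnerable pattern described in the case study --------------------------
def vulnerable_request_reset(store, email):
    """Issues a token for ANY email and lets the link carry the email itself."""
    token = secrets.token_urlsafe(32)
    store[token] = time.time() + RESET_TTL_SECONDS  # token -> expiry only
    return f"https://app.example.test/reset?token={token}&email={email}"


def vulnerable_reset_password(store, users, params, new_password):
    """Trusts the email in the URL, so editing it retargets the reset."""
    if store.get(params.get("token"), 0) < time.time():
        return False
    email = params.get("email")  # attacker-controlled value
    if email not in users:
        return False
    users[email] = "hash-of-" + new_password
    return True


# --- Hardened pattern --------------------------------------------------------
def hardened_request_reset(store, users, email):
    """Mints a token only for a registered account and binds it to that account.
    The caller shows the same 'check your inbox' message in both cases, so the
    response does not reveal whether the address is registered."""
    if email not in users:
        return None  # nothing minted, nothing leaked
    token = secrets.token_urlsafe(32)
    store[token] = {"email": email, "exp": time.time() + RESET_TTL_SECONDS, "used": False}
    return f"https://app.example.test/reset?token={token}"  # sent only to `email`


def hardened_reset_password(store, users, params, new_password):
    """Identifies the account from the server-side record only; any email
    parameter in the request is ignored. The token is single-use and expires."""
    supplied = params.get("token", "")
    # constant-time comparison against each stored token avoids a timing oracle
    match = next((t for t in store if hmac.compare_digest(t, supplied)), None)
    if match is None:
        return False
    rec = store[match]
    if rec["used"] or rec["exp"] < time.time():
        return False
    rec["used"] = True
    users[rec["email"]] = "hash-of-" + new_password
    return True


if __name__ == "__main__":
    users = {"victim@example.test": "hash-of-original"}  # constructed account
    store = {}
    link = hardened_request_reset(store, users, "victim@example.test")
    params = parse_params(link)
    params["email"] = "someone-else@example.test"  # the swap from the finding
    print("hardened flow: email parameter ignored, reset applied to token owner:",
          hardened_reset_password(store, users, params, "new-password"))
```

The important property of the hardened flow is that nothing the client sends other than the opaque token influences which account is changed; the token itself is only ever delivered to the address already on file.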
In the application we also found malicious file upload, cross-site scripting, XML injection, Insecure Direct Object Reference (IDOR), open redirection and vulnerable versions of components, through which malicious users could exfiltrate data.
Public IP scanning and enumeration were performed and multiple observations were found.
We shared recommendations along with the observations. The client fixed all the observations and no hacking has been detected to date. One of the biggest issues that corporations and businesses face today is discovering whether the money being spent on security technologies is being used wisely. After such an exercise, the organisation has a much better idea of whether it is getting a positive ROI on its current security technology investment.
One of the leading research and advisory firms operating in the CSR and development sector in the South Asian region, working with corporates, NGOs and governments and collecting data through a mobile application.
We carried out VAPT of the mobile application and found multiple critical observations:
- SSL pinning bypass: no certificate checking, so an attacker can easily intercept the application's communication traffic.
- Insecure permissions.
- Read/write external storage: the application is allowed to read from and write to external storage.
- Insecure data storage, and untrusted user input used in raw SQL queries, which causes SQL injection.
- Insufficient cryptography: this vulnerability results in the unauthorised retrieval of sensitive information from the mobile device.
- Clear-text credentials: the user's credentials are transmitted in clear text, where malicious users can capture them and use them to perform malicious activities.
- Brute force attack: user credentials can be compromised with a dictionary attack.
We identified the organisation's attack surface and found that the web application was also exposed to the outside world, so VAPT was performed on it based on the OWASP Top 10 and SANS 25.
Below are the major observations found:
- Credentials transmitted in the URL: any user's credentials could be compromised. The credentials are sent in clear text, where malicious users can capture them and use them to perform malicious activities.
- Unrestricted file upload: the application allows all types of file content in the upload section, which can be exploited for malicious activities.
- Host header injection: the application's Host header is not properly validated, so a malicious user can insert a malicious web URL in place of the original one, and users would be redirected to the malicious application.
- Vulnerable versions of components: any attacker can target these known vulnerabilities.
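The host header finding above arises when an application copies the incoming Host value into links it generates (redirects, password-reset emails). As an added example, not code from the case study or the client, the following validates the Host header against an allow-list and falls back to a canonical host otherwise, alongside the unsafe pattern for contrast. The host names and requests are constructed.

```python
# Added example (not the case study's code): validating the HTTP Host header
# against an allow-list before using it to build absolute URLs (redirects,
# password-reset links). Host names and request headers here are constructed.
ALLOWED_HOSTS = {"app.example.test", "www.example.test"}
CANONICAL_HOST = "app.example.test"


def validated_host(headers, allowed=ALLOWED_HOSTS, fallback=CANONICAL_HOST):
    """Return a host name that is safe to embed in generated URLs.

    Reads only the Host header (X-Forwarded-Host should be trusted only when a
    known reverse proxy sets it), strips the port, lower-cases the name and
    checks it against the allow-list. Anything else falls back to the canonical
    host instead of echoing the attacker-supplied value.
    """
    raw = headers.get("Host", "").strip()
    if raw.startswith("["):                      # bracketed IPv6 literal
        host = raw[: raw.find("]") + 1].lower()
    else:
        host = raw.split(":", 1)[0].lower()      # 'Evil.test:8080' -> 'evil.test'
    return host if host in allowed else fallback


def build_absolute_url(headers, path):
    """Build an absolute URL from a validated host, never from the raw header."""
    return f"https://{validated_host(headers)}{path}"


def vulnerable_build_absolute_url(headers, path):
    """The pattern behind the finding: Host is copied straight into the link."""
    return f"https://{headers.get('Host', '')}{path}"


if __name__ == "__main__":
    spoofed = {"Host": "evil.test"}  # constructed request header
    print("unsafe:", vulnerable_build_absolute_url(spoofed, "/reset?token=abc"))
    print("safe:  ", build_absolute_url(spoofed, "/reset?token=abc"))
```

Frameworks usually expose this allow-list as a setting (for example an allowed-hosts list); the point is that every code path that emits an absolute URL must go through the validated value, including email templates that are rendered outside the request handler.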
A student education financing platform offering private study loans to learners pursuing education at partner institutions, with customised loan products through a fully digital loan process. They collect both PII and financial information, which is highly critical.
We carried out VAPT of the application and API and found critical observations that pose a major threat to the organisation and could cause both financial and reputational loss.
As per our process, we started with reconnaissance and scanning, then enumeration and exploitation. After enumeration we carried out vulnerability research.
- We bypassed authentication and logged in to the application; this is critical, since any malicious user could access the data in the application.
- No input validation: a malicious user can insert a malicious script, which could lead to XSS or other malicious activities.
- We also identified SQL injection, through which we obtained complete database details.
- The application allows all types of file content in the upload section, which can be exploited for malicious activities.
We conducted API security scanning based on the OWASP API Security assessment. Critical observations with high data impact were identified:
- Access token disclosure: an attacker can use any API module with only the access token.
- Access token expiration: access tokens never expire, so any malicious user who obtains one can easily access the API applications.
- Unencrypted clear-text communication: all request and response traffic is transmitted unencrypted and can be sniffed by an attacker.
- Rate limiting: no rate limiting is implemented for multiple API requests.
- OTP bypass (random OTP): a malicious user can use a random OTP and retrieve information related to accounts in UAT.
- IDOR (Insecure Direct Object Reference): the URL is modified at the client's end by tweaking parameters in the HTTP request. HTTP verbs GET and POST are typically vulnerable to URL-tampering IDOR attacks.
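Three of the API observations above (non-expiring access tokens, missing rate limiting and IDOR) are all absences of a server-side check. The following is an added example, not code from the case study or the client, of a small request guard that applies those checks in order: a sliding-window rate limit per client, token expiry, and object-level authorization that answers "not found" for both missing and foreign records so that record IDs cannot be enumerated. Token values, user IDs and records are constructed; the clock is injectable so the behaviour can be exercised without waiting.

```python
# Added example (not the case study's code): a request guard illustrating
# access-token expiry, per-client rate limiting and object-level authorization
# (the check whose absence produces IDOR). All tokens, users and records below
# are constructed for the example.
import time
from collections import deque

TOKEN_TTL_SECONDS = 900
RATE_LIMIT = 5              # requests allowed per window per client
RATE_WINDOW_SECONDS = 60


class ApiGuard:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock
        self.tokens = {}        # token string -> {"sub": user_id, "exp": epoch}
        self.hits = {}          # client key -> deque of request timestamps
        self.records = {}       # record id -> {"owner": user_id, "data": ...}

    def issue_token(self, token, user_id):
        """Every token carries an expiry; nothing is issued open-ended."""
        self.tokens[token] = {"sub": user_id, "exp": self.now() + TOKEN_TTL_SECONDS}

    def authenticate(self, token):
        """Return (user_id, None) for a live token, else (None, reason)."""
        rec = self.tokens.get(token)
        if rec is None:
            return None, "invalid_token"
        if rec["exp"] <= self.now():
            self.tokens.pop(token, None)   # expired tokens are discarded
            return None, "expired_token"
        return rec["sub"], None

    def within_rate_limit(self, client_key):
        """Sliding window: drop timestamps older than the window, then count."""
        q = self.hits.setdefault(client_key, deque())
        cutoff = self.now() - RATE_WINDOW_SECONDS
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return False
        q.append(self.now())
        return True

    def get_record(self, token, client_key, record_id):
        """Return (status, payload). Rate-limit first so an unauthenticated
        flood cannot burn token lookups; then authenticate; then confirm the
        caller owns the requested object before returning it."""
        if not self.within_rate_limit(client_key):
            return "rate_limited", None
        user_id, err = self.authenticate(token)
        if err:
            return err, None
        rec = self.records.get(record_id)
        if rec is None or rec["owner"] != user_id:
            # same answer for 'missing' and 'not yours': no object enumeration
            return "not_found", None
        return "ok", rec["data"]


if __name__ == "__main__":
    guard = ApiGuard()
    guard.issue_token("tok-A", "user-A")                      # constructed token
    guard.records["loan-1"] = {"owner": "user-A", "data": "A's loan"}
    guard.records["loan-2"] = {"owner": "user-B", "data": "B's loan"}
    print(guard.get_record("tok-A", "client-A", "loan-1"))   # ('ok', "A's loan")
    print(guard.get_record("tok-A", "client-A", "loan-2"))   # ('not_found', None)
```

The ownership comparison in `get_record` is the control that turns a client-tweakable record ID into a harmless parameter; the rate limiter and expiry bound how long and how fast a leaked token remains useful.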
A US client involved in various healthcare-related activities, with no cyber security framework, policy or process defined.
Cyber security threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the nation's security, economy, and public safety and health at risk. They can drive up costs and affect revenue. Without policies, controls and a framework it is not possible to maintain a proper cyber security posture for an organisation.
We developed a framework which includes:
- Establishment of a cyber security framework based on NIST.
- Analysis of the control points required to establish the framework as per the organisation's structure.
- Gap analysis and risk assessment from the present tier to the target tier.
- Framework mapping and alignment with HIPAA.
- Preparation of a risk register and risk treatment plan.
- Consulting for data classification and data privacy.
- Preparation of mandatory policies, processes and guidelines.