Our client, an IT services provider, was preparing to use a security monitoring application to monitor the business’s resources for network and security issues. Before the company made the application and its associated Application Programming Interface (API) live, it wanted to be sure the application was free from common vulnerabilities and compliant with security best practices.
We conducted tests on the application from both an authenticated and an unauthenticated user’s point of view and found the application fell short of security best practices. The major threat to the application was that the Apache web server software was running with root privileges. As a result, we were able to retrieve sensitive configuration and system files. We also found that the application was using an outdated version of the CKEditor plug-in, which is vulnerable to remote code execution.
There were other issues too. We found that access controls were weak and allowed low-level users to escalate their privileges and perform functions on behalf of administrators. We also discovered that the application reused passwords, which made it possible for us to retrieve the passwords for some users and services. By abusing the API calls, we were also able to extract password hashes from the database, and this revealed that the application stored credentials as simple (and vulnerable) unsalted MD5 hashes. There were further issues related to input validation, cookie management and sensitive information disclosure, all of which represented critical vulnerabilities an attacker could exploit.
We kept our client informed about vulnerabilities as they were found during the assessment, allowing the technical team to ensure that business-critical systems were properly safeguarded. We provided full details on the other high-, medium- and low-risk issues along with platform-specific recommendations for fixing them. Our work gave our client a clear understanding of how to patch all the issues before making the application live.
If your business requires a vulnerability assessment, speak to one of our penetration testers today or read more about our technical security and penetration testing capabilities.
If you would like to develop your own knowledge and skills in the latest information security testing techniques, then find out about our range of expert-led cyber security training courses.