Learning has been transformed in recent years as universities develop online courses that open up learning to many more students and provide them with new ways to collaborate and interact. One of the big names in this field is Moodle, an open source e-learning platform used by institutions, businesses and almost 70 million users worldwide.
Our client, a major UK university, was about to launch an internal application, developed using Moodle, and wanted to be confident that the application, which had a range of user privileges, was hosting sensitive material in a secure manner and that data could not be stolen by attackers. Any security breach would have had a negative impact on the institution’s reputation.
Our penetration testing identified a number of issues that our client needed to address to tighten security. These related primarily to security misconfiguration and input validation. We found that the application was not using any protection mechanism against cross-site request forgery (CSRF), which lets an attacker who tricks a logged-in user into clicking a malicious link perform actions in that user's session. The application also suffered from a few input validation bugs, including persistent and reflected cross-site scripting (XSS) flaws. We also identified a few configuration and index files containing sensitive information that were publicly accessible on the server.
We updated our client immediately on any high-severity issues and helped to avert the security risk without delay. Our final report detailed all the issues we had identified and provided recommendations for resolving them. Remediating these issues allowed our client to make the application live, confident in the knowledge that users were protected and the university's reputation was secure.
Do you need to schedule an application security test to secure your data? Speak to one of our pen testers today or learn more about our penetration testing capabilities.
If you would like to develop your knowledge and skills in the latest penetration testing techniques, then find out about our range of ethical hacking training courses.