HR applications hold a great deal of sensitive information about employees, so their security needs to be strong. For this reason, our client asked us to conduct a penetration test on its HR web application as part of an annual security assessment. The brief: to check that the application was free from common vulnerabilities and compliant with security best practices.
Our web application assessment tested the application under several user roles (unauthenticated, low-privileged, normal user and system administrator) within a staging environment. As a result, we were able to confirm that the majority of important issues reported in earlier tests had been successfully resolved. However, continuous changes in the application had introduced some new or repeated security pitfalls, which needed to be fixed.
The most important issue we identified allowed unauthorised access to information and escalation of privileges, which would let users reach data and functionality outside their normal permissions. We also found that the application returned clear-text passwords to the user on failed login attempts. An attacker could take advantage of this to retrieve valid credentials for a specific user.
We identified a couple of issues related to session management: the application did not assign a new session ID to the user following authentication, and it transmitted the session ID in the URL. Both issues made the application vulnerable to session-fixation attacks. Finally, we found that the application did not provide any brute-force protection on the login pages, which is needed to stop attackers from guessing passwords.
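The following is an added illustration, not code from the client's application or from our report, of how a login handler avoids the three login-related findings above: it issues a fresh session ID on successful authentication (so a pre-authentication ID an attacker planted is worthless), returns a generic error that never echoes the submitted password, and locks an account after repeated failures. The user store, salt and lockout threshold are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store: only password hashes are kept, never clear text.
_SALT = b"demo-salt"
_ITER = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}

MAX_FAILED = 5        # constructed lockout threshold
SESSIONS = {}         # session id -> authenticated username (None while anonymous)
FAILED = {}           # username -> consecutive failed login attempts


def new_session():
    """Issue a random, unguessable session id (to be sent in a cookie, not the URL)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = None
    return sid


def login(sid, username, password):
    """Authenticate; returns (session_id, message).

    On success the pre-authentication id is discarded and a new one returned,
    which defeats session fixation. On failure the caller's id is unchanged and
    the message is generic: the submitted password is never echoed back.
    """
    if FAILED.get(username, 0) >= MAX_FAILED:
        return sid, "account temporarily locked"
    stored = USERS.get(username)
    # Always hash the candidate so unknown and known users take similar time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    if stored is None or not hmac.compare_digest(stored, candidate):
        FAILED[username] = FAILED.get(username, 0) + 1
        return sid, "invalid credentials"
    FAILED.pop(username, None)
    SESSIONS.pop(sid, None)          # invalidate the id the client arrived with
    fresh = new_session()
    SESSIONS[fresh] = username
    return fresh, "ok"
```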
Our work gave our client a detailed understanding of the gaps in the application's security. We provided a final report with full details of each issue along with a proof of concept, and made precise recommendations for fixing each high-, medium- and low-risk issue identified during the test.
If you need help securing your data, speak to one of our penetration testing experts or read more about our cyber security capabilities.