Unfortunately it's back to school for this mobile and web application
A higher education institution offering undergraduate and postgraduate degrees approached us last year with concerns about the security of their SaaS platform. They had built a subscription-based portal through which institutions worldwide could offer courses, and intended to sell the same platform to channel partners in future. With substantial revenue riding on it, they wanted assurance about the core security of the product as a whole.
How we resolved it
We performed thorough testing of their entire platform
We walked them through the security testing process and what would best suit their current need. They opted for grey-box testing: we started from a black-box position, knowing only the platform's URL, and then moved on to authenticated testing using accounts we registered ourselves.
From that starting point, the externally visible network was assessed for unnecessary exposed services. These not only enlarge the attack surface but also point to weak or missing internal hardening processes. Several unnecessary services had been left in their default state, many of them running outdated and vulnerable software versions.
For the application, self-registration was used to create multiple test accounts. The registration flow never verified that the registrant controlled the supplied email address, and no notification was sent to that address's real owner, so anyone could register accounts in bulk under arbitrary or other people's email addresses.
From the low-privilege user perspective, several high-risk issues were identified, most notably a SQL injection that resulted in complete compromise of the backend database. The registered users and their password hashes were obtained; these were subjected to password cracking, and administrative access was achieved very quickly.
Insecure direct object references compounded the problem: documents previously uploaded by other users could be downloaded simply by referencing them, as no ownership check was performed.
User-supplied data was also stored and later rendered without server-side validation or output encoding, allowing a trivial stored script injection attack. The absence of secure coding practices and training among the developers who built the platform was clear to see.
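The three application findings above (SQL injection, insecure direct object reference, stored script injection), reduced to a small runnable model. This is an added example, not code from the assessed platform or from the report: the tables, account names, document contents and the `admin'-- ` payload are all constructed, and each vulnerable handler is followed by the hardened form the remediation would be expected to produce.

```python
"""Added illustration (not code from the assessed platform): a tiny
sqlite3-backed model of the three application findings, with each
vulnerable handler beside a hardened version.  Table layout, user names
and document contents are all constructed sample data."""
import html
import sqlite3


def make_db():
    """Build an in-memory database with constructed users and documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
                 "owner_id INTEGER, title TEXT, body TEXT)")
    # Passwords are kept in clear here only to keep the injection demo short;
    # real storage needs a salted, deliberately slow password hash.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "c0rrect-h0rse", "admin"),
        (2, "alice", "alice-pw", "student"),
        (3, "bob", "bob-pw", "student"),
    ])
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", [
        (10, 2, "Alice transcript", "Module grades for alice"),
        # Bob's upload carries a script payload the renderer must neutralise.
        (11, 3, "Bob support note", "<script>alert(document.cookie)</script>"),
    ])
    return conn


# Finding 1: SQL injection.  Building the query by string formatting lets the
# username rewrite the WHERE clause: the value  admin'--  closes the quoted
# literal and comments out the password check, so any password logs in as admin.
def login_vulnerable(conn, username, password):
    query = (f"SELECT id, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    # Parameter binding: the driver passes values separately from the SQL
    # text, so quotes and comment markers in the input cannot alter the query.
    query = "SELECT id, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Finding 2: insecure direct object reference.  The document id comes straight
# from the request and nothing ties it to the user making the request.
def download_vulnerable(conn, requester_id, doc_id):
    query = "SELECT owner_id, title, body FROM documents WHERE id = ?"
    return conn.execute(query, (doc_id,)).fetchone()


def download_fixed(conn, requester_id, doc_id):
    # The ownership check is part of the lookup itself, so a guessed id that
    # belongs to someone else simply finds nothing.  Staff access would be
    # granted by a separate, explicit role check, not by dropping this predicate.
    query = ("SELECT owner_id, title, body FROM documents "
             "WHERE id = ? AND owner_id = ?")
    return conn.execute(query, (doc_id, requester_id)).fetchone()


# Finding 3: stored script injection.  Data is not trustworthy just because it
# came back from the database; it must be encoded for the context it lands in.
def render_vulnerable(title, body):
    return f"<h1>{title}</h1><div>{body}</div>"


def render_fixed(title, body):
    # html.escape turns < > & " ' into entities, so the browser shows the
    # payload as text instead of executing it.
    return f"<h1>{html.escape(title)}</h1><div>{html.escape(body)}</div>"


if __name__ == "__main__":
    db = make_db()
    print("injected login :", login_vulnerable(db, "admin'-- ", "anything"))
    print("fixed login    :", login_fixed(db, "admin'-- ", "anything"))
    print("IDOR as alice  :", download_vulnerable(db, 2, 11))
    print("fixed as alice :", download_fixed(db, 2, 11))
    print("safe rendering :", render_fixed(*download_fixed(db, 3, 11)[1:]))
```

Run it as a script to see the injected login return the admin row while the parameterised version returns nothing, alice's request for document 11 succeed only against the unchecked handler, and Bob's payload come out as inert entities. The same three fixes (bind parameters, put the authorisation predicate in the query, encode on output) are the concrete form of remediation step 4 below.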
Benefits for the customer:
Upon submission of our final report and debrief with the client, the steps taken were:
1. Minimise the exposure of unnecessary services to the internet
2. Update the servers with the latest patches and software versions
3. Follow industry guidelines and best practices such as the CIS Benchmarks
4. Provide training to the developers in writing secure software from that point onwards
5. Review the architecture of the application to ensure no privilege escalation is possible
6. Store password hashes securely
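Step 6 is the one most directly behind the quick cracking described earlier. The following is an added example, not the platform's code or anything from the report: it contrasts an unsalted fast hash with a per-user-salted, deliberately slow key derivation on constructed accounts and a constructed wordlist, and counts the work an attacker has to spend in each case. The record format and the iteration count are assumptions for the demo.

```python
"""Added illustration (not the platform's code): why a fast, unsalted hash
falls in a single pass while a salted, slow KDF removes the shortcuts.  The
accounts, passwords and wordlist below are constructed sample data."""
import hashlib
import hmac
import os

# Constructed sample: three accounts, two of which chose the same weak password.
USERS = {"admin": "Summer2023", "alice": "Summer2023", "bob": "Tr0ub4dor&3"}
WORDLIST = ["password", "welcome1", "Summer2023", "letmein", "qwerty123"]

# Demo cost only.  Production should follow current OWASP guidance for the
# chosen KDF, or prefer a memory-hard one such as Argon2id or scrypt.
ITERATIONS = 100_000


# --- what unsalted fast hashing gives an attacker -----------------------------
def store_md5(users):
    """Unsalted MD5: equal passwords produce equal hashes."""
    return {name: hashlib.md5(pw.encode()).hexdigest() for name, pw in users.items()}


def crack_md5(store, wordlist):
    """One hash per wordlist entry cracks every user at once: the lookup table
    is shared across users and could have been precomputed long ago."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {name: table[h] for name, h in store.items() if h in table}
    return recovered, len(wordlist)   # second value: hash computations spent


# --- remediation: per-user random salt plus a deliberately slow KDF -----------
def _kdf(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hash_password(password):
    """Return a self-describing record (assumed format): algo$iters$salt$hash."""
    salt = os.urandom(16)
    digest = _kdf(password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record, candidate):
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    digest = _kdf(candidate, bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: no timing leak about how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def store_pbkdf2(users):
    return {name: hash_password(pw) for name, pw in users.items()}


def crack_pbkdf2(store, wordlist):
    """Salts force a fresh KDF run per (user, guess): nothing is shared or
    precomputed, and every run costs ITERATIONS hash operations."""
    recovered, kdf_calls = {}, 0
    for name, record in store.items():
        for guess in wordlist:
            kdf_calls += 1
            if verify_password(record, guess):
                recovered[name] = guess
                break
    return recovered, kdf_calls


if __name__ == "__main__":
    weak = store_md5(USERS)
    print("same hash for admin and alice:", weak["admin"] == weak["alice"])
    print("md5 cracked  :", crack_md5(weak, WORDLIST))
    strong = store_pbkdf2(USERS)
    print("same record for admin and alice:", strong["admin"] == strong["alice"])
    print("pbkdf2 cracked:", crack_pbkdf2(strong, WORDLIST))
```

Two things to take from the output. The unsalted store leaks that admin and alice share a password before any cracking starts, and a five-word table recovers both for five hash computations. The salted store hides the shared password and costs a full KDF run per guess per user (eleven runs of a hundred thousand iterations here). The caveat is that admin's password is still recovered: a slow KDF raises the price of each guess but cannot save a password that sits in a small wordlist, so step 6 only works alongside a password policy, a breached-password check and MFA on privileged accounts.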
Summary figures shown on the original page (the numbers themselves are not preserved in this copy): time taken to exploit the SQL injection; people responsible for development; pages of vulnerabilities and remediations in the report.
“No real secure development process was in place; the huge application had been built, but never tested at all during the build. The end test was long, expensive and alarming in what we uncovered.”