Introduction to

Client Background

Logistics UK is among the top trade associations in the UK. The company was formerly known as the Freight Transport Association (FTA). It is primarily involved in the business of moving goods by road, rail, sea, and air. Logistics UK is based in Tunbridge Wells and intends to represent the views and interests of over 18,000 companies from the transport industry.

Before they met us

  • Logistics UK handles, controls, and records all its day-to-day activities through a web application built specifically for it.
  • The organisation was experiencing recurring security problems with this application.
  • The client was struggling to identify the root causes of these problems, let alone their solutions.

How We Tackled the Situation

  • The RSK Security Team planned a complete vulnerability scan to identify security weaknesses in the client’s web application.
  • A comprehensive VAPT assessment gave us the information needed to address the client’s issues.
  • We exploited the identified weaknesses from an attacker’s perspective, which helped us devise a plan to fix the security issues and protect sensitive data.
  • Our security testers carried out an in-depth evaluation of the current security status and produced appropriate recommendations to improve it.

Processes/Strategies Used by Our Team

  • VAPT of the web application to determine its security resilience and uncover vulnerabilities.
  • OWASP security testing, NIST, PTES, OSSTMM security guidelines, and other security testing standards were leveraged during the assessment.
  • Threat modeling and assessment of the impact of the vulnerabilities identified.
  • Preparation of a Security Audit Report (SAR) to help the client implement solutions.

Tech Stack

Front End – HTML, CSS, and JavaScript are used to design and develop the user-facing layer of the web application.

Backend – The .NET Framework and Azure DevOps handle the day-to-day backend activities of the application.

Database – MySQL database servers store and transfer all the data associated with Logistics UK’s web application.

Tools Used

  • Professional scanners such as Nessus Professional and Burp Suite.
  • Nmap for scanning the network for vulnerabilities.
  • Wireshark for inspecting incoming and outgoing traffic for security threats.
  • BeEF to gauge the impact of external attacks on the web app delivered through browser exploitation.
  • sqlninja to find and eliminate database vulnerabilities.

Findings of the Assessment

Through our credentialed patch audit, we found several vulnerabilities seriously impacting the web application’s security. The vulnerabilities are classified and listed below:

Critical Vulnerabilities

  • Session Mismanagement

Impacts:

  • Fraud against the organisation can be orchestrated by exploiting the session mismanagement vulnerability present in its web application.
  • Information theft is also a serious risk that could cause severe losses and business interruption.

High-Risk Vulnerabilities

  • CSV Injection
  • Failure to Restrict URL Access
  • Full Path Disclosure
  • Deprecated TLS used with a weak Cipher

Impacts:

  • These can be exploited to hijack the system and to exfiltrate contents from exported spreadsheets.
  • Sensitive information leakage is a standing risk with vulnerabilities of this severity.

Medium-Risk Vulnerabilities

  • Session Token in URL
  • Strict Transport Security Not Enforced
  • Flash Cross-domain Policy Enabled
  • No Rate Limiting

Impacts:

  • The impact ranges from denial of service (DoS) to enabling authentication attacks.
  • These vulnerabilities also have the potential to disrupt the normal operation of the API.

Low-Risk Vulnerabilities

  • No Session Timeout
  • Sensitive Information in URL (CSRF Token)
  • Access-Control-Allow-Origin Misconfiguration

Impacts:

  • The literal value “*” is a wildcard that is only appropriate in Access-Control-Allow-Origin for requests made without credentials.
  • Lack of a session timeout can enable an attacker to steal and reuse an existing user session.
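A defender-side check for several of the header and URL findings listed above (Strict Transport Security not enforced, Access-Control-Allow-Origin misconfiguration, session and CSRF tokens in the URL), written as an added example for this case study and not taken from the engagement; the URL, header values and token parameter names are constructed.

```python
import re

# Constructed sample capture (hypothetical host and values, not from the engagement).
SAMPLE_URL = "https://portal.example.test/report?csrf_token=abc123&sessionid=9f8e7d6c"
SAMPLE_HEADERS = {
    "Location": "https://portal.example.test/home;jsessionid=9f8e7d6c",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "sessionid=9f8e7d6c; Path=/",
    # No Strict-Transport-Security header at all.
}

# The same response after remediation, for contrast.
HARDENED_URL = "https://portal.example.test/report"
HARDENED_HEADERS = {
    "Location": "https://portal.example.test/home",
    "Access-Control-Allow-Origin": "https://app.example.test",
    "Access-Control-Allow-Credentials": "true",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Session/CSRF-style parameters that should never travel in a URL (query or path).
TOKEN_RE = re.compile(r"(?i)\b(j?sessionid|phpsessid|csrf_?token|sid|token)=([^&;]+)")


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent or invalid."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


def tokens_in_url(url):
    """Return the lower-cased names of token-like parameters found in a URL."""
    return sorted({m.group(1).lower() for m in TOKEN_RE.finditer(url)})


def audit_response(url, headers):
    """Return a list of finding identifiers for one captured request/response pair."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    elif hsts_max_age(hsts) == 0:
        findings.append("hsts-max-age-zero")
    # A wildcard origin together with credentials is the misconfiguration to flag.
    if h.get("access-control-allow-origin") == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("cors-wildcard-with-credentials")
    for where, candidate in (("url", url), ("location", h.get("location", ""))):
        findings.extend(f"token-in-{where}:{name}" for name in tokens_in_url(candidate))
    return findings
```

Running `audit_response(SAMPLE_URL, SAMPLE_HEADERS)` reproduces the four classes of finding in one response, while the hardened pair yields an empty list.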

Our Recommendations

  • All the steps we recommended to the client were based on the findings of the credentialed patch audit.
  • Vulnerability scanning is only one tool for assessing an application’s security posture; there are several others Logistics UK can use to obtain a definitive measurement.
  • A complete and comprehensive policy review to fortify internal security controls and procedures, or internal red teaming/penetration testing.
  • Our recommendations also included an action plan to close the security gaps and meet all applicable compliance requirements and regulations.

Results

  • The tested application was not secured in a manner aligned with good practice. We assisted in simplifying internal and external security practices to fix this.
  • The client received a complete audit report highlighting all its security lapses and the loopholes in its current policies. We delivered the report and remediation steps within the agreed deadline.
  • We devised a specific error-handling documentation policy for the client, intended to reduce the human element behind future security threats.
  • Logistics UK was eventually able to fortify its security posture after deploying the mitigation steps suggested by our VAPT services team.
