Client Background

Logistics UK is among the top trade associations in the UK. The company was formerly known as the Freight Transport Association (FTA). It is primarily involved in the business of moving goods by road, rail, sea, and air. Logistics UK is based in Tunbridge Wells and intends to represent the views and interests of over 18,000 companies from the transport industry.

How we tackled the Situation?

The RSK Security Team planned a complete vulnerability scan to gather security weaknesses on the Client’s web application.
A comprehensive VAPT Assessment helped us gather all the required information to solve their issues.
We exploited all the found weaknesses with an attacker’s approach. It helped us in devising a plan to fix security issues to protect sensitive data.
Our security testers held up an in-depth evaluation of the current security status and eventually came up with appropriate recommendations to level it up.

Processes/Strategies Used By our Team

VAPT of the web application to determine its security resilience and uncover all vulnerabilities.
OWASP Security testing, NIST, PTES, OSSTMM security guidelines, and other security testing standards were leveraged during the assessment.
Threat modeling and determining the impacts of vulnerabilities identified.
Preparing Security Audit Report (SAR) for the client to help them in implementing solutions.

Tech Stack

Front End – HTML, CSS, and JavaScript are used to design and develop the outer framework of the web application.

Backend – Dot Net Framework and Azure Devops are responsible for handling day-to-day backend activities hosted by the said application.

Database – MySQL servers and database holds the responsibility of storing and transitioning all the data associated with Logistic UK’s web application.

Tools Used

Professional scanners such as Nessus Professional and Burp Suite.
nMap for scanning the network vulnerabilities.
Wireshark for testing incoming and outgoing data for security threats.
BeEF to gauge the impact of external attacks on the web app coming through browser exploitations.
SQL Ninja to find out and eliminate database vulnerabilities.

Findings of the Assessment

Through our credentialed patch audit, we found several vulnerabilities seriously impacting the web application’s security. The Vulnerabilities are classified and listed below

Critical Vulnerabilities

Session Mismanagement

Impacts:

Fraud against the organization can be orchestrated by exploiting the session mismanagement vulnerability present in its web applications.
Information Theft is also a serious risk that might cause severe losses and Business Interruptions.

High-Risk Vulnerabilities

CSV Injection
Failure to Restrict URL Access
Full Path Disclosure
Deprecated TLS used with a weak Cipher

Impacts:

Can be exploited to hijack the system and for exfiltrating contents from the spreadsheet.
Potential sensitive information leakage is always a risk with such high-risk vulnerabilities.

Medium-Risk Vulnerabilities

Session Token in URL
Strict Transport Security Not Enforced
Flash Cross-domain Policy Enabled
No Rate Limiting

Impacts:

The impact can range from something like DoS up to enabling authentication attacks.
These vulnerabilities also hold the potential for disrupting the normal workings of the API.

Low-Risk Vulnerabilities

No Session Timeout
Sensitive Information in URL (CSRF Token)
Access-Control-Allow-Origin: Misconfiguration

Impacts:

For requests without credentials, the literal value “*” can be specified as a wildcard.
Lack of session timeout can enable an attacker to steal and use an existing user session.

Our Recommendations

All the steps we recommended to the client were based on available findings from the credentialed patch audit.
Vulnerability scanning is only one tool to assess an application’s security posture. There are several others that Logistics UK can use to assure a definitive measurement.
Complete and comprehensive policy review to fortify internal security controls and procedures, or internal red teaming/penetration testing.
Our recommendations also included an appropriate action plan to close the security gaps and meet all the compliance requirements and regulations.

Results

The tested application was not secured in a manner aligned with good practice. We assisted in simplifying internal and external security practices to fix it.
The client got a complete audit report highlighting all their lapses in security and loopholes within their current policies. We delivered the report and remediation steps within the set deadline.
We devised a specific policy for the documentation of handling errors to the client. It would help them to reduce the human element responsible for security threats in the future.
Logistics UK was eventually able to fortify its security posture after deploying the mitigation steps suggested by our VAPT services team.

Locate Us

Headquarter Anerley Court, Half Moon Lane, Hidenborough, Kent, TN11 9HU,
UK.
Contact: +44(0) 1732 833111

UAE Concord Tower, 6th Floor, Dubai Media City, 126732
Dubai, UAE.
Contact: +971 (0) 4 454 9844

USA 580 Fifth Avenue, Suite 820
New York, NY 10036
USA.

India Plot No.14, 5th Floor, Sector-18, Gurugram -122015 Haryana,
India.
Contact: +91(0) 124 4201376

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Introduction to

Client Background

Before they met us

How we tackled the Situation?

Processes/Strategies Used By our Team

Tech Stack

Tools Used

Findings of the Assessment

Critical Vulnerabilities

High-Risk Vulnerabilities

Medium-Risk Vulnerabilities

Low-Risk Vulnerabilities

Our Recommendations

Results

Get Secured Today

Locate Us

Products

Solutions

What We do

Know More

Choose Expert guidance to patch vulnerabilities.

Let's talk security today.

Choose hacker style methodologies over fear.

Let's talk security today.

We'd Love to Hear From You

Introduction to

Client Background

Before they met us

How we tackled the Situation?

Processes/Strategies Used By our Team

Tech Stack

Tools Used

Findings of the Assessment

Critical Vulnerabilities

High-Risk Vulnerabilities

Medium-Risk Vulnerabilities

Low-Risk Vulnerabilities

Our Recommendations

Results

Get Secured Today

Locate Us

Products

Solutions

What We do

Know More

Follow Us

We adhere your privacy!

Choose Expert guidance to patch vulnerabilities. Let's talk security today.

Choose Expert guidance to patch vulnerabilities. Let's talk security today.

Choose hacker style methodologies over fear. Let's talk security today.

We'd Love to Hear From You

Choose Expert guidance to patch vulnerabilities.
Let's talk security today.

Choose Expert guidance to patch vulnerabilities.

Let's talk security today.

Choose hacker style methodologies over fear.

Let's talk security today.