Description
Client: Vistra
Category: Product Security
Date: 2 March 2023
Vistra is a prolific service-providing company that has a functional reach at multiple locations across the globe. The company is dedicated to helping businesses to improve through its fund administration and other corporate services. It helps its clients to boost their growth by providing assistance in employing more people, expanding into new markets, and improving their productivity. Overall, it helps companies to structure their business more efficiently.
Before they met Us!
- Vistra provides its services across different industries that include Governance, Risk & Compliance, Advisory & Transaction Support, Finance, Accounting & Administration, and other similar corporate activities.
- All these day-to-day activities are controlled through Vistra’s web application.
- Functional and security issues kept frequently arising in the application that was coming their way to proving smooth services to their clients.
How we addressed the problem?
- We thoroughly planned a vulnerability assessment and penetration testing process for the client’s web application.
- Our team gathered all the necessary information to solve the issues that were hindering Vistra’s operations.
- We executed in-depth penetration testing to determine the impact of every vulnerability and suggested ways of remediation.
Vulnerabilities We Exploited
Our testing team exploited every known and hidden vulnerability within the client’s environment. The following is the list of those vulnerabilities and their impact on mission-critical applications used for day-to-day business operations.
- Critical Vulnerabilities
- Cross Site Scripting (Stored)
- Business Logic Abuse
- Business logic abuse + Cross Site Scripting (Stored)
- Authentication Bypass
- Impacts
- Broken authentication protocol that might allow hackers to compromise a high-privileged account and access all critical data.
- Impaired UI
- Susceptibility to XSS payload on the web application.
High-Risk Vulnerabilities
- Cross Site Scripting (Reflected)
- Formula Injection
- Impacts
- Attackers can perform unauthorized actions.
- Maliciously crafted formulas can be used for three key attacks.
Medium-Risk Vulnerabilities
- Deprecated TLS used with weak ciphers
- Data Modification
- Security headers missing
- Impacts
- The application fails to prevent users from connecting to it over unencrypted connections.
- Altering programs so they perform differently.
Low-Risk Vulnerabilities
- Information Disclosure – stack trace
- Information disclosure – AWS server version
- Cookie without secure and HTTP only flag
- Impacts
- Absence of the ‘HttpOnly’ flag may allow an adversary to steal authentication data.
- Information leaks
Processes/Strategies Used By our Team
- Basic pen testing techniques that are used during API penetration testing and application penetration testing.
- We followed the key security testing standards such as OWASP Security testing, NIST, PTES, and OSSTMM guidelines.
- Mapping the threat landscape and analyzing the impact of each vulnerability individually.
Tools Used
- Nessus Professional and Burp Suite for vulnerability scanning.
- Network security testing with nMap.
- Incoming and outgoing data traffic analyzed with the help of Wireshark.
- BeEF to determine the impact of external attacks on the application coming through browser exploitations.
- SQL Ninja to exploit database.
Tech Stack of The Application
- HTML, CSS, and JavaScript constitute the front-end architecture.
- Backend features and functionalities are supported by Dot Net Framework and AWS.
- MySQL for Database.
Results and Recommendations
The Client’s application was not in line with adequate security standards. We found several vulnerabilities that might result in catastrophic impacts.
We did a complete review of the security policies and implemented solutions for internal security controls and procedures.
We recommend a comprehensive security plan to close the gaps and meet compliance requirements and regulations.
We drafted a specific policy for the documentation of handling errors for the client.
Eventually, Vistra was able to make its web application secure with the help of our penetration testing services and final recommendations.
