THE CHALLENGE
Our penetration testing team was tasked with a web application penetration test for an undisclosed Digital Vault Platform (similar to DigiLocker). The engagement was black box: there was no predefined scope and no additional information about the company, and the team simulated a maliciously registered customer.
THE SOLUTION
We achieved a complete compromise of the transaction processing API, which allowed us to initiate unsolicited payments on behalf of other registered customers. Additionally, we were able to fetch the customers' PII documents.
How Did We Do It?
The team at SecurityBoat discovered an unattended staging environment and exploited its vulnerabilities to access sensitive information. This information was then used to attack the main application, which enabled us to access the payment API on behalf of other customers of the client.
The Attack Lifecycle - Black Box
The Attack Lifecycle - Grey Box
What the client said about us!
The moment you speak to SecurityBoat, it's clear that they are passionate about their work. Ninad and his young team are enthusiastic, professional and fully aware of the implications of their work. They moved fast, worked hard and delivered a comprehensive report on our online product. Their detailed report and handholding are invaluable and have helped us immensely. Our search for an able, dependable team has ended with Security Boat.
Key Outcomes for the Customer
- Increased web application security, resulting from comprehensive black and grey box testing and the actionable vulnerability remediation guidelines provided by SecurityBoat.
- A strengthened reputation as a secure communication solutions vendor and increased customer trust.