Cyber Security Case Studies

Business situation

The IT product company developed an education domain web application, hosted on Microsoft Azure cloud platform. The product has customers across the globe, and being widely used.

The product company wanted to perform detailed network penetration test on their web application. Valency Networks was approached to perform tests and provide technology design consultancy to achieve better cyber security practices

Solution

• Valency Networks was set up for a demo of the SaaS application, during which Valency Networks pen-testers understood the portal?s business logic and flow and based on that created their own case studies to be tested for each feature and function developed within the SaaS application.
• Since SaaS application was an online educational based business application. Application?s integrity, confidentiality and availability were of utmost priority in the same order. Integrity was important to be ensured because in case hacker was able to gain access via vulnerable session management done in application or was able to upload any malicious content which could lead to major reputational and legislative law-suite cases on application?s development company.
• After demo all pen-testers discussed and decided on what testing methodologies and tools to be used. Also if any new manually scripted payload bombs are required to be created particularly centric to the given SaaS application?s infrastructure and code design i.e. which Cloud is used, application is developed using which framework and hosted on which OS?
• After application case study was complete, pen-testers created case studies for multi-Tenancy and multi-Tenant Role pen-testing methodologies.
• In mean while customer?s development team was setting up UAT instance for Valency Networks replicating production instance and data on it, Valency Networks pen-testers began vulnerability assessment for SaaS application using one Tenant.
• In parallel to this vulnerability assessment Valency Networks pen-testers asked customer to give one more instance of SaaS application to mimic multi Tenancy i.e. customer had all his customer?s application hosted on same server with separate database allocated for each of customer (normal SaaS scenario)
• SaaS application had multiple roles hence testing for session management vulnerabilities for privilege escalation both horizontal and vertical was on checklist which was done using various manual techniques and permutations.
• User input fields within entire SaaS application was tested for cross site script vulnerability using manually scripted payload bombs.
• For any portal ?SELECT queries? can prove of high risk. Badly coded SQL queries can either expose more data, than required, to unauthorized user or this vulnerability can be tweaked by any internal user having bad intentions.
• Due to the nature of this application it had hundreds of Forms i.e. add user, delete user, edit user, add course, add assignments, add announcements, add events, add question banks and more. Hence it was very critical to test each and every Form for Cross Site Request Forgery (hereafter termed as CSRF) vulnerability. CSRF is most impactful and most complex for developers to understand and fix it. But Valency Networks pen-testers were successful in finding CSRF on many critical forms.
• Valency Networks pen-tester took a step ahead and tried to execute Cross Site Request Forgery between two different Tenants i.e. they tested if it was either possible to steal data or POST any data to another Tenant of the same application. And as a fact we were successful (scary but true)! Many advanced tests are included in Valency Networks SaaS application?s multi-Tenancy multi-Tenant Role checklist which are explained later.
• The application had many file upload functionalities too i.e. right from uploading tutorial videos to PDF, Docx, Audios, Images. Hence vulnerability assessment of file-upload was also a big task. Valency Networks has an internal detailed checklist to follow, for vulnerability assessment of file-upload functionality taking various parameters in consideration. As an outcome of testing vulnerabilities were found in file extensions and file name.
• Multi-Tenant checks included many tests, few to mention- if privilege escalation is possible between users of two different tenants and tests like is data exposure or upload possible between users of two different tenants.

Benefits

• IT firm's management could gain confident in their business, which was pinned on this product.
• Web application product gained great data security and hence a lot of polularity among the education sector.