Web Application Security
Mobile Application Security
Network Security
IoT Security
SCADA Security
Based in Gujarat, India, Invesics is home to some of the brightest minds in the
cyber security domain from across the country. Since our inception we have catered
to hundreds of clients across the globe and helped strengthen their platforms and
business environments against cyber-crime and hackers.
We are empowered by a passionate and diligent team of ethical hackers holding
certifications from the EC-Council, OPSEC and the 210W-01 to 210W-10 "Cyber
Security for Industrial Control Systems" series.
Together we work as a team of cyber security consultants focused on helping you
make your business more secure.
Why businesses prefer us

Detailed Understanding
In addition to securing your online business, we give you a thorough and detailed
understanding of all the processes at every step of the way.

Accurate Milestones
Our process states well-mapped milestones and deliverables, so that it occupies the
least of your attention and does not hamper your day-to-day business functions.

Best-in-town Efficiency
With our cumulative experience and knowledge, we are amongst the world's leading
cyber security experts.

Seamless Support
The completion of a project is the beginning of a value-driven relationship. For any
query or support related to your business's cyber security, we will always be
available.
INDEX OF CASE STUDIES

#1 Server and Firewall Security Review of a Wellness Product
#2 VA-PT of a Wellness Product
#3 Pen-Testing of a Giant Software Listing Portal
#4 VA-PT of a Magento-based Application with Magento Extension Purchases
#5 Pen-Testing of an International VoIP Service Provider Portal
#6 Pen-Testing of an Automobile Accessory Designing Portal
#7 Pen-Testing of an Automobile Accessory E-Commerce Portal
#8 Periodic Security Re-Assessment for Newly Added Modules of a Wellness Product
#9 VA-PT of an Educational ERP Management System
#10 VA-PT of HR Management Software
#11 Finding Security Loopholes in Cloud Infrastructure and Logs
#12 Pen-Testing of a Fake Brand Detection Portal
#13 IT Audit of a Limited Company Network Dealing with a Nationalised Bank
#14 VA-PT of an International Survey and Feedback Portal
#15 VA-PT of an ERP Management System
#16 Network VA for a Limited IT Company
#17 System Hardening for a Listed Software Company
End-to-end Cyber Security Solutions,
with world's leading Cyber Security Experts
Case studies by Invesics (www.invesics.com)

#1 Server and Firewall Security Review of a Wellness Product
Industry: Health Care Solutions
Type of Project: Server + Firewall Review
Platform: Linux (Ubuntu 16.04 "xenial", x64)
Time Duration: 15 Days

Scenario
We were contracted by the company to review the firewall and the production server
and identify possible weaknesses in their configuration.

Testing methodology
A manual approach was used for reviewing the server and firewall because it was a
live environment.

Risk Found
- Weak log management
- Absence of a disaster recovery set-up
- SSH exposed to the network
- Default configuration, leaving the server vulnerable to potential attacks

Business Risk
The client's server was running with its default configuration; no advanced security
configuration had been done as a hardening process. In addition, we were able to
perform an SSH brute-force attack and gain unauthorised access to the server, which
exposes all product code and the database. An attacker with this access could
completely destroy the production servers, with a potential brand value loss of
INR 5 Cr that was averted.
#2 VA-PT of a Wellness Product
Industry: Health Care Solutions
Type of Project: Web VAPT
Platform: WordPress, MySQL, Apache, Ubuntu
Time Duration: 1 Month

Scenario
The organisation had developed server-side protections but wanted client-side issues
examined as well. The challenge was to perform client-side attacks that demonstrate
maximum impact, as the organisation provided a live environment.

Testing methodology
An automated scan was performed to identify the attack surface. A manual approach was
chosen for exploitation and for bypassing the default client-side protections.

Risk Found
- XSS that could affect users through cookie theft
- Lack of proper encryption, allowing sensitive data to be captured via a MitM attack

Business Risk
Because of these technical risks, any user could gain unauthorised access to another
user's account without knowing their credentials. This is a breach of users' data
privacy and of GDPR requirements, which is punishable under the law and a possible
cause of reputational loss for the business.
#3 Pen-Testing of a Giant Software Listing Portal
Industry: IT
Type of Project: Web VAPT of the respective product
Platform: PHP, Cloudflare, Ubuntu
Time Duration: 15 Days

Scenario
A growing platform for discovering top business software and service partners
contracted us to perform a full VAPT. The challenge was to perform the VAPT with the
maximum possible impact.

Testing methodology
An automated scan was performed to identify the attack surface, covering possible
server-side and client-side attack vectors. A manual approach was used to weed out
false positives and for exploitation.

Risk Found
- File upload leading to server manipulation and sensitive information leakage
- Privilege escalation
- Weak cookie management, combined with clickjacking, enabling identity theft

Business Risk
The application had one of the most severe vulnerabilities, unrestricted file upload.
By exploiting it, an attacker can upload malicious files such as malware or web
shells to the production servers and, by accessing them, take unauthorised control
of those servers. Further, weak cookie management and privilege escalation were found,
through which an attacker could steal the identity of the product brand and of user
accounts and misuse them. This could lead to a potential brand value loss of approx.
INR 8 Cr that was averted.
#4 VA-PT of a Magento-based Application with Magento Extension Purchases
Industry: Application Development
Type of Project: Web VAPT
Platform: WordPress, MySQL, Magento
Time Duration: 1 Month

Scenario
A web application built with WordPress was presented with a limited scope; however,
a full port scan was allowed in the test environment. The exercise resulted in high,
medium and low severity issues.

Testing methodology
As the scope was limited to the web application, an automated scan was performed
within the provided scope, while exploitation was done manually. For the web server,
port status was checked with automated tools and exploitation was performed manually.

Risk Found
- Session mismanagement and account hijacking
- Poor encryption leading to MitM attack
- Session exploitation
- Improper HTTP method handling, allowing unnecessary communication with the server
- Excessive information disclosure, combined with clickjacking
#5 Pen-Testing of an International VoIP Service Provider Portal
Industry: Telecommunications
Type of Project: Web and Mobile Application VAPT
Platform: NodeJS, Angular, MySQL
Time Duration: 1 Month

Scenario
The company provides an on-demand VoIP service with multiple users. The challenge was
to perform black-box testing with a manual approach, on sub-domains only.

Testing methodology
The environment was live, so everything except basic scanning was done manually.
Exploitation was performed in such a way that it would not affect live users.

Risk Found
- Lack of proper encryption, allowing sensitive data to be captured via a MitM attack
- Absence of secure cookie flags, helping an attacker exploit session-related issues
- HTTP OPTIONS method enabled, letting an attacker enumerate the communication
  options the server supports
- Clickjacking, which could play a role in social engineering

Business Risk
Improper cookie management and privilege escalation were found, through which an
attacker could steal the identity of the product brand as well as user accounts and
misuse them. Gaining unauthorised access to another user's data on the application is
a breach of users' data privacy and of GDPR requirements, which is punishable under
the law and a possible cause of reputational loss for the business. This was averted.
#6 Pen-Testing of an Automobile Accessory Designing Portal
Industry: Automobile
Type of Project: Web VAPT of the respective product
Platform: Magento, PHP, MySQL, Apache, Ubuntu
Time Duration: 1 Month

Scenario
We were contacted by the company to perform a web VAPT. As it was a live environment
we were not allowed to perform DoS attacks, and the scope was limited. The exercise
still resulted in high, medium and low severity issues.

Testing methodology
The provided environment was live and a black-box methodology was applied. We
performed a low-intensity automated scan to avoid harming the live environment and
its users; a manual approach was chosen for exploitation.

Risk Found
- Outdated web server version, easily exploitable with publicly available exploits
- Unrestricted file upload leading to server takeover and sensitive information leakage
- Directory traversal potentially leading to sensitive information exposure
- Improper session management leading to account takeover
- Lack of proper encryption, allowing sensitive data to be captured via a MitM attack
- Absence of secure cookie flags, helping an attacker exploit session-related issues
- HTTP OPTIONS method enabled, letting an attacker enumerate the communication
  options the server supports
- Clickjacking, which could play a role in social engineering

Business Risk
A combination of serious vulnerabilities was found in the web server and the
application code. The web server was outdated and could be exploited using publicly
available exploits. Once server access was obtained, the directory traversal and
unrestricted file upload allowed us to gain unauthorised access to automobile part
films worth approximately USD 3M per year. This was averted.
#7 Pen-Testing of an Automobile Accessory E-Commerce Portal
Industry: Automobile
Type of Project: Web VAPT of the respective product
Platform: Apache Tomcat, JSP, MySQL
Time Duration: 1 Month

Scenario
The organisation contacted us to perform a full VAPT with maximum impact, and we were
allowed to test all possible aspects. The exercise ended with high, medium and low
severity issues, which were later fixed as per the recommendations provided.

Testing methodology
Complete grey-box testing, using tools for discovery and a manual exploitation
methodology.

Risk Found
- Outdated web server version, easily exploitable with publicly available exploits
- Unrestricted file upload leading to server takeover and sensitive information leakage
- Directory traversal potentially leading to sensitive information exposure
- Improper session management leading to account takeover
- Lack of proper encryption, allowing sensitive data to be captured via a MitM attack
- Absence of secure cookie flags, helping an attacker exploit session-related issues
- HTTP OPTIONS method enabled, letting an attacker enumerate the communication
  options the server supports
#8 Periodic Security Re-Assessment for Newly Added Modules of a Wellness Product
Industry: Health Care Solutions
Type of Project: Web VAPT
Platform: PHP, MySQL, Apache, Ubuntu
Time Duration: 1 Month

Scenario
The client had a live application with frequently updated features, which required
periodic security testing because of the continuous changes.

Testing methodology
The entire exercise was done manually. The in-scope URLs were scanned passively, as
active scanning could reduce performance and affect active users. Necessary
precautions were taken during the exploitation phase.

Risk Found
- File upload leading to server manipulation and sensitive information leakage
- Poor encryption leading to MitM attack
- Absence of secure cookie flags, helping an attacker exploit session-related issues

Business Risk
As part of the periodic security review we found an unrestricted file upload
vulnerability. We were also able to intercept users' data (man-in-the-middle attack),
which is a breach of users' data privacy. Under GDPR this is punishable under the law
and a possible cause of reputational loss for the business. This was averted.
#9 VA-PT of an Educational ERP Management System
Industry: Education (Ed-Tech)
Type of Project: Web VAPT, Mobile VAPT (Android, iOS), API VAPT
Time Duration: 1-1.5 Months

Scenario
A growing school ERP platform contracted us to perform a full VAPT, as the system has
to handle thousands of users. The client also allowed us to perform a VAPT of the web
server for potential issues. The ERP had 60+ plug-and-play modules with lakhs of live
users and hundreds of active clients. The challenge was to perform penetration
testing on a live server whose code was updated daily.

Testing methodology
A grey-box approach was applied, as an initial demo was provided by the client.
Scanning was covered with automated tools and the output was used to identify false
positives; the filtered information was then used for manual exploitation so as to
avoid any adverse consequences. For the web server, scanning was automated and
exploitation manual. The outcome of the exercise was categorised into high, medium
and low severity issues. The primary tests covered penetration testing of the web
application, server and network. As the system was on a production server handling
3000+ daily transactions, the penetration test was conducted so that the system would
not go down during the daytime.
The ERP had online payment integration with multiple gateways. Testing had to cover
the combination of dynamically generated multiple user types across 60+ modules with
a dynamic rights-based access mechanism at both view level and data level.

Risk Found
- Logic flaw in the payment gateway integration enabling payment fraud: by paying
  INR 11, parents could settle thousands of rupees of fees for their student
- Improper session management leading to account takeover
- Lack of proper encryption, allowing sensitive data to be captured via a MitM attack
- Absence of secure cookie flags, helping an attacker exploit session-related issues
- HTTP OPTIONS method enabled, revealing the methods that can be used to talk to the
  server
- The server was vulnerable to the Sweet32 attack (64-bit block ciphers such as 3DES
  still offered in the TLS configuration)
- The server was also vulnerable to the CRIME attack (TLS compression enabled)

Business Risk
A combination of severe vulnerabilities was found in the educational ERP. The major
one was in the payment gateway integration used to collect fees online and handle
school accounting automatically: we were able to process a successful transaction for
several thousand rupees of fees in the ERP while actually paying only 1 rupee. The
payment gateway itself was PCI DSS certified, but the integration done by the ERP
developer was vulnerable. This could have led to an actual loss on school fee
payments of approximately USD 7 Million (INR 50 Cr) in transactions.
The ERP was also vulnerable to DDoS, through which the live system could be taken
down, leading to possible reputational loss for a brand with a current valuation of
INR 10 Cr. This was averted.
#10 VA-PT of HR Management Software
Industry: Human Resources
Type of Project: Web VAPT of the respective product
Platform: Magento, PHP, MySQL, Apache, Ubuntu
Time Duration: 20-30 Days

Scenario
The client contracted us to perform a web VAPT of the provided URLs only. As the
product was an HR management system, it was necessary to look for information leakage
and authentication issues in particular. The payment gateway was also in scope, and
the VAPT was performed in the live environment. A further challenge was that port
scanning was limited to certain ports specified by the client.

Testing methodology
The VAPT was done with a grey-box approach. Automated tools were used for scanning,
limited to the provided scope; for the payment gateway, only passive scanning was
used. Exploitation was done manually, keeping active users in mind.

Risk Found
- Broken authentication and improper session management, potentially leading to
  account takeover
- Open redirect, affecting clients by redirecting them to a malicious site
- Sensitive information leakage revealing system information that should not be exposed
- Payment gateway manipulation, affecting payments and end users
- Injection flaws, with potential data leakage

Business Risk
Improper session management allowed unauthorised takeover of other users' accounts, a
breach of users' data privacy. Further, alongside the other vulnerabilities,
manipulation of payment gateway requests produced a fully successful payment while
only 1 rupee was actually transacted. This meant a possible loss of payment
transactions worth INR 3-4 Cr, together with customer data whose exposure would breach
GDPR and damage the reputation of the business. This was averted.
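The "pay 1 rupee, settle the full fee" finding in cases #9 and #10 is almost always the same integration mistake: the ERP trusts the amount and status in the request the browser brings back from the gateway instead of what the gateway actually signed and what the ERP itself charged. The following is an added example for this page, not the ERP's or any gateway's code. The signing scheme (HMAC-SHA256 over order_id|amount|status), the field names, the secret and the order book are assumptions chosen to show the check; a real gateway documents its own.

```python
"""Vulnerable and hardened payment-callback handlers (added example; the gateway
signing scheme, field names, secret and order book below are assumptions)."""
import hashlib
import hmac

GATEWAY_SECRET = b"shared-secret-issued-by-the-gateway"  # assumption; never hard-code in production


def fresh_orders():
    """Constructed order book: one school fee of INR 25,000.00 awaiting payment."""
    return {"FEE-2024-0001": {"amount_paise": 2500000, "status": "pending"}}


def gateway_sign(order_id, amount_paise, status):
    """What the gateway (assumed scheme) attaches to its return request."""
    msg = f"{order_id}|{amount_paise}|{status}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def vulnerable_callback(orders, params):
    """Trusts the browser's return request. The attacker pays 100 paise (1 rupee) at
    the gateway, edits amount=2500000 into the redirect passing through their own
    browser, and the ERP marks the full fee as paid."""
    order = orders.get(params.get("order_id"))
    if order is None or params.get("status") != "success":
        return False
    order["status"] = "paid"
    order["paid_paise"] = int(params["amount"])
    return True


def hardened_callback(orders, params):
    """Accept only a gateway-signed callback whose amount equals what we charged."""
    order = orders.get(params.get("order_id"))
    if order is None or order["status"] != "pending":
        return False  # unknown order, or a replayed callback for one already paid
    expected = gateway_sign(params.get("order_id"), params.get("amount"), params.get("status"))
    if not hmac.compare_digest(expected, params.get("signature", "")):
        return False  # forged, or edited after the gateway signed it
    if params.get("status") != "success":
        return False
    if int(params["amount"]) != order["amount_paise"]:
        return False  # gateway honestly signed a smaller payment than the fee
    order["status"] = "paid"
    order["paid_paise"] = int(params["amount"])
    return True


if __name__ == "__main__":
    # Attacker paid 100 paise; the gateway signed 100, the browser says 2500000.
    attack = {"order_id": "FEE-2024-0001", "amount": "2500000", "status": "success",
              "signature": gateway_sign("FEE-2024-0001", 100, "success")}
    print("vulnerable accepts:", vulnerable_callback(fresh_orders(), attack))
    print("hardened accepts:  ", hardened_callback(fresh_orders(), attack))
```

The order of checks matters: the signature is verified with a constant-time compare before any field is interpreted, the amount is compared against the server's own record rather than anything in the request, and the "pending" test rejects a replay of a genuine callback.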
#11 Finding Security Loopholes in Cloud Infrastructure and Logs
Industry: Education (Ed-Tech)
Type of Project: DevOps, DevSecOps
Platform: Kibana, AWS
Time Duration: Periodic reporting

Scenario
The client approached us for DevSecOps-oriented work: look into the log management
system and provide periodic reports based on log analysis.

Testing methodology
SIEM tooling was used to detect suspicious events in the infrastructure logs. We also
helped the client set up a secure network on the cloud.

Risk Found
- Web URLs sorted by number of requests
- CPU, disk and memory utilisation metrics reported, to keep an eye on possible issues
- Log entries indicating a security breach, which were reported immediately

Business Risk
Log entries were found suggesting that the customer's VPC had been compromised. While
the client was acting on securing access, their test-environment database was hacked
for the same reason; because the logs were detected earlier, the production database
stayed safe and a business with a valuation of approximately INR 20 Cr was saved.
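The SSH brute force in case #1 and the log review in case #11 both come down to the same signal: a burst of failed logins from one address, and whether a successful login followed it. Below is an added example for this page, not Invesics' tooling or any client's logs. It parses constructed OpenSSH auth.log lines (the syslog format Ubuntu writes by default), applies an illustrative threshold of five failures inside sixty seconds, and reports each source address that crossed it together with the usernames tried and any login accepted after the burst. The year is an assumption, because syslog timestamps omit it.

```python
"""Detect SSH password guessing in sshd auth.log lines (added example; the log
lines, the threshold and the window are constructed/illustrative)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one guessing burst that ends in a successful root login,
# and one unrelated typo by a legitimate user.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 web1 sshd[2303]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:04 web1 sshd[2305]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:00:06 web1 sshd[2307]: Failed password for invalid user test from 203.0.113.7 port 51051 ssh2
Mar  3 10:00:07 web1 sshd[2309]: Failed password for root from 203.0.113.7 port 51060 ssh2
Mar  3 10:00:09 web1 sshd[2311]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Mar  3 10:05:00 web1 sshd[2400]: Failed password for deploy from 198.51.100.5 port 40001 ssh2
Mar  3 10:06:10 web1 sshd[2402]: Accepted publickey for deploy from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line, year=2024):
    """Return a dict for a login attempt line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: report} for every source with >= threshold failures inside
    window_s seconds. A success at or after the end of the burst is the
    'likely compromised' case that needs immediate action."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        burst_end = None
        for i in range(len(fails)):  # sliding window over failure timestamps
            j = i + threshold - 1
            if j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_s:
                burst_end = fails[j]
                break
        if burst_end is None:
            continue
        after = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_end]
        findings[ip] = {
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
            "success_after_burst": bool(after),
            "success_users": sorted({e["user"] for e in after}),
        }
    return findings


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, report)
```

On a real host the same logic applies to `journalctl -u ssh` output or to the Kibana index the case mentions; the remediation for case #1 is the usual pair of key-only authentication and rate limiting (fail2ban or an equivalent), with the detector kept as the check that they hold.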
#12 Pen-Testing of a Fake Brand Detection Portal
Industry: Branding & Marketing
Type of Project: Mobile Application VA
Platform: Android
Time Duration: 15 Days

Scenario
The client's proprietary methodology guides users in locating and verifying
anti-counterfeit features in genuine branded products, helping them detect and
reject fakes. The client approached us to perform a tool-based VA of the provided APK.

Testing methodology
The aim of the exercise was a tool-based VA only, so the outcome was a list of
possible issues that could lead to damage to users and their data.

Risk Found
- Unnecessary permissions granted, leading to potential data loss
- Sensitive information leakage revealing API keys
- Buffer overflow, leading to remote access and application crash
- Raw SQL queries present in the application, enough to reveal the database structure
#13 IT Audit of a Limited Company Network Dealing with a Nationalised Bank
Industry: Online Platform
Type of Project: IT Audit
Platform: Infrastructure, IT resources, physical security
Time Duration: 1 Month

Scenario
The organisation approached us with an urgent requirement for an infrastructure
audit. The audit covered IT resources, infrastructure resources, and security
equipment and appliances.

Testing methodology
The audit was performed across network resources, security appliances, data
security, end-points and all the major aspects that fall under an IT audit.

Risk Found
- Disaster recovery set-up was absent
- Remote Desktop service was enabled
- The network was open to certain vulnerabilities
#14 VA-PT of an International Survey and Feedback Portal
Industry: IT Forum
Type of Project: Web VAPT
Platform: PHP, Apache, Ubuntu
Time Duration: 1-1.5 Months

Scenario
The client approached us to perform a full VAPT of the target, including a full port
scan and exploitation. The exercise ended with multiple issues, later divided into
high, medium and low severity based on impact. The test environment was provided by
the client.

Testing methodology
As we were free to test all aspects and it was a test environment, we used multiple
automated tools during the initial information gathering phase, then used the
filtered information to map the provided scope, which supported detailed exploitation
using both automated and manual approaches.

Risk Found
- Server-side file upload
- XSS leading to cookie theft
- Mishandled authentication
- Poor encryption
- Session exploitation
- Improper HTTP method handling

Business Risk
A combination of serious vulnerabilities was found in the web server and application
code. Improper implementation of user sessions, cookie management, authentication and
encryption leads to unauthorised takeover of other users' accounts and theft of
sensitive information, which is a breach of users' data privacy. Under GDPR this is
punishable under the law and a possible cause of reputational loss. This was averted.
#15 VA-PT of an ERP Management System
Industry: Education (Ed-Tech)
Type of Project: Web VAPT
Platform: PHP, Apache, Ubuntu, MySQL
Time Duration: 1 Month

Scenario
We were approached by the client to perform a full VAPT of the main domain, hosted in
the live environment, with full permission to demonstrate maximum impact at both
application and server level. The final outcome contained multiple high severity
issues at application and server level, along with medium and low severity issues.

Testing methodology
Even though it was a live environment, we were allowed to test all aspects. We used
multiple automated tools during the initial information gathering phase, then used
the filtered information to map the provided scope, which supported detailed
exploitation using both automated and manual approaches. To increase the impact, we
chained certain attacks to the next level.

Risk Found
- SQL injection, allowing complete data loss and server takeover
- Unrestricted file upload leading to server takeover and sensitive information leakage
- Sensitive information leakage revealing usernames and passwords of all user
  accounts created on the server
- XSS that could affect users through cookie theft
- HTML injection, a potential aid to social engineering
- Directory traversal leading to sensitive information leakage
- Insufficient attack protection in the login and password recovery features, which
  could help an attacker with enumeration
- Improper session management leading to account takeover
- Lack of proper encryption, allowing sensitive data to be captured via a MitM attack
- Absence of secure cookie flags, helping an attacker exploit session-related issues
- Slowloris DoS capable of bringing the server down and making the service
  unavailable to users
- Vulnerable software versions, open to every attack for which an exploit is available
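Several findings repeat across the web cases above (#4, #5, #6, #7, #8, #9, #14, #15): cookies set without Secure/HttpOnly, traffic capturable by a MitM because HSTS is absent, clickjacking because nothing forbids framing, OPTIONS answered with an Allow list, and a Server banner that lets an attacker match public exploits to the version. All of them are visible in a single response's headers, so the following is an added example for this page, not Invesics' tooling, that audits a captured header set offline and prints what a tester would write up. The two responses are constructed, and the 180-day HSTS floor is an illustrative choice.

```python
"""Audit HTTP response headers for the weaknesses these case studies report
(added example; the two responses and the HSTS floor are constructed/illustrative)."""
import re

# Constructed: what a weak WordPress/PHP deployment on Apache might return.
WEAK_RESPONSE = [
    ("Server", "Apache/2.4.18 (Ubuntu)"),
    ("Set-Cookie", "PHPSESSID=3f9c1a; Path=/"),
    ("Set-Cookie", "remember=1; Path=/; Secure"),
    ("Allow", "GET,HEAD,POST,OPTIONS,TRACE"),
    ("Content-Type", "text/html"),
]

# Constructed: the same response after the recommended fixes.
HARDENED_RESPONSE = [
    ("Server", "Apache"),
    ("Set-Cookie", "PHPSESSID=3f9c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute_lowercase: attribute_value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(headers):
    """headers: list of (name, value) pairs as received; Set-Cookie may repeat.
    Returns a list of finding strings, empty when nothing was flagged."""
    findings = []
    lowered = [(n.lower(), v) for n, v in headers]

    def first(name):
        return next((v for n, v in lowered if n == name), None)

    # Session cookies: the "secure flags" the case studies refer to.
    for n, v in lowered:
        if n != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag, sent over plain HTTP where a MitM can read it")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag, readable by an XSS payload")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite not Lax/Strict, usable in cross-site requests")

    # Transport: without HSTS the first request can be downgraded to HTTP.
    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header, HTTPS downgrade possible")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 180 * 24 * 3600:
            findings.append("Strict-Transport-Security max-age below 180 days")

    # Framing: either header stops the page being framed for clickjacking.
    csp = (first("content-security-policy") or "").lower()
    if first("x-frame-options") is None and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors, clickjacking possible")

    # Methods: an Allow header means OPTIONS was answered; TRACE/PUT/DELETE are the risky ones.
    allow = first("allow")
    if allow is not None:
        methods = {meth.strip().upper() for meth in allow.split(",")}
        findings.append(f"OPTIONS answered, server enumerates methods: {', '.join(sorted(methods))}")
        risky = sorted(methods & {"TRACE", "PUT", "DELETE", "CONNECT"})
        if risky:
            findings.append(f"Allow advertises risky methods: {', '.join(risky)}")

    # Banner: a version string lets an attacker match public exploits to the server.
    server = first("server")
    if server and re.search(r"\d", server):
        findings.append(f"Server header discloses version: {server}")
    return findings


if __name__ == "__main__":
    for line in audit_response(WEAK_RESPONSE):
        print("-", line)
    print("hardened:", audit_response(HARDENED_RESPONSE) or "no findings")
```

The function takes the raw header pairs so it can be fed from `curl -sI`, a Burp export or a `http.client` response's `getheaders()`; it deliberately does not fetch anything itself, which keeps it usable against a live client environment where only passive checks are allowed.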
#16 Network VA for a Limited IT Company
Industry: IT
Type of Project: Network VA
Platform: Windows-based desktops and servers
Time Duration: 15 Days

Scenario
The organisation contracted us to identify potential issues in multiple in-scope
machines. The client specified VA only for this project, as the exercise had to be
performed during the organisation's ongoing work without disturbing the current
workflow. The real challenge was conducting the exercise remotely because of the
COVID-19 pandemic; it nevertheless succeeded with a good outcome.

Testing methodology
For the VA, the client provided remote access through their public-facing VPN. We
scanned all in-scope machines for open ports and identified potential weaknesses
that could lead to system compromise and data loss.

Risk Found
- Vulnerable phpMyAdmin installation, open to publicly available exploits
- Vulnerable to DoS
- Unnecessary open ports, allowing an attacker to identify the attack surface

Business Risk
The network audit showed that the entire network was vulnerable to DoS attack, which
could lead to a complete breakdown of the infrastructure and hence the business.
Further, the open ports are easily exploitable, leading to theft of sensitive
information from the network. This could result in an extreme business loss for a
listed company with a market cap of approx. INR 150 Cr. This was averted.
#17 System Hardening for a Listed Software Company
Industry: IT Software
Type of Project: System Hardening
Platform: Windows-based desktops and servers
Time Duration: 15 Days

Scenario
The organisation contracted us to conduct a hardening exercise to make their
environment more secure. The client assigned certain machines for hardening and
asked for a checklist of the end results. As the exercise was performed remotely due
to the COVID-19 pandemic, we completed the assignment over VPN connectivity.

Testing methodology
Hardening is the process of reducing the attack surface. We logged into the in-scope
machines and manually checked open ports, policies, installed applications, the
firewall and more, to cover all aspects of hardening.

Risk Found
- Outdated applications, easy to exploit with publicly available exploits and able to
  lead to system takeover
- OS missing security patches and updates, leaving the systems vulnerable to complete
  takeover
- Weak group policy configuration, helping an attacker identify the attack surface:
  open ports, system information and user enumeration