Invesics Security Case Studies

Mar 27, 2023

Page 1: Invesics Security Case Studies

End-to-end Cyber Security Solutions,

with world's leading Cyber Security Experts

www.invesics.com

Web Application Security
Mobile Application Security
Network Security
IoT Security
SCADA Security

Based in Gujarat, India, Invesics is home to some of the brightest minds from the cyber security domain, from across the country. Since our inception, we've catered to hundreds of clients across the globe and have helped strengthen their platforms and business environment against cyber-crime and hackers.

We are empowered by a passionate and diligent team of Ethical Hackers with certifications from the EC Council, OPSEC and the 210W-01 to 210W-10 Cyber Security for Industrial Control System series.

Together we work as a team of cyber security consultants that is focused on

Along with a holistic focus on helping you make businesses more secure.

Why businesses prefer us?

Detailed Understanding: In addition to securing your online business, we also give you a thorough and detailed understanding of all the processes at every step of the way.

Accurate Milestones: Our process states well-mapped milestones and deliverables, such that it occupies the least amount of your attention and does not hamper your day-to-day business functions.

Best-in-town Efficiency: With our cumulative experience and knowledge, we are amongst the world's leading cyber security experts.

Seamless Support: The completion of our project is the beginning of a value-driven relationship. For any query or support related to your business's cyber security, we will always be available.

INDEX

PAGE  CASE
1     Server and Firewall Security Review of a Wellness Product
3     VA-PT of a Wellness Product
5     Pen-Testing of a Giant Software listing Portal
7     VA-PT of a Magento based application having Magento extension purchases
8     Pen-Testing of an International VOIP Service provider Portal
10    Pen-Testing of Automobile accessory designing Portal
12    Pen-Testing of Automobile accessory E-Commerce Portal
14    Periodic Security Re-Assessment for newly added modules of a wellness product
16    VA-PT of Educational ERP management System
19    VA-PT of HR Management Software
21    Finding Security loopholes from Cloud Infrastructure and logs
22    Pen-Testing of Fake Brand Detection Portal
23    IT Audit of a Limited Company Network which deals with Nationalized Bank
24    VA-PT of International Survey and Feedback Portal
26    VA-PT of ERP management System
28    Network VA for Limited IT Company
30    System Hardening for a listed Software Company

Case #1: Server and Firewall Security Review of a Wellness Product (Page 1)

Type of Project: Server + Firewall Review
Platform: Linux-xenial-x64
Industry: Health Care Solutions
Time Duration: 15 Days

Scenario
We were contracted by the company to review the firewall and production server to identify possible weaknesses in configuration.

Testing methodology
A manual approach was applied for reviewing the server and firewall because it was a live environment.

Risk Found
Weak log management
Absence of disaster recovery set-up
SSH found open
Default configuration making the server vulnerable to potential attacks

Business Risk
The client server was found with default configuration; no advanced security configuration had been done as a hardening process. Along with that, we were able to perform an SSH brute-force attack and gain server access in an unauthorised manner. This could lead to access to all product code and the database. If any attacker gains this access, he can completely destroy the production servers, which could lead to a potential brand value loss of 5Cr - that was saved!

Case #2: VA-PT of a Wellness Product (Page 3)

Type of Project: Web VAPT
Platform: Wordpress, MySQL, Apache, Ubuntu
Industry: Health Care Solutions
Time Duration: 1 Month

Scenario
The organization had developed server-side protections yet wanted to look for client-side issues as well. The challenge was to perform client-side attacks that could show maximum impact, as the organization provided a live environment.

Testing methodology
An automated scan was performed to identify the attack surface. A manual approach was chosen for exploitation and for bypassing default client-side protection.

Risk Found
Found XSS which could affect the users by cookie stealing.
Lack of proper encryption results in capturing sensitive data via a MiTM attack.

Business Risk
Due to the mentioned technical risks, any user can gain unauthorised access to another user's account on the application without obtaining their credentials. This leads to a breach of users' data privacy and a breach of GDPR standards. Under GDPR, this is punishable by law and a possible cause of reputational loss for the business.

Case #3: Pen-Testing of a Giant Software listing Portal (Page 5)

Type of Project: Web VAPT of respective product
Platform: PHP, Cloudflare, Ubuntu
Industry: IT
Time Duration: 15 Days

Scenario
A growing platform for discovering top business software and service partners contracted us to perform a full VAPT. The challenge was to perform the VAPT with maximum possible impact.

Testing methodology
An automated scan was performed to identify the attack surface; the scan covered possible server-side and client-side attack vectors. A manual approach was used for identifying false positives and for exploitation.

Risk Found
File upload leading to server manipulation and sensitive information leakage
Privilege Escalation
Weak cookie management combined with Clickjacking, enabling identity theft

Business Risk
The application has one of the most severe vulnerabilities, unrestricted file upload. By exploiting this, an attacker can upload malicious files such as malware or web shells to the production servers and, by accessing them, take unauthorized control of the production servers. Further, weak cookie management and Privilege Escalation were found, due to which an attacker can steal the identity of the product brand and of user accounts and misuse them. This could lead to a potential brand value loss of approx 8Cr - that was saved.

Case #4: VA-PT of a Magento based application having Magento extension purchases (Page 7)

Type of Project: Web VAPT
Platform: Wordpress, MySQL, Magento
Industry: Application Development
Time Duration: 1 Month

Scenario
A web application built with Wordpress was presented with limited scope; however, a full port scan was allowed in the test environment. The exercise resulted in high, medium and low severity issues.

Testing methodology
As the scope was limited to the web app, an automated scan was performed within the provided scope, while exploitation was done manually. For the web server, port status was checked with automated tools and exploitation was performed manually.

Risk Found
Session mis-management and account hijacking
Poor encryption leading to MITM attack
Session exploitation
Improper usage of HTTP methods allowed unnecessary communication with the server
Excessive information disclosure using Clickjacking

Case #5: Pen-Testing of an International VOIP Service provider Portal (Page 8)

Type of Project: Web, Mobile Application VAPT
Platform: NodeJS, Angular, MySQL
Industry: Telecommunications
Time Duration: 1 Month

Scenario
The company provides an on-demand VoIP service with multiple users. The challenge was to perform black-box testing with a manual approach for sub-domains only.

Testing methodology
The environment was live, so everything except basic scanning was done manually. The exploitation was performed in such a manner that it would not affect live users.

Risk Found
Lack of proper encryption results in capturing sensitive data via a MiTM attack.
Absence of secure flags helps an attacker in exploiting session-related issues.
HTTP OPTIONS method enabled allows an attacker to identify the communication options of the server.
Clickjacking could play a role in social engineering.

Business Risk
Improper cookie management and Privilege Escalation were found, due to which an attacker can steal the identity of the product brand and also of user accounts and misuse them. Getting unauthorised access to other users' data on the application is a breach of users' data privacy and leads to a breach of the GDPR standard. Under GDPR, this is punishable by law and a possible cause of reputational loss for the business - that was saved.

Case #6: Pen-Testing of Automobile accessory designing Portal (Page 10)

Type of Project: Web VAPT of respective product
Platform: Magento, PHP, MySQL, Apache, Ubuntu
Industry: Automobile
Time Duration: 1 Month

Scenario
We were contacted by the company to perform a web VAPT. As it was a live environment, we were not allowed to perform DoS attacks and the scope was limited. Still, the exercise resulted in high, medium and low severity issues.

Testing methodology
The provided environment was live and a black-box methodology was applied. We performed an automated scan with low intensity to avoid any harm to the live environment and its users. A manual approach was chosen for exploitation.

Risk Found
Outdated web server version, easily exploitable using publicly available exploits.
Unrestricted file upload leads to server takeover and sensitive information leakage.
Directory Traversal potentially leads to sensitive information exposure.
Improper session management leads to account takeover.
Lack of proper encryption results in capturing sensitive data via a MiTM attack.
Absence of secure flags helps an attacker in exploiting session-related issues.
HTTP OPTIONS method enabled allows an attacker to identify the communication options of the server.
Clickjacking could play a role in social engineering.

Business Risk
A combination of serious vulnerabilities was found in the web server and application code. The web server was outdated and hence open to exploitation via publicly available exploits. Once server access was taken, we found directory traversal and unrestricted file upload, using which we were able to gain unauthorized access to approximately "Yearly 3M$ worth automobile part films" - that was saved.

Case #7: Pen-Testing of Automobile accessory E-Commerce Portal (Page 12)

Type of Project: Web VAPT of respective product
Platform: Apache Tomcat, JSP, MySQL
Industry: Automobile
Time Duration: 1 Month

Scenario
The organization contacted us to perform a full VAPT with maximum impact, as we were allowed to test all possible aspects. The entire exercise ended up with high, medium and low severity issues, which were fixed later as per the provided recommendations.

Testing methodology
Complete grey-box testing using tools and a manual exploitation methodology.

Risk Found
Outdated web server version, easily exploitable using publicly available exploits.
Unrestricted file upload leads to server takeover and sensitive information leakage.
Directory Traversal potentially leads to sensitive information exposure.
Improper session management leads to account takeover.
Lack of proper encryption results in capturing sensitive data via a MiTM attack.
Absence of secure flags helps an attacker in exploiting session-related issues.
HTTP OPTIONS method enabled allows an attacker to identify the communication options of the server.

Case #8: Periodic Security Re-Assessment for newly added modules of a wellness product (Page 14)

Type of Project: Web VAPT
Platform: PHP, MySQL, Apache, Ubuntu
Industry: Health Care Solutions
Time Duration: 1 Month

Scenario
The client had a live application with frequently updated features, which required periodic security testing due to the continuous changes.

Testing methodology
The entire exercise was done manually. The in-scope URLs were scanned passively, as active scanning could reduce performance and affect active users. Necessary precautions were taken during the exploitation phase.

Risk Found
File upload leading to server manipulation and sensitive information leakage
Poor encryption leading to MITM attack
Absence of secure flags helps an attacker in exploiting session-related issues

Business Risk
As part of the periodic security review, we found an unrestricted file upload vulnerability. We were also able to intercept users' data (Man in the Middle attack), which leads to a breach of users' data privacy. Under GDPR, this is punishable by law and a possible cause of reputational loss for the business - that was saved.

Case #9: VA-PT of Educational ERP management System (Page 16)

Type of Project: Web VAPT
Platform: Web VAPT, Mobile VAPT (Android-iOS), API VAPT
Industry: (Ed-Tech) Education
Time Duration: 1-1.5 Months

Scenario
A growing platform offering a school ERP system contracted us to perform a full VAPT, as the system has to handle thousands of users. The client also allowed us to perform a web server VAPT for potential issues. The ERP had 60+ plug-and-play modules with lakhs of live users and hundreds of clients active on it. The challenge was to perform penetration testing on a live server with code being updated on a daily basis.

Testing methodology
A gray-box approach was applied, as an initial demo was provided by the client. The scanning part was covered with automated tools, and the information was used to identify false positives. The filtered information was then used for manual exploitation, to avoid any consequences. For the web server, scanning and exploitation were performed in automated and manual manner respectively. The outcome of the entire exercise was categorized into high, medium and low severity issues. The primary tests included penetration testing of the web application, server and network. As the system was on a production server handling 3000+ daily transactions, penetration testing was conducted taking care that the system must not go down during the day. The ERP had online payment integration with multiple gateways. The test had to cover combinations of dynamically generated multiple user types across 60+ modules with a dynamic rights-based access mechanism at view level and data level.

Risk Found
Logical security error in the payment gateway integration which enables payment fraud: by paying 11 bucks, parents could pay thousands of bucks of fees for their student.
Improper session management leads to account takeover.
Lack of proper encryption results in capturing sensitive data via a MiTM attack.
Absence of secure flags helps an attacker in exploiting session-related issues.
HTTP OPTIONS method was enabled, providing information on the methods available to talk to the server.
The server was vulnerable to the Sweet32 attack.
The server was also vulnerable to the CRIME attack.

Business Risk
A combination of severe vulnerabilities was found in the educational ERP, the major one in the payment gateway integration used to take online fees from students and handle school accounting automatically. We were able to process a successful transaction of some thousand rupees of fees in the ERP by actually paying just 1 rupee. The payment gateway was itself PCI-DSS certified, but the integration done by the ERP developer was vulnerable. This could lead to actual loss of school fee payments of an approximate valuation of 7 Million USD (50Cr) in transactions. The ERP was also vulnerable to DDoS attack, due to which the live system could be brought down / destroyed, which could lead to possible reputation loss of the brand's current valuation of 10Cr - that was saved.

Case #10: VA-PT of HR Management Software (Page 19)

Type of Project: Web VAPT of respective product
Platform: Magento, PHP, MySQL, Apache, Ubuntu
Industry: Human Resources
Time Duration: 20-30 Days

Scenario
The client contracted us to perform a web VAPT for the provided URLs only. As the product was an HR management system, it became necessary to look at information leakage issues and authentication issues as well. Moreover, the payment gateway was included, so the VAPT was performed in the live environment. Another challenge was that port scanning was limited to certain ports provided by the client only.

Testing methodology
The VAPT was done with a gray-box approach. Automated tools were used for scanning, limited to the provided scope only; for the payment gateway, passive scanning was used. The exploitation part was carried out manually, keeping active users in mind.

Risk Found
Broken Authentication and improper session management potentially lead to account takeover
Open redirection affecting clients by redirecting them to a malicious site.
Sensitive information leakage revealing system information which shouldn't be exposed.
Payment gateway manipulation affecting payments and end users.
Injection flaws with the impact of potential data leakage

Business Risk
Improper session management was present, which leads to other users' accounts being taken over in an unauthorized manner and hence to a breach of users' data privacy. Further, along with other vulnerabilities, manipulation of payment gateway requests leads to full payment success with an actual transaction of just 1 rupee. This leads to a possible loss of payment transactions worth INR 3-4 Cr along with customer data, which can lead to a breach of the GDPR standard and reputation loss for the business - that was saved.
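The payment gateway findings in cases #9 and #10 (a 1-rupee transaction clearing a full fee) arise when the application trusts the amount reported back from checkout instead of the amount it recorded when the fee order was created. The following is an added illustration, not Invesics' or any client's code; the ledger, the callback fields, the HMAC signing scheme and all names are constructed assumptions. It contrasts the trusting handler with one that verifies the signature, the amount and currency against the server-side ledger, and replay, which is the check a PCI-DSS certified gateway cannot do on the integrator's behalf.

```python
import copy
import hashlib
import hmac

# Constructed shared secret between the ERP and the gateway (placeholder, not a real key).
GATEWAY_SECRET = b"demo-gateway-secret"

# Constructed fee ledger: the amount due is fixed server-side when the fee order is created.
# Amounts are in paise (INR * 100); 4_500_000 paise = INR 45,000.
FEE_ORDERS = {
    "FEE-2023-001": {"amount_paise": 4_500_000, "currency": "INR", "status": "PENDING"},
}


def fresh_orders():
    """Return an independent copy of the ledger so each scenario starts clean."""
    return copy.deepcopy(FEE_ORDERS)


def sign_fields(fields, secret=GATEWAY_SECRET):
    """HMAC-SHA256 over a canonical 'key=value|...' string, the usual shape of a
    gateway response signature (constructed model, not any real gateway's scheme)."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def gateway_callback(order_id, amount_paise, status="SUCCESS", currency="INR"):
    """Model of the gateway's server-to-server callback. The gateway signs exactly the
    amount it actually charged, so a tampered checkout amount yields a *valid* signature."""
    fields = {"order_id": order_id, "amount": str(amount_paise),
              "currency": currency, "status": status, "txn_id": "TXN-CONSTRUCTED-1"}
    fields["signature"] = sign_fields(fields)
    return fields


def vulnerable_confirm(orders, cb):
    """Integration pattern behind the finding: the ERP only checks that the gateway said
    SUCCESS and records whatever amount came back, never comparing it to the fee due."""
    order = orders[cb["order_id"]]
    if cb["status"] != "SUCCESS":
        return False
    order["status"] = "PAID"
    order["paid_paise"] = int(cb["amount"])  # 100 paise (1 rupee) clears a 45,000 rupee fee
    return True


def hardened_confirm(orders, cb, secret=GATEWAY_SECRET):
    """Server-side verification: integrity, then amount/currency against the ledger, then
    idempotency. Returns (accepted, reason) so callers can log the rejection cause."""
    order = orders.get(cb.get("order_id"))
    if order is None:
        return False, "unknown order"
    # 1. Integrity: recompute the signature over every field except the signature itself.
    unsigned = {k: v for k, v in cb.items() if k != "signature"}
    if not hmac.compare_digest(sign_fields(unsigned, secret), cb.get("signature", "")):
        return False, "bad signature"
    if cb.get("status") != "SUCCESS":
        return False, "not successful"
    # 2. The amount and currency must equal what the ERP recorded, not what the client sent.
    if cb.get("currency") != order["currency"] or int(cb["amount"]) != order["amount_paise"]:
        return False, "amount mismatch"
    # 3. Idempotency: a replayed callback must not re-credit the fee.
    if order["status"] == "PAID":
        return False, "already paid"
    order["status"] = "PAID"
    order["paid_paise"] = int(cb["amount"])
    return True, "ok"


def demo():
    """Run the 1-rupee scenario through both handlers; returns (vulnerable_accepted, hardened_reason)."""
    one_rupee = gateway_callback("FEE-2023-001", 100)  # checkout amount tampered to 100 paise
    accepted = vulnerable_confirm(fresh_orders(), one_rupee)
    ok, reason = hardened_confirm(fresh_orders(), one_rupee)
    return accepted, reason


if __name__ == "__main__":
    print(demo())  # (True, 'amount mismatch')
```

The same mismatch check belongs on whichever server-side path marks a fee as paid, including any redirect-based confirmation, since the signed callback only proves what the gateway charged, not that it was the right amount.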

Case #11: Finding Security loopholes from Cloud Infrastructure and logs (Page 21)

Type of Project: DevOps, DevSecOps
Platform: Kibana, AWS
Industry: (Ed-Tech) Education
Time Duration: Periodic reporting

Scenario
The client approached us for DevSecOps-oriented work, where we had to look into the log management system and provide periodic reports based on log analysis.

Testing methodology
SIEM tools were used to detect suspicious logs from the infrastructure. We also helped the client to set up a secure network on the cloud.

Risk Found
Sorted web URLs based on number of requests.
CPU, disk and memory utilization metrics were reported to keep an eye on possible issues.
Some security breach logs were found, which were reported immediately.

Business Risk
Some security breach logs were found which suggested that the customer's VPC had been compromised. While they were taking action to secure the access, their testing environment database got hacked for the same reason. But as we had detected the logs earlier, their production database stayed safe and a business of approx 20Cr valuation got saved.

Case #12: Pen-Testing of Fake Brand Detection Portal (Page 22)

Type of Project: Mobile Application VA
Platform: Android
Industry: Branding & Marketing
Time Duration: 15 Days

Scenario
The client's proprietary methodology guides you to locate and verify anti-counterfeit features in genuine branded products and helps you detect and reject fake products. The client approached us to perform a tool-based VA for the provided APK.

Testing methodology
The aim of the exercise was a tool-based VA only, so the outcome contained a list of possible issues that could lead to potential damage to users and data.

Risk Found
Unnecessary permissions were allowed, leading to potential data loss.
Sensitive information leakage was found, revealing API_Keys.
Buffer overflow found, leading to remote access and application crash.
Raw SQL queries were present, enough to give an idea about the database structure.

Case #13: IT Audit of a Limited Company Network which deals with Nationalized Bank (Page 23)

Type of Project: IT Audit
Platform: Infrastructure, IT resources, Physical security
Industry: Online Platform
Time Duration: 1 Month

Scenario
The organization approached us to fulfil an urgent requirement for an infrastructure audit. The infrastructure audit was performed covering IT resources, infrastructure resources, and security equipment and appliances.

Testing methodology
The audit was performed for network resources, security appliances, data security, end-points and all the major aspects which come under an IT audit.

Risk Found
Disaster recovery setup was absent.
Remote Desktop service was enabled.
Network was open to certain vulnerabilities.

Case #14: VA-PT of International Survey and Feedback Portal (Page 24)

Type of Project: Web VAPT
Platform: PHP, Apache, Ubuntu
Industry: IT Forum
Time Duration: 1 - 1.5 Months

Scenario
The client approached us to perform a full VAPT of the target, which also included a full port scan and exploitation. The exercise ended with multiple issues, later divided into high, medium and low severity based on impact. The test environment was provided by the client.

Testing methodology
As we were open to test all aspects and it was a test environment, we used multiple automated tools during the initial information gathering phase. The filtered information was then used to map the provided scope, which helped us with detailed exploitation performed with automated and manual approaches.

Risk Found
Server-side file upload
XSS attack leading to cookie stealing
Authentication mishandled
Poor encryption
Session exploitation
Improper method handling

Business Risk
A combination of serious vulnerabilities was found in the web server and application code. Improper implementation of user sessions, cookie management, authentication and encryption leads to account takeover of other users in an unauthorized manner and to sensitive information stealing. This becomes the reason for a breach of users' data privacy. Under GDPR, this is punishable by law and a possible cause of reputational loss - that was saved.

Case #15: VA-PT of ERP management System (Page 26)

Type of Project: Web VAPT
Platform: PHP, Apache, Ubuntu, MySQL
Industry: (Ed-Tech) Education
Time Duration: 1 Month

Scenario
We were approached by the client to perform a full VAPT of the main domain, hosted in a live environment, with full permission to demonstrate maximum impact at application level as well as server level. The final outcome contained multiple high severity issues at both application and server level; medium and low severity issues were there as well.

Testing methodology
Even though it was a live environment, we were allowed to test all aspects. We used multiple automated tools during the initial information gathering phase. The filtered information was then used to map the provided scope, which helped us with detailed exploitation performed with automated and manual approaches. To increase the impact, we took certain attacks to the next level as well.

Risk Found
SQLi responsible for complete data loss and server takeover.
Unrestricted file upload leads to server takeover and sensitive information leakage.
Sensitive information leakage revealing usernames and passwords of all the user accounts created on the server.
Found XSS which could affect the users by cookie stealing.
HTMLi, a potential helping hand in social engineering.
Directory Traversal leads to sensitive information leakage.
Insufficient attack protection in the login and password recovery features, which could help an attacker in enumeration.
Improper session management leads to account takeover.
Lack of proper encryption results in capturing sensitive data via a MiTM attack.
Absence of secure flags helps an attacker in exploiting session-related issues.
Slowloris DoS capable of bringing the server down and making the service unavailable to users.
Vulnerable software version open to all the attacks present with the respective exploits.

Case #16: Network VA for Limited IT Company (Page 28)

Type of Project: Network VA
Platform: Windows based desktops and servers
Industry: IT
Time Duration: 15 Days

Scenario
The organization contracted us to identify potential issues in the multiple in-scope machines. The client strictly specified VA only during this project, as we had to perform the exercise during the organization's ongoing work to avoid any disturbance to the current workflow. The real challenge was conducting this exercise remotely because of the COVID-19 pandemic, though we still succeeded with a good outcome.

Testing methodology
For performing the VA, the client provided their public-facing VPN for remote access. We scanned all the in-scope machines for open ports and identified potential weaknesses which could lead to system compromise and potential data loss.

Risk Found
Vulnerable phpMyAdmin application open to publicly available exploits
Vulnerable to DoS
Unnecessary open ports allowing an attacker to identify the potential attack surface.

Business Risk
The network audit showed that the entire network was vulnerable to DoS attack, which could lead to complete breakdown of the infrastructure and hence the business. Further, open ports are easily exploitable, which leads to sensitive information being stolen from the network. This could result in extreme possible business loss for a limited company of approx 150Cr market cap - that was saved.

Case #17: System Hardening for a listed Software Company (Page 30)

Type of Project: System Hardening
Platform: Windows based desktops and servers
Industry: IT Software
Time Duration: 15 Days

Scenario
The organization contracted us to conduct a hardening exercise to make their environment more secure. The client assigned us certain machines for hardening and asked us to prepare a checklist containing the end results. As the exercise was performed remotely due to the COVID-19 pandemic, we completed the assignment using VPN connectivity.

Testing methodology
Hardening is the process of reducing the attack surface. We logged into the in-scope machines and manually checked open ports, policies, installed applications, firewall and much more, covering all aspects of hardening.

Risk Found
Outdated applications found, easy to exploit with publicly available exploits, which could lead to system takeover.
OS with missing security patches and updates, making the system vulnerable to complete takeover.
Low-level group policy configuration prone to help an attacker identify the attack surface, including open ports, system information and user enumeration.

www.invesics.com

Schedule a free consultation call today