Periodic Security Re-Assessment for newly added modules of a wellness product - Cyber Security Case

Scenario

The client ran a live production application with frequently updated features, which required periodic security testing because of the continuous changes.

Testing methodology

The entire exercise was done manually. The in-scope URLs were scanned passively, since active scanning could reduce performance and affect live users. Necessary precautions were taken during the exploitation phase.

Risk Found

File upload leading to server manipulation and sensitive information leakage. Poor encryption leading to a man-in-the-middle (MITM) attack. Absence of secure flags, which makes session-related issues easier for an attacker to exploit.
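The following is an added example, not code from the original case study or from the client's application. It shows the two defensive checks a tester would expect to see in place for the finding classes listed above: an upload validator that rejects files by size, extension allowlist and content magic bytes and never reuses the client-supplied filename, and a response-header audit that reports session cookies missing the Secure, HttpOnly and SameSite attributes and responses missing Strict-Transport-Security. The allowed types, size limit and required cookie attributes are an assumed policy, and the sample headers are constructed for the example.

```python
"""Added example: defensive checks for unrestricted file upload and missing
secure cookie flags. Policy values and sample inputs are assumptions."""
from __future__ import annotations

import hashlib
import os

# Assumed upload policy: allowed extension -> accepted magic-byte prefixes.
ALLOWED_UPLOADS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed 5 MiB limit

# Assumed cookie policy: attributes every session cookie must carry.
REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, stored_name_or_reason).

    Rejects oversize files, extensions outside the allowlist and content whose
    magic bytes do not match the declared extension. On success the stored
    name is derived from the content hash, so path components, double
    extensions or odd characters in the client's filename never reach disk.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_UPLOADS:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_UPLOADS[ext]):
        return False, "content does not match declared type"
    stored = hashlib.sha256(data).hexdigest()[:16] + ext
    return True, stored


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the required attributes missing from one Set-Cookie value."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in header_value.split(";")[1:]
    }
    return [flag for flag in REQUIRED_COOKIE_FLAGS if flag.lower() not in attrs]


def audit_response_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Report transport and cookie hardening gaps in a list of response headers."""
    findings = []
    names = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
        for flag in audit_set_cookie(value):
            findings.append(f"cookie {cookie!r} missing {flag}")
    return findings


# Constructed sample responses: one weak, one hardened.
SAMPLE_WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
SAMPLE_HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    print(validate_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("shell.php", b"<?php echo 1; ?>"))
    print(validate_upload("photo.png", b"<?php echo 1; ?>"))
    for finding in audit_response_headers(SAMPLE_WEAK):
        print("weak:", finding)
    print("hardened:", audit_response_headers(SAMPLE_HARDENED))
```

The header audit is the check a periodic review can run passively against captured responses, which fits the methodology above: it inspects what the server already sends rather than generating extra traffic against live users.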

Business Risk

As part of the periodic security review, we found an unrestricted file upload vulnerability. We were also able to intercept users' data (man-in-the-middle attack), which leads to a breach of users' data privacy. Under GDPR this is punishable by law and a possible cause of reputational loss for the business, which was thereby avoided.