Pen-Testing of an International VOIP Service provider Portal - Cyber Security Case Study

Scenario

As the company provides on-demand VoIP service with multiple users. The challenge was to perform black-box testing with manual approach for subdomains only.

Testing methodology

The environment was live so everything was done manually. Except basic scanning. The exploitation was performed in such a manner so it won't affect the live users.

Risk Found

    Lack of proper encryption results in capturing sensitive data via MiTM attack. Absence of secure flags helps attacker in exploiting session related issues. HTTP OPTION method enabled allows attacker to identify communication options to server. Clickjacking could play role in social engineering

Business Risk

Improper cookie management and privileged Escalation found - due to which an attacker can steal the identity of the product brand and also user accounts and misuse them. Getting unauthorized access of other user's data on the application is the breach of user's data privacy and lead to breach of GDPR standard. Under the law of GDPR Standard, it is punishable by Law and Possible Cause of Reputational loss of the business - that was saved.