Case Study:
Securing a Leading Architectural Firm
Due to the sensitive nature of the offensive security services we provide, we have decided to redact client names from our case studies in the interest of client confidentiality. We hope that this allows us to provide a deeper understanding of the services we offer, the security gaps we identify, and most importantly, the value we can provide to your organisation.
Introduction
Our client, a large architectural development firm, reached out to us to assist them through the final phase of their development process. They were months away from launching a suite of new applications, some customer-facing and some internal. They needed a security provider capable of testing the diverse range of systems and applications to ensure compliance and robust security controls before their launch date. They also wanted a provider that understood the development process and could communicate directly with their in-house development team for the remediation of discovered issues. The engagement took place over the course of two months, with testing performed on web applications, APIs, external networks, and their AWS cloud configuration.
Requirements
Due to the tight deadlines, it was important to scope the applications effectively to ensure all deadlines were met and that the software could go live according to the stringent timeline. During the scoping phase, it was determined that the customer-facing web applications were the priority as they had the largest attack surface and, due to their public nature, would be a likely target for attackers attempting to bypass security controls for personal financial gain. The application also handled large amounts of sensitive information such as customer payment details, addresses, identification documents, and credit applications. This further highlighted the need for robust access controls and protections to mitigate the risks of data theft, as this could cause severe financial and reputational damage.
During the scoping phase, our team liaised heavily with the client's in-house developers to gain insight into the nature of the items in scope, the level of access required, and the tools to be used by testers to meet the objectives.
The determined scope included the following systems:
- Customer-facing web application for browsing architectural assets with associated API.
- Customer-facing project management web application with associated API.
- An external IP range consisting of 22 IPs.
- Bespoke employee-facing web application for managing customer credit accounts and invoices.
- Large cloud infrastructure utilising AWS services.
At the conclusion of the scoping phase, our team were equipped with all the necessary information to allow for focused testing to be performed over the course of the following month, allowing the client time to understand and remediate all discovered issues in a timely manner before the applications went live.
Services Provided
To address the client's security needs, a range of services were provided, including Web Application Penetration Testing, API Penetration Testing, AWS Cloud Configuration Security Review, and External Network Penetration Testing. For each of these services, we adopted our tried and tested methodology, which builds upon industry-recognised frameworks such as the MITRE ATT&CK Framework and The Penetration Testing Execution Standard (PTES).
The overall objective of the penetration testing was to simulate the actions of real-world adversaries in a controlled environment to assess existing security controls and preventative measures. To meet this objective, our team used advanced tools and extensive knowledge of a wide variety of systems to identify areas of weakness that would need to be addressed. For each uncovered issue, a detailed write-up was created with associated evidence and the steps required to recreate the conditions for exploitation. Write-ups focused on the risks posed to the systems’ integrity, confidentiality, and availability, with clear metrics provided for all findings, allowing identified risks to be quickly understood by various stakeholders. Remediation advice and useful resources were also provided for each finding to ensure developers were able to understand all issues and the steps required for them to be remediated effectively.
The configuration review portion of the test was performed on all services in use, which were part of the AWS cloud infrastructure. A combination of semi-automated tools and manual review was used to assess the configuration of each AWS component and highlight areas which posed a potential security risk. Once the misconfigurations were identified, a report was created using the same methodology as used for our penetration testing services, allowing discovered issues to be understood and remediated by the development team.
Key Findings
At the conclusion of testing, our team determined the overall business risk to be high. Vulnerabilities were discovered which could allow malicious actors to undermine the integrity, confidentiality, and availability of the systems in scope. A variety of possible attacks were identified, resulting in outcomes such as privilege escalation, account takeover, phishing, data theft, denial of service, and malware distribution.
Each of the tested systems/applications had unique risks which would need to be addressed before going live. The notable findings for each and their associated security impacts have been outlined below.
Web Application and API Penetration Testing
- Client-Side Template Injection (CSTI) – Untrusted data could be inserted into Angular templates because the application ran an insecure version of Angular. This allowed arbitrary HTML and JavaScript returned by the API to be injected and executed within the browser. This can result in unauthorised actions being performed within the target user’s browser, data theft, and session hijacking.
- Stored Cross-Site Scripting (XSS) – A document upload feature was found to be vulnerable to manipulation, allowing file type validations to be bypassed by modifying file headers during upload. This allowed the embedding of malicious scripts in documents disguised as harmless files. When these altered documents were accessed by other users, the embedded scripts would execute, allowing for unauthorised actions to be performed within the target user’s browser, data theft, and session hijacking.
- NoSQL Injection – An FAQ section of the API exposed MongoDB queries to the front end of the web application. This allowed operator injection, where malicious query operators were inserted into the database queries to manipulate them dynamically, leading to the retrieval of sensitive information. This can result in unauthorised data access, data theft, and potential exposure of critical application data.
- Insecure Access Control – Multiple insecure access control issues were identified in the application. Requests that should have required authentication could be performed without it, and admin requests could be executed from a lower user privilege level. Additionally, Insecure Direct Object Reference (IDOR) vulnerabilities were found, enabling unauthorised users to retrieve and modify data they should not have access to. Overall, this allowed for privilege escalation, compromising the security and integrity of the application and its data.
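The NoSQL finding above turns on one detail: a query parameter the developer expects to be a string arrives as an object carrying MongoDB operators. The following is an added illustration, not the client's code; it builds only the filter object a handler would hand to `collection.find()`, so it runs without a database, and pairs the vulnerable construction with a guard and a hardened version.

```javascript
// Operator injection in an FAQ search endpoint (added illustration, not the
// client's code). Runs with no database: it only builds the filter object that
// a handler would pass to collection.find().

// Express's default query parser turns ?q[$ne]=x into { q: { $ne: 'x' } }, so
// a client can submit an object where the developer expected a string.
function buildFaqFilterUnsafe(q) {
  // Vulnerable: { question: { $ne: null } } matches every FAQ document, and
  // other operators such as $regex let the match be steered further.
  return { question: q };
}

// Walk a parsed request value and return the path of the first key MongoDB
// would interpret as an operator ('$...') or a field path ('a.b'), else null.
// Usable as a request-time guard or over logged request bodies for detection.
function findOperatorKey(value, path = 'q') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findOperatorKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) return `${path}.${k}`;
      const hit = findOperatorKey(v, `${path}.${k}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Hardened: enforce the expected type and size before the value reaches a
// query, so an injected object is rejected rather than spliced into the filter.
function buildFaqFilterSafe(q) {
  if (typeof q !== 'string' || q.length === 0 || q.length > 200) {
    throw new TypeError('q must be a non-empty string of at most 200 chars');
  }
  return { question: q };
}
```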
External Network Penetration Testing
- Unencrypted Network Services – HTTP servers were identified on the external network that did not redirect to HTTPS or have an encrypted counterpart. This allowed data to be transmitted in plaintext over the network, exposing it to potential interception and eavesdropping. This can result in unauthorised access to sensitive information, data manipulation, and potential compromise of user credentials and other confidential data.
- Insecure Storage Buckets – S3 Buckets were identified that permitted file uploads without proper access controls, allowing for malicious content, such as phishing websites and malware, to be uploaded. This can result in the storage and distribution of harmful content, posing risks to users who might interact with these malicious files or websites.
- Password Spraying – Password spraying attacks against the external network allowed for authenticated access to an AWS Redis instance. This allowed Lua scripts to be executed, potentially leading to unauthorised actions, data manipulation, and further exploitation of the system.
- Unpatched Services – Multiple services were found on the external network that were out of date and had known vulnerabilities. These unpatched services were associated with multiple CVEs (Common Vulnerabilities and Exposures), making them susceptible to exploitation. This can result in unauthorised access, data breaches, and potential compromise of the entire network infrastructure under certain conditions.
AWS Cloud Configuration Security Review
- Exposed Sensitive Information – During the AWS configuration review, Lambda functions were identified with hardcoded sensitive information, such as passwords and API keys. This can result in unauthorised access to various services, data breaches, and potential exploitation of the application by attackers who gain access to these credentials.
- Inadequate Identity and Access Management (IAM) Controls – During the AWS configuration review, it was discovered that IAM roles and policies were overly permissive. Several users and roles had full administrative access without proper justification, and some roles lacked multi-factor authentication (MFA). Additionally, IAM policies were not adhering to the principle of least privilege, allowing users to perform actions beyond their requirements. This can result in unauthorised access, potential misuse of resources, and increased risk of security breaches.
- Lack of Network Segmentation – It was found that the network architecture lacked proper segmentation. Critical resources, such as databases and application servers, were located within the same network segment as development environments. This lack of segmentation allowed for unrestricted lateral movement within the network, increasing the risk of unauthorised access and potential compromise of sensitive systems.
- Insecure API – A code review of the internal API routes found that routes exposed to the internet could be accessed by spoofing the source IP address, bypassing the authentication mechanism. This allowed unauthorised users to interact with the API without proper authentication, potentially leading to data leaks, unauthorised actions, and compromise of internal systems.
All discovered issues were written up in depth and compiled into the final technical reports. For each finding, the report presented the following information:
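The IAM finding above (full administrative access without justification, privileged roles without MFA, policies beyond least privilege) is the kind of check that can be automated over policy documents. The following is an added example, not the review team's tooling; the policy it scans is constructed for illustration, and the severity labels and the rule that any wildcard or `iam:` action should carry an `aws:MultiFactorAuthPresent` condition are the example's own assumptions.

```javascript
// Least-privilege review of an IAM policy document (added example, not the
// review team's tooling). The policy below is constructed for illustration.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'AdminEverything', Effect: 'Allow', Action: '*', Resource: '*' },
    { Sid: 'S3Wildcard', Effect: 'Allow', Action: ['s3:*'],
      Resource: 'arn:aws:s3:::example-bucket/*' },
    { Sid: 'ReadOnly', Effect: 'Allow', Action: ['s3:GetObject'],
      Resource: 'arn:aws:s3:::example-bucket/*',
      Condition: { Bool: { 'aws:MultiFactorAuthPresent': 'true' } } },
  ],
};

// IAM lets Statement, Action and Resource be a single value or an array.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True if any condition block references the MFA context key.
function hasMfaCondition(stmt) {
  return Object.values(stmt.Condition || {})
    .some((block) => 'aws:MultiFactorAuthPresent' in block);
}

// Assumption of this example: '*', 'svc:*' and any 'iam:' action are
// privileged enough that the statement should be gated on MFA.
const isPrivileged = (a) => a === '*' || a.endsWith(':*') || a.startsWith('iam:');

// Returns one finding object per breach of least privilege in Allow statements.
function reviewPolicy(policy) {
  const findings = [];
  for (const stmt of asList(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    const sid = stmt.Sid || '(no Sid)';
    const actions = asList(stmt.Action);
    const resources = asList(stmt.Resource);
    const wildcards = actions.filter((a) => a === '*' || a.endsWith(':*'));
    if (actions.includes('*') && resources.includes('*')) {
      findings.push({ sid, severity: 'high',
        issue: 'full administrative access (Action "*" on Resource "*")' });
    } else if (wildcards.length > 0) {
      findings.push({ sid, severity: 'medium',
        issue: `wildcard actions beyond least privilege: ${wildcards.join(', ')}` });
    }
    if (actions.some(isPrivileged) && !hasMfaCondition(stmt)) {
      findings.push({ sid, severity: 'medium',
        issue: 'privileged statement lacks an aws:MultiFactorAuthPresent condition' });
    }
  }
  return findings;
}
```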
- Severity metrics focused on system integrity, confidentiality, and availability.
- Affected scope items.
- Issue description including background information and environment-specific details.
- Sections detailing the impact and likelihood of exploitation.
- Environment-specific remediation steps.
- Supporting resources and documentation.
Delivery & Outcomes
During the final phase of the engagement, reports were delivered to the client for each application/system tested. Over the course of 30 days following report delivery, our team worked closely with the client's in-house developers to answer questions and ensure that all issues could be remediated effectively. The status of all issues was tracked, and complimentary re-testing was performed once the developers had implemented the recommended remediation steps. During this period, the overall risks posed by the applications and systems in scope were significantly reduced to a level at which we were confident to deem the systems ready for public exposure.
This engagement allowed our client to identify and effectively remediate a wide variety of issues which undermined the security of their digital infrastructure. Through thorough testing and comprehensive reporting, our team at Clearfin Security was able to facilitate an efficient remediation process with the client's development team, resulting in a hardened security posture across all scope items. We also believe that the engaging conversations with the developers helped to foster a deeper understanding of security, which will pay dividends during the client’s future software development projects.
Get in Touch
Do you have a similar need for offensive security services? If so, we’d love to talk about the services we have on offer. Our collective expertise allows us to test and identify issues in a diverse range of software and digital systems. Use the following link to book your free no-obligation consultation today.