Testing the boundaries: The story of a voluntary pen-test exercise

Organizations are adopting digital transformation at an unprecedented speed. What could have been considered pioneering actions a few years ago have now become mandatory steps towards securing a foreseeable future for companies worldwide. But in the rush of shifting from traditional processes to new ways of working, the issue of security becomes more important than ever.

One of our clients, let’s call him Client A, reached out to us with a bold, yet specific request. Client A wanted Zitec’s Security Team to test the security of their web infrastructure in a controlled penetration exercise. The company has many applications open to the web. It was essential for them to know of any potential vulnerabilities in the network or the system.

The time allocated for the exercise was limited, making it essential to identify which system was the most vulnerable. Client A presented us with their most vital systems and how they work together. We had a meeting to scope out the existing network resources like domains, addresses, etc. We then briefed the client on the exact systems, applications and IP ranges that would be subject to testing and selected our main targets.

Our team decided to attack the administrative portal, the application that manages the information stored and displayed on the client’s main web page, our second target. We had our work cut out for us.

Before starting the penetration attempt of any public-facing web application, it is required to research the Internet for the presence of the target and collect as much information as possible. This initial step, intuitively called Information Gathering, helped us determine various entry points that could be used to attack our targets.

Once we found the first vulnerability, we simulated an attacker’s mindset and continued our infiltration into Client A’s system. Using a Remote Code execution process, our penetration attempt was eventually successful. We had exposed enough vulnerabilities to put together a detailed report, together with our recommendations.

During our final debriefing meeting with Client A, we discussed our findings and advised on possible solutions. We stayed close during the remediation phase, which was of course appreciated by our client.

Given the extensive nature of this exercise, the detailed story would be difficult to fit in a single blog article. We have prepared a whitepaper that accurately tells the story of the penetration exercise conducted with Client A.

We encourage you to download this whitepaper for free, as it contains valuable details about our findings, insights about general potential vulnerabilities of web apps and lessons learned, there we say the easy way.

Download Your Free Whitepaper
 

We’re always open to discussions about all things security related, so if you have any questions or concerns about you or your organization’s security level, feel free to get in touch at any time.

Leave a Reply

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Share via
Copy link