
Case Study


Consumer Internet

Client Background

With only one and a half years in the sector, the company has amassed an impressive clientele and funding. Through its application (web and mobile), the company provides self-drive car rentals: customers use the app to hire a vehicle of their choice, drive it for as long as they require, and pay for it accordingly.

Business Challenges

  • Preventing the modification, deletion, or misuse of 0.5 million user records.

  • Preventing the program from being reverse engineered and exploited for nefarious purposes.

  • Evaluating the company's IT infrastructure for weaknesses.


  • 0.5 million Downloads

  • Covered approx. 10 cities.

  • 100000 bookings per year.


The company turned to Kratikal's security testing department to identify any technical or logical flaws in their web and mobile applications, as well as their servers, and to get recommendations on how to reduce the risk of those flaws being exploited.


  • The assessment was conducted in a simulated environment.

  • The test was carried out as a black-box assessment.

  • To test the application within its infrastructure, a variety of attacks were performed against the application and database servers.

  • The tests were carried out in compliance with industry best practices, such as the OWASP framework.

Major Findings

  • A car could be rented for any length of time at the lowest feasible price.

  • When booking 'work vehicles,' parameters such as mobile number, start date, end date, and email address can be modified.

  • Transport-layer protection was insufficient to enforce proper SSL/TLS authentication, so the data exchanged with the application and the accompanying session IDs could be exposed and intercepted.

  • It was discovered that the .apk file could easily be reverse engineered to recover its source code, database structure, and mobile architecture.

  • The server was discovered to be vulnerable to a privilege escalation exploit, which could allow an attacker to gain root access.


  • By tampering with the billing amount parameters, attackers can book a car for long periods of time while still paying the lowest possible price for the service.

  • Attackers can create multiple fake accounts. This might result in bogus reservations, cancellations, and income loss.

  • The server was at risk because the private keys used to secure the SSH connection would be compromised if the device or mailbox they were linked to was compromised.

  • Because the application is vulnerable to reverse engineering, attackers can inject malicious code (such as various types of malware) into it.


  • Changing the pricing parameter might result in free rides worth USD 61, resulting in a daily loss of USD 6153 or a monthly loss of USD 184k.

  • Their server was discovered to be vulnerable to a privilege escalation attack, allowing the attacker to:
    a) create any file
    b) modify any file
    c) add users
    d) revoke access to any user.

  • With a DoS attack, the attacker could bring their systems down for an unlimited amount of time. This could result in an immeasurable financial loss.

  • The corporation could lose a lot of money, suffer lawsuits, and have their brand image tarnished.


  • Validate parameters on the server, and compare the server's response against the request received from the application.

  • Secure the SSH connection with private-key authentication protected by an additional passphrase.

  • Patch the servers to prevent privilege escalation and automate the patch management procedure.

  • Detailed documentation of the web application vulnerabilities was provided, outlining the problem, its cause, and how to fix it.
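The pricing finding above (a booking could be made for any duration at the lowest price by tampering with the billing amount and contact parameters) and the first recommendation (validate parameters on the server and compare them with what the application should have sent) come down to one design rule: the server recomputes the amount from its own tariff and takes identity fields from the authenticated session, never from the request body. The following is an added illustration, not code from the client's application or from Kratikal; the tariff table, field names and the `Session` object are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime

# Constructed tariff (assumption): hourly rate in USD per car class.
HOURLY_RATE_USD = {"hatchback": 4, "sedan": 6, "suv": 9}
MIN_BILLABLE_HOURS = 1


@dataclass(frozen=True)
class Session:
    """Identity established at login; the server owns these values."""
    user_id: str
    mobile: str
    email: str


def vulnerable_create_booking(session: Session, request: dict) -> dict:
    """'Before' pattern: every field, including the amount, is taken from the
    client request as-is. Changing amount_usd, mobile or email in the request
    changes the stored booking."""
    return {
        "user_id": session.user_id,
        "car_class": request["car_class"],
        "start": request["start"],
        "end": request["end"],
        "mobile": request["mobile"],          # client-controlled
        "email": request["email"],            # client-controlled
        "amount_usd": request["amount_usd"],  # client-controlled price
    }


def quote_usd(car_class: str, start: datetime, end: datetime) -> int:
    """Server-side price: whole billable hours times the class tariff."""
    if car_class not in HOURLY_RATE_USD:
        raise ValueError("unknown car class")
    if end <= start:
        raise ValueError("end must be after start")
    hours = math.ceil((end - start).total_seconds() / 3600)
    hours = max(hours, MIN_BILLABLE_HOURS)
    return hours * HOURLY_RATE_USD[car_class]


def quote_from_iso(car_class: str, start_iso: str, end_iso: str) -> int:
    """Convenience wrapper taking ISO-8601 timestamps as sent by a client."""
    return quote_usd(car_class, datetime.fromisoformat(start_iso),
                     datetime.fromisoformat(end_iso))


def hardened_create_booking(session: Session, request: dict) -> dict:
    """'After' pattern: the server recomputes the amount and copies identity
    fields from the session. A client-sent amount is only compared with the
    server's quote; a mismatch is rejected (and should be logged), because it
    means the client displayed or submitted a price the server never issued."""
    car_class = request.get("car_class")
    start = datetime.fromisoformat(request["start"])
    end = datetime.fromisoformat(request["end"])
    amount = quote_usd(car_class, start, end)

    if "amount_usd" in request and request["amount_usd"] != amount:
        raise ValueError(
            f"price mismatch: client sent {request['amount_usd']}, server quoted {amount}")

    return {
        "user_id": session.user_id,
        "car_class": car_class,
        "start": start.isoformat(),
        "end": end.isoformat(),
        "mobile": session.mobile,   # from the authenticated session, not the request
        "email": session.email,     # likewise
        "amount_usd": amount,       # server-computed
    }


if __name__ == "__main__":
    # Constructed sample: a two-day sedan booking with a tampered amount and contact details.
    sess = Session(user_id="u1", mobile="+10000000000", email="user@example.test")
    tampered = {"car_class": "sedan", "start": "2024-01-01T10:00", "end": "2024-01-03T10:00",
                "mobile": "+19999999999", "email": "other@example.test", "amount_usd": 1}
    print("vulnerable stores:", vulnerable_create_booking(sess, tampered)["amount_usd"])
    try:
        hardened_create_booking(sess, tampered)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The comparison step is what the recommendation describes: the server's own answer (its quote) is checked against what the application submitted, so a tampered amount is detected rather than silently stored. Whether to reject or simply overwrite the client value is a product decision; rejecting plus logging gives the operations team a signal that someone is manipulating requests.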

Kratikal Privacy Commitment

Kratikal is dedicated to safeguarding your company from advanced threats, such as data leakage. For this reason, we do not reveal the names of our case study participants.