SAAS
The company is a SaaS-based solution provider serving over 15000+ businesses across 65+ countries. In less than 7 years it has become the leading cloud communication provider in emerging markets, and has matured into a globally recognized name with over 600 employees.
Assess vulnerabilities present in the application of the company.
Protecting the user data from being misused and made public
Safeguarding the application from being abused to distribute malware.
15000 + Business Users
Operates in around 65+ countries.
Trusted by some of the biggest IT firms of the world
The company approached the security testing department of Kratikal to identify the technical as well as the logical vulnerabilities that may be present in the cloud application they provide as a SaaS to their customers, and to seek recommendations for mitigating the risks that would arise if those vulnerabilities were exploited.
The test has been carried out in a dummy environment
The test was conducted as a black box exercise.
Various hacks were attempted to test their web application.
The tests were conducted in accordance with the best practices available in the industry, such as Open Web Application Security Project (OWASP).
It was discovered that the parameters corresponding to the billed amount of a subscription could be modified such that it could be bought for FREE.
Confidential information about all their customers could be drawn out of their servers.
The SSL mechanism to encrypt confidential information like usernames and passwords was incorrectly configured.
Using the web app, customers' email inboxes and phones could be bombarded with emails/SMS.
Account of the admin user could be hijacked by the attacker
OTP verification over mail or SMS was susceptible to brute force attacks
Since the parameters corresponding to the billing amount can be tampered with, attackers can buy a subscription to the product for FREE.
Using the OTP verification mechanism, attackers could flood the SMS/mail box of the users of the service.
Because of insufficient protection at the transport layer, attackers can sniff the data going to the server from the mobile application and modify it.
An attacker could target their clients with spear-phishing emails and SMShing using the data leaked from their servers.
Usernames and Passwords of the users were leaked from their application.
By modifying the pricing parameter, one could buy their subscription for FREE, resulting in losses of over ₹10 Crores.
Leaking of sensitive information about their clients and users from the application can make them liable for huge fines under various compliance regimes and the local cyber laws of the countries they work in.
Hijacking of the admin accounts of their application could lead to complete loss of service.
Using the application's functionality, an attacker could redirect users to malicious sites and install malware such as ransomware on their systems and networks.
The company could face huge financial losses, potential lawsuits and damage to its brand image.
To deal with the issue of parameter tampering, we suggested to the organization that parameters should be verified at the server, and that the server's response should be matched against the request sent by the application.
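The recommendation above, shown as working code. This is an added example, not the company's application code or Kratikal's deliverable: the plan names, prices and request payloads are constructed for illustration, and the two handlers are hypothetical. The weak handler charges whatever amount the client sends, which is the pattern behind the FREE-subscription finding; the corrected handler takes the price from a server-side catalogue, compares it with the client's figure, and records any mismatch as a tampering signal for the detection team.

```python
"""Server-side price verification: the weak checkout beside the corrected one."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Server-side source of truth for subscription prices (constructed values).
PLAN_CATALOGUE = {
    "basic": Decimal("499.00"),
    "pro": Decimal("1999.00"),
}

# Stand-in for the application's audit log; each entry is one rejected request.
AUDIT_LOG: list[dict] = []


class TamperedRequest(Exception):
    """Raised when the client-supplied amount does not match the server price."""


@dataclass(frozen=True)
class Order:
    plan: str
    amount: Decimal
    status: str


def checkout_vulnerable(payload: dict) -> Order:
    """Weak pattern: the amount to charge is read from the client request.

    Anyone who edits the request body can set the amount to 0 and the
    server will happily record a paid order.
    """
    plan = payload["plan"]
    amount = Decimal(str(payload["amount"]))
    return Order(plan=plan, amount=amount, status="charged")


def checkout_hardened(payload: dict, account: str = "unknown") -> Order:
    """Corrected pattern: the price is looked up server-side only.

    The client's figure is still compared against the catalogue so that a
    mismatch can be rejected and logged, but it never decides what is charged.
    """
    plan = payload.get("plan")
    if plan not in PLAN_CATALOGUE:
        raise ValueError(f"unknown plan: {plan!r}")
    expected = PLAN_CATALOGUE[plan]

    try:
        claimed = Decimal(str(payload.get("amount")))
    except (InvalidOperation, ValueError):
        claimed = None

    if claimed != expected:
        # The mismatch itself is the detection signal: a legitimate client
        # built from the same catalogue never disagrees with the server.
        AUDIT_LOG.append({
            "event": "price_mismatch",
            "account": account,
            "plan": plan,
            "claimed": None if claimed is None else str(claimed),
            "expected": str(expected),
        })
        raise TamperedRequest(
            f"client sent {claimed}, server price for {plan} is {expected}"
        )
    return Order(plan=plan, amount=expected, status="charged")


def audit_events() -> list[dict]:
    """Return the recorded tampering attempts (for dashboards or tests)."""
    return list(AUDIT_LOG)


if __name__ == "__main__":
    tampered = {"plan": "pro", "amount": 0}  # constructed: edited request body
    print("vulnerable handler charged:", checkout_vulnerable(tampered).amount)
    try:
        checkout_hardened(tampered, account="demo-user")
    except TamperedRequest as exc:
        print("hardened handler rejected:", exc)
    print("audit log:", audit_events())
```

The comparison with the client's figure is deliberately kept even though the server no longer uses it: a request whose amount disagrees with the catalogue is almost certainly a tampering attempt, so it is worth alerting on rather than silently overwriting.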
We suggested critical changes in the application’s architecture and authentication mechanism.
We advised the organization on advanced controls and cryptographic techniques (like obfuscation techniques) for database security and server design.
We suggested that they modify their application flows to prevent data loss and account takeovers.
Detailed documentation of the vulnerabilities discovered in the application was provided, explaining the problem, its cause and remediation.
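Two of the findings above, the brute-forceable OTP and the SMS/mail flooding through the OTP endpoint, share one root cause: the verification flow placed no limits on how often a code could be sent or guessed. The following is an added example of the kind of flow change those findings call for; it is not the company's code or Kratikal's deliverable, and the limits, the in-memory stores and the gateway stand-in are constructed for illustration. Codes are generated with `secrets`, compared in constant time, expire after five minutes, are invalidated after five wrong guesses, and at most three codes can be sent to one destination within ten minutes.

```python
"""OTP issue/verify flow with send rate limiting and guess lockout."""
import hmac
import secrets
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300          # a code is only valid for 5 minutes
MAX_VERIFY_ATTEMPTS = 5        # wrong guesses before the code is invalidated
SEND_WINDOW_SECONDS = 600      # rolling window for the per-destination send cap
MAX_SENDS_PER_WINDOW = 3       # codes per destination inside that window


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpService:
    # destination -> live OTP record (constructed in-memory stand-in for a DB)
    _codes: dict = field(default_factory=dict)
    # destination -> timestamps of recent sends
    _send_times: dict = field(default_factory=dict)
    # stand-in for the SMS/mail gateway; records what would have been sent
    delivered: list = field(default_factory=list)

    def send(self, destination: str, now: float) -> bool:
        """Issue a fresh code unless the destination hit its send cap."""
        window_start = now - SEND_WINDOW_SECONDS
        recent = [t for t in self._send_times.get(destination, []) if t > window_start]
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            return False  # flood protection: caller should return a generic response
        recent.append(now)
        self._send_times[destination] = recent

        code = f"{secrets.randbelow(10 ** 6):06d}"  # cryptographically random 6 digits
        self._codes[destination] = OtpRecord(code=code, issued_at=now)
        self.delivered.append((destination, code))
        return True

    def verify(self, destination: str, submitted: str, now: float) -> bool:
        """Check a submitted code; every path that fails leaves no usable code behind
        once the attempt or time budget is spent."""
        rec = self._codes.get(destination)
        if rec is None:
            return False
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self._codes[destination]
            return False
        rec.attempts += 1
        if rec.attempts > MAX_VERIFY_ATTEMPTS:
            # Lockout: the code is burned; the user must request a new one,
            # which is itself subject to the send cap above.
            del self._codes[destination]
            return False
        if hmac.compare_digest(rec.code, submitted):
            del self._codes[destination]  # single use
            return True
        return False


def wrong_code_for(code: str) -> str:
    """Helper for demos/tests: a 6-digit string guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % 10 ** 6:06d}"


if __name__ == "__main__":
    svc = OtpService()
    print("send 1-3:", [svc.send("+910000000000", now=t) for t in (0, 1, 2)])
    print("send 4 (capped):", svc.send("+910000000000", now=3))
    code = svc.delivered[-1][1]
    guesses = [svc.verify("+910000000000", wrong_code_for(code), now=10) for _ in range(5)]
    print("five wrong guesses:", guesses)
    print("correct code after lockout:", svc.verify("+910000000000", code, now=11))
```

The send cap is what closes the flooding finding: the endpoint that triggers an SMS or email is itself the thing an attacker hits in a loop, so the limit has to sit on that endpoint per destination, not only per session. The attempt cap and expiry close the brute-force finding, since a 6-digit code offers only a million possibilities and survives only as long as guessing is bounded.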
Drop us an email and we'll respond as soon as possible
Kratikal is dedicated to safeguarding your company from advanced threats, such as data leakage. For this reason, we do not reveal the names of our case study participants.