Over 10 years we help companies reach their financial and branding goals. Engitech is a values-driven technology agency dedicated.

Gallery

Contacts

411 University St, Seattle, USA

engitech@oceanthemes.net

+1 -800-456-478-23

website penetration testing case
Published:
February 18, 2022
Category:
Web application
Client:
Britenet

Customer

Britenet is a software development and outsourcing company based in Poland that provides quality IT solutions since 2006. The company creates systems that support operational processes in many business areas and hires over 900 employees.

Britenet specializes in the following areas: 

  • Software Outsourcing 
  • Salesforce 
  • Testing 
  • Business Intelligence 
  • Software Development 
  • Mobile Apps 
  • IT Recruitment 
  • Products 
  • System Support and Maintenance 
  • UX 

Challenges

Britenet has a website, which represents the company to its customers and potential customers, but also shares information on case studies, blog articles, and more. Moreover, the website contains a job listing and a recruitment form allowing potential candidates to submit their resumes. 

It was crucial for the company to make sure that the information stored on the website is secure. Additionally, a website takeover would result in severe degradation of a Britenet’s public image and loss of potential customers. 

The goal of the penetration test of the company’s website was to identify vulnerabilities and misconfigurations that could allow potential adversaries to steal sensitive information, deface the website, or block access to the website for visitors. 

Process

  • The customer set up a dedicated testing environment that replicated the production website. This included the content of the website, contact and recruitment forms, API, language versions, and admin panel. 
  • We verified if the testing environment was working correctly as expected by conducting a few functional tests. 
  • A day after we confirmed that the website was ready, we started the execution of the penetration test. 
  • After the pentest was finished, the customer received a detailed report with discovered vulnerabilities, remediation actions, executive summary, and more. 
  • Together with the customer we organized a report walkthrough where we described identified findings, highlighted potential attack scenarios, and ways that different vulnerabilities could be exploited to increase the impact of the attack. 
  • The customer found the report very clean, and instructive and started the process of applying recommendations to fix identified vulnerabilities. 
  • After the customer finished the fixing process, we began a regression test to verify that the recommendations were implemented correctly and did not introduce new vulnerabilities. 
  • The customer received the updated report with the information, which vulnerabilities were correctly fixed, and how we verified that. 

Solution

A black-box penetration test that imitates Internet-based threat actors has been chosen as the best solution for the customer. A penetration test was focused on the content discovery and understanding of custom mechanisms implemented on the website. 

Once we understood the various mechanisms of the website, we began the process of vulnerability discovery and exploitation. 

Avoided damages

Stealing personal information & application source code

Confidentiality
Integrity

Unauthorized modification of the website

DoS attacks disrupting access to the website

Availability

As a result, we identified 9 vulnerabilities that ranged from high severity vulnerabilities to informational findings that don’t pose an immediate risk. 

Britenet fixed vulnerabilities that allow: 

  • Gaining access to the operating system of the application and the database containing the application’s data. 
  • Exfiltrating information related to applicants that submitted their resumes to Britenet. 
  • Stealing source code and configuration files. 
  • Conducting Denial-Of-Service that blocked access to the website so the visitors could not load any page. 
  • Stealing password hashes of employees. 
  • Impersonation of an employee in internal communication. 

“The company Zigrin Security Dawid Czarnecki conscientiously and timely fulfilled its obligations. Its activities were characterized by high professionalism in the approach to the implementation of works. Extensive experience and high qualifications of employees translated into effects that met our expectations.”
– Michał Borny, CEO of Britenet

Is this article helpful to you? Share it with your friends.

Would you like to see how we can secure a similar application in your company?
Our expert will ask you about your application and see if we can help improve its security.

NEED A CONSULTATION?