How we did it
Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities to disclose sensitive information. This information was later reused in an attack against the main application, which gave us access to the payment API on behalf of other customers of our Client.
Black box penetration testing phase
Reconnaissance
A staging environment with an unused version of the merchant application was discovered.
Initial Access
A way to register as a user and obtain access to the application was found.
Enumeration
GraphQL introspection was used to enumerate available functionality.
Exploitation
Filter operator tampering was leveraged to bypass authorisation checks.
Collection
Information about projects, transactions, and APIs was dumped with an ad-hoc script.
Grey box penetration testing phase
Initial Access
Initial access to the live portal was granted under the Rules of Engagement (RoE).
Enumeration
All available API functionality was enumerated.
Exploitation
An IDOR vulnerability was discovered and exploited with internal ID information obtained at the Black box stage.
Impact
The exploitation allowed resetting API keys to obtain access to the payment API on behalf of other users of the application.
Conclusion
This case study demonstrates the necessity of the black box stage and initial reconnaissance. Often enough, the scope is predetermined by the Customer, which rules out discovering an external asset that an attacker can use to compromise critical applications or infrastructure. We at Tenendo always allocate additional time to conduct in-depth information gathering and can help our Customers scope external engagements correctly, optimising security, costs, and project time. If you are interested in Web Penetration Testing in general, please refer to Application Penetration Testing.