How we did it

Tenendo specialists discovered an unattended staging environment and exploited its vulnerabilities to disclose sensitive information. That information was later reused in an attack against the main application, which gave us access to the payment API on behalf of other customers of our Client.

Black box penetration testing phase

Reconnaissance

A staging environment running an unattended copy of the merchant application was discovered.

Initial Access

Self-registration was still available, which provided an authenticated user account on the staging application.

Enumeration

GraphQL introspection (the __schema query) was used to enumerate the available queries, mutations, and their arguments.

Exploitation

Tampering with the operators in client-supplied filter arguments bypassed the authorisation checks: the application scoped results by the filter the client sent rather than by the caller's identity.

Collection

Information about projects, transactions, and APIs, including internal identifiers, was dumped with an ad-hoc script.
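The black box chain above in miniature, as an added example that is not Tenendo's script or the Client's code: a constructed introspection response shows a query with a client-controlled where argument; a simulated resolver applies that filter verbatim, so flipping the operator from _eq to _neq (or widening it with _in or _like) returns other customers' projects and their internal ids; a hardened resolver ANDs the caller's identity in server-side and is unaffected. The operator names, field names and records are all assumptions made for the example.

```python
"""Added example: GraphQL introspection -> filter operator tampering -> collection.
Not the original engagement's code. All schema names, operators and data are
constructed for illustration."""
import fnmatch

# Constructed fragment of an introspection response (__schema.queryType.fields).
INTROSPECTION = {
    "data": {"__schema": {"queryType": {"fields": [
        {"name": "projects",
         "args": [{"name": "where", "type": {"name": "ProjectFilter"}},
                  {"name": "limit", "type": {"name": "Int"}}]},
        {"name": "transactions",
         "args": [{"name": "where", "type": {"name": "TransactionFilter"}}]},
    ]}}}
}

def enumerate_queries(introspection):
    """Enumeration step: map each query name to the names of its arguments."""
    fields = introspection["data"]["__schema"]["queryType"]["fields"]
    return {f["name"]: [a["name"] for a in f["args"]] for f in fields}

# Constructed backing data: three projects belonging to two customers.
PROJECTS = [
    {"id": 101, "ownerId": "cust-A", "name": "shop-a"},
    {"id": 102, "ownerId": "cust-B", "name": "shop-b"},
    {"id": 103, "ownerId": "cust-B", "name": "pos-b"},
]

# Filter operators the simulated GraphQL layer understands (Hasura-style names).
OPERATORS = {
    "_eq": lambda v, arg: v == arg,
    "_neq": lambda v, arg: v != arg,
    "_in": lambda v, arg: v in arg,
    "_like": lambda v, arg: fnmatch.fnmatch(str(v), str(arg).replace("%", "*")),
}

def matches(row, where):
    """Evaluate a where clause such as {"ownerId": {"_eq": "cust-A"}} against a row."""
    for field, cond in where.items():
        for op, arg in cond.items():
            if not OPERATORS[op](row.get(field), arg):
                return False
    return True

def projects_vulnerable(caller, where):
    """The front-end builds the ownership filter; the server applies it as sent.
    'caller' is deliberately unused: that is the authorisation gap."""
    return [p for p in PROJECTS if matches(p, where)]

def projects_hardened(caller, where):
    """Ownership is enforced server-side; the client filter can only narrow."""
    return [p for p in PROJECTS if p["ownerId"] == caller and matches(p, where)]

def dump_ids(rows):
    return sorted(r["id"] for r in rows)

def collect_foreign_projects(me):
    """Collection step: run the tampered query and group foreign ids by owner."""
    out = {}
    for p in projects_vulnerable(me, {"ownerId": {"_neq": me}}):
        out.setdefault(p["ownerId"], []).append(p["id"])
    return out

if __name__ == "__main__":
    print(enumerate_queries(INTROSPECTION))
    me = "cust-A"
    print(dump_ids(projects_vulnerable(me, {"ownerId": {"_eq": me}})))   # what the UI sends
    print(dump_ids(projects_vulnerable(me, {"ownerId": {"_neq": me}})))  # tampered operator
    print(collect_foreign_projects(me))
    print(dump_ids(projects_hardened(me, {"ownerId": {"_neq": me}})))    # hardened: nothing
```

The hardened variant still accepts the client's where clause, so the front-end does not need to change; the only difference is that the tenant condition is appended by the server from the authenticated session and cannot be tampered with from the request.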

Grey box penetration testing phase

Initial Access

Initial access to the live portal was granted under the Rules of Engagement (RoE), as is usual for a grey box test.

Enumeration

All available API functionality was enumerated.

Exploitation

An IDOR (insecure direct object reference) vulnerability was discovered and exploited using the internal IDs collected during the black box stage.

Impact

Exploiting the IDOR allowed resetting other customers' API keys; the newly issued keys then granted access to the payment API on those customers' behalf.
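The grey box chain above, as an added example that is not the Client's code: an API-key reset mutation that looks the project up by a caller-supplied internal id and never checks who owns it, beside a version that does. The internal ids fed to it stand in for the ones collected at the black box stage; the project records, key format and the simulated payment API are assumptions made for the example.

```python
"""Added example: IDOR on an API-key reset mutation, vulnerable and hardened.
Not the original application's code; all state and names are constructed."""
import hmac
import secrets

# Constructed state: internal project id -> owner and current payment API key.
PROJECTS = {
    101: {"ownerId": "cust-A", "apiKey": "ak_live_aaaa"},
    102: {"ownerId": "cust-B", "apiKey": "ak_live_bbbb"},
}

class Forbidden(Exception):
    pass

def _rotate(project):
    """Issue a fresh key; the previous key stops working immediately."""
    project["apiKey"] = "ak_live_" + secrets.token_urlsafe(24)
    return project["apiKey"]

def reset_api_key_vulnerable(caller, project_id):
    """IDOR: the id is trusted as-is, 'caller' is never consulted, so any
    authenticated user can rotate, and read, any project's key."""
    project = PROJECTS[project_id]
    return _rotate(project)

def reset_api_key_hardened(caller, project_id):
    """Ownership is checked before any state change. Unknown and foreign ids
    raise the same error so the response does not reveal which ids exist."""
    project = PROJECTS.get(project_id)
    if project is None or project["ownerId"] != caller:
        raise Forbidden("no such project")
    return _rotate(project)

def payment_api_auth(api_key):
    """Simulated payment API: return the project id a presented key authorises,
    or None. compare_digest keeps the lookup constant-time per key."""
    for pid, p in PROJECTS.items():
        if hmac.compare_digest(p["apiKey"], api_key):
            return pid
    return None

def rejected(caller, project_id):
    """True if the hardened mutation refuses the request."""
    try:
        reset_api_key_hardened(caller, project_id)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    attacker = "cust-A"
    stolen_ids = [102]  # internal ids collected from the staging environment
    for pid in stolen_ids:
        key = reset_api_key_vulnerable(attacker, pid)
        print(pid, "now authorises as project", payment_api_auth(key))
        print("hardened refuses:", rejected(attacker, pid))
```

Note the side effect: because a reset replaces the victim's key, the attack also cuts the legitimate customer off from the payment API until they notice, which is why an ownership check belongs before the mutation rather than on the read path alone.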

Conclusion

This case study demonstrates the necessity of the black box stage and of initial reconnaissance. Often enough, the scope is predetermined by the Customer, which rules out discovering an external asset that an attacker could use to compromise critical applications or infrastructure. We at Tenendo always allocate additional time for in-depth information gathering and can help our Customers scope external engagements correctly, optimising security, cost, and project time. If you are interested in web penetration testing in general, please refer to Application Penetration Testing.