Case studies. Security

Payment processing API penetration testing

Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, that allowed us access to the payment API on behalf of other customers of our Client.

The challenge

Our penetration testing team was tasked with an external penetration test for an undisclosed payment processing company. The test included both black box testing without a predefined scope or any additional information about the company and simulating a maliciously registered customer.

The solution

We were able to achieve complete compromise of the transaction processing API, which allowed us to initiate unsolicited payments on behalf of other registered customers.

How we did it

Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, that allowed us access to the payment API on behalf of other customers of our Client.

Black box penetration testing phase

Reconnaissance

A staging environment with an unused version of the merchant application was discovered.

Initial Access

A way to register as a user and obtain access to the application was found.

Enumeration

GraphQL introspection was used to enumerate available functionality.

Exploitation

Filter operator tampering was leveraged to bypass authorization checks.

Collection

Information about projects, transactions, and APIs was dumped with an ad-hoc script.

Grey box penetration testing phase

Initial Access

Initial access to the live portal was implied by the RoE.

Enumeration

All available API functionality was enumerated.

Exploitation

An IDOR vulnerability was discovered and exploited with internal ID information obtained at the Black box stage.

Impact

The exploitation allowed resetting API keys to obtain access to the payment API on behalf of other users of the application.

Conclusion

This case study demonstrates the necessity of the black box stage and initial reconnaissance. Often enough, the scope is predetermined by the Customer, which eliminates the possibility of discovering an external asset that can be used by an attacker to compromise critical applications or infrastructure. We at Tenendo always allocate additional time to conduct in-depth information gathering and can help our Customers to correctly scope external engagements, optimizing security, costs, and project time. If you are interested in Web Penetration Testing in general, please refer to Application penetration testing.

Your Cyber Resiliency is Our Passion

schedule a call

WHY WORK WITH TENENDO?

Reducing high-severity vulnerabilities’ exposure by up to

97%

Reducing the cost of security testing, audit, and consulting by up to

30%


About security testing:

Post navigation