Bytium, an IT Firm, also provides comprehensive cybersecurity services globally. We had recently engaged with an application developer team for a custom school management application to perform a rapid security assessment. The security assessment was led by Jobyer Ahmed.
Goal: Discover the highest level of security risk as fast as possible.
Context
The application was designed to handle various tasks such as student enrollment, academic records, and staff management. Given the sensitivity of the data it handled, ensuring its security was paramount. Bytium aimed to perform a thorough security assessment to uncover high-to-critical vulnerabilities.
How was our testing approach?
Once we engaged with the developer team, they provided a fresh installation of the application on a virtual private server. To simulate real-world application usage, we had to insert some dummy data into the application. Our goal was to perform the assessment as fast as possible; we had to combine 2 automation tools to speed up the process:
- GoBuster: We used GoBuster to enumerate files and directories using a very small size of the custom word list.
- Burp Suite Professional: This was mainly used to perform semi-auto testing.
- Acunetix Pro: To perform automatic vulnerability scanning.
Our Findings!
Automatic scanning was not useful. Luckily, the Bytium team is skilled and a fan of manual scanning. We did not give up. We performed manual scanning for about 3 hours and found:
- 3 Stored XSS: This kind of vulnerability allows the attacks to run malicious scripts on other users’ browsers who visit the affected page. Stored XSS is more dangerous than Reflected XSS.
- An SQL Injection Flaw: SQL Injection is a critical flaw that allows attackers to execute SQL commands that can lead the attacker to access the main database.
Possible Impact
The XSS and the SQL Injection flaw posed a serious risk for this application’s users. The stored XSS was more dangerous for this application. Even in some cases, the payload was completely hidden. The XSS vulnerability could compromise users’ or even administrators’ data.
The SQL injection flaw could be used to access data stored in the database, including the credentials of the application’s admin users.
Resolution
Our team immediately contacted the application’s development team and sent a detailed report of founded vulnerabilities with actionable recommendations:
- Sanitize inputs
- Use the prepared SQL statement.
- Regular vulnerability assessment as part of the development lifecycle.
Conclusion
The rapid assessment performed by our team highlighted high and critical vulnerabilities that could have implications for data security. The approach by Bytium demonstrated the effectiveness of manual scanning when automated tools fail and the importance of regular security assessment. By discovering security vulnerabilities, the development team can enhance the application’s security to protect its users.
The Good thing should be noted, too
- The development team was responsive.
- A serious interest from their side in enhancing the application.
- They cooperated enough to perform the assessment.
