Need an urgent support?

Call: +1 307 392 4577

Code Review of a Custom Application

Case Studies

by

Bytium, a complete IT solutions company, also provides a comprehensive security review of web applications; recently reviewed the security for a popular Client Relationship Management System made with PHP.

Security Reviewed by: Bytium Cybersecurity team
Application Name: [Hidden for Privacy Reason]
Time Spent: 6 Hours

Context

The CRM application was designed to handle various sensitive tasks like creating estimation, storing customer information, generating invoices, making payments, and other perform other sensitive functionalities. Bytium Team performed a quick security assessment to discover security vulnerabilities in the code with two methods 1. Partial Black box, 2. Code review.

How was our testing approach?

As a team leader, Jobyer engaged with the application’s developer. The application was installed in the local host. Some dummy data was inserted to simulate the application’s usage. We have used the following tools to speed up the process.

  • Burp Suite Professional: This was mainly used to perform semi-auto testing.

Note: Most of the assessment was manually reviewing the application’s source code where user input was accepted.

Our Findings!

We have manually reviewed the application structure and source code for the part of the application where user input was accepted. Found followings:

  • Server-side errors
  • XSS
  • HTML Injection
  • Server-side request forgery
  • Session Issues
  • Missing user-input sanitization

Possible Impact

XSS can be used to execute a malicious script in the user’s browser, whereas attacker can use HTML injection for similar attack like phishing by injecting HTML into a existing page.

Cybercriminals can utilize server-side request forgery for data exfiltration, internal network mapping, or even remote code execution.

As some input point was not sanitized, there was the possibility of being a victim of another type of injection attack. Session issues could have been used to steal the user’s session.

Resolution

Bytium team promptly contacted the application’s development team with the following recommendations:

  • Details of the discovered vulnerabilities
  • Ways to Sanitize Inputs
  • Regular vulnerability assessment as part of the development lifecycle.

Conclusion

Bytium found high-risk vulnerabilities that could affect data security. Their manual scanning approach showed the importance of regular security assessments. Improving the app’s security will help protect its users.

Top Cybersecurity certifications 2024

Previous post

Best cybersecurity training and certifications in 2024

NEXT post

A rapid security assessment of a custom web application

Written by

Bytium Team

Bytium is a global information technology company aim to empower business with hassle-free various IT services including general IT support to advanced cybersecurity services for affordable price.

About Us

Bytium Logo

Bytium is a Managed IT company, formerly registered as Bytium LLC in the USA, offering from essential IT support to advanced cybersecurity services in the USA, UK, and Bangladesh. catering to both individuals and corporations and aiming to empower businesses around the globe.

Services

Managed IT Services

Cybersecurity Services

Cloud Computing Support

Cybersecurity Services in Bangladesh

Important Links

Client Area

Contact Us

Privacy Policy

Cookie Policy

Address

USA

30 N Gould St #26901, Sheridan, WY 82801

Phone: +1 307 392 4577

UK

7 Bedruthan Avenue, Truro, TR1 1RW, UK

Phone: +1 307 392 4577

Bangladesh

Medical East Gate, Rangpur, Bangladesh, 5400

Phone: +88018 3683 0755

© 2024 Bytium LLC. All rights reserved.

Privacy policy | Cookie Policy | Terms & Conditions