HackControl was contacted by the owners of a crypto exchange and asked to carry out a penetration test of their IT resources (the application and the supporting IT systems) for vulnerabilities.
During the penetration test, a number of medium- to high-severity vulnerabilities were identified, including:
IDOR – Insecure Direct Object Reference occurs when a web application uses user-supplied input as a direct reference to an internal object (an account, record or file) without properly verifying, or without verifying at all, that the requester is authorized to access that object.
XSS – Cross-site scripting is a security flaw that takes advantage of dynamically generated web pages. In an XSS attack, a script is injected into content served by a web application and executes when that content is rendered by an unsuspecting user’s browser, or by an application that has not protected itself against cross-site scripting.
CSRF – Cross-Site Request Forgery is a type of malicious attack on an application in which unauthorized commands are transmitted, without the user’s knowledge, from a trusted user’s browser to the application. There are many ways in which a malicious website can transmit such commands: specially crafted image tags, hidden forms, JavaScript requests, etc.
In addition to the above, a number of other minor vulnerabilities were identified.
The main vulnerability that could potentially be exploited by attackers was an IDOR in the password reset system. An attacker could reset the password of any user on the exchange, and have the new password sent to the attacker’s own email address, simply by obtaining the victim’s email address. This vulnerability was found, localized and fixed, which prevented the theft of funds from users who had not set up two-factor authentication (2FA).
In addition, we found a denial-of-service (DoS) vulnerability that allowed an attacker to send a resource-intensive request to the server, causing a system failure and an HTTP 504 error. This vulnerability was out of scope; however, it was reported to the customer along with our recommendations on how to remedy it.
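As an added illustration, not HackControl’s code or the exchange’s, the reset-flow pattern behind this class of finding beside a hardened version: the vulnerable handler lets the client choose both the account and the delivery address, while the hardened one always sends to the registered address, stores only a hash of a short-lived, single-use token, and answers identically for unknown accounts. The user store, mail gateway and request parameters are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: a user store keyed by email and a stand-in mail gateway.
USERS = {"alice@example.com": {"password": "old-secret", "reset": None}}
OUTBOX = []  # list of (recipient, body) tuples


def send_mail(to, body):
    OUTBOX.append((to, body))


def vulnerable_request_reset(account_email, deliver_to):
    """IDOR pattern (hypothetical): the account to reset and the address the new
    password is mailed to are both client-controlled, so knowing a victim's
    email is enough to receive their new password."""
    if account_email not in USERS:
        return False
    new_password = secrets.token_urlsafe(12)
    USERS[account_email]["password"] = new_password
    send_mail(deliver_to, f"your new password: {new_password}")
    return True


def hardened_request_reset(account_email, now=None):
    """Hardened flow: mail only the registered address, store a hash of a
    random token with a 15-minute expiry, and do not reveal account existence."""
    now = time.time() if now is None else now
    user = USERS.get(account_email)
    if user is None:
        return True  # same response as for a known account (no enumeration)
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).hexdigest(), "exp": now + 900}
    send_mail(account_email, f"your reset token: {token}")
    return True


def hardened_complete_reset(account_email, token, new_password, now=None):
    """Accept the token only if it is unexpired, matches the stored hash
    (constant-time compare) and has not been used before."""
    now = time.time() if now is None else now
    user = USERS.get(account_email)
    rec = user.get("reset") if user else None
    if not isinstance(rec, dict) or now > rec["exp"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, rec["hash"]):
        return False
    user["password"] = new_password
    user["reset"] = None  # single use
    return True
```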
The customer’s Apache web server was also fully updated and rebuilt, the front end and back end were optimized, and security headers were added to the web servers.
Because of low confidence in the hosting provider on which the exchange was actually hosted, encryption of all data on the server was implemented and a secure environment was created.
It took two weeks to complete the project and to prepare and present a report with the discovered vulnerabilities and our recommendations on how to fix them.