We see physical security as an elementary part of corporate security. Here, information technology is making inroads alongside traditional physical issues. A modernization of physical security seems overdue.
We are passionate legal burglars and look forward to putting your systems to the test, or to analysing your building plans and installed structural measures with you, step by step, for possible physical access.
Physical Security Walkthrough
In this assessment, we walk through your premises with you and determine both theoretical and practical burglary risks. If desired, non-destructive techniques in particular can be tested together in person during the inspection, giving you direct feedback on how feasible they are to carry out. Which points are analysed together is determined by you based on your own risk assessment, or can be based on the results of previous analyses of the building plans and on theoretical physical attack scenarios that we determine during the project.
Physical Security Penetration Test
In this assessment, the possibility of physical access is tested in practice. The scope is defined in advance. Then the testers determine how they will achieve the set goals based on their experience. In traditional penetration testing, the scope can span from testing the technical weaknesses of the entire physical structure of the company to very specific assessments of individual devices, such as isolation locks.
Test of Video Surveillance, Alarms and Access Control
When you are implementing a new system or introducing these parts of your corporate security into your risk management, you will need an assessment of the risks in these subject areas. With this assessment, we support you in determining the theoretical and practical risks, starting with process flows and going on to the hacking of devices and networks, such as access card systems and alarm systems.
Physical Red Teaming
When it comes to physical access to companies, a balanced interaction between physical security measures, the security awareness of employees, and the detection and reaction options of the security team is essential. With physical red teaming, we coordinate the scope and restrictions with you, create targeted attack plans and carry out attack simulations in which we actively infiltrate your company and test not only the physical security, but also the detection of and reaction to our intrusion attempts.
Energy
Two web applications were tested for a company in the energy sector. The focus was on attack options for internal and external accounts within the web applications.
Several cross-site request forgery (CSRF) vulnerabilities were identified within the web applications during the test. With CSRF attacks, commands can be executed in the context of the victim if the victim clicks on a manipulated link. Here, a CSRF attack could change the account password of both internal and external registered users. If successful, this would result in the victim's account being completely compromised.
To prevent CSRF attacks, it must be impossible to prepare a valid request to the web application in advance. This is usually ensured with a random value that changes with every call and is validated on the server side with every received request.
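The mitigation described above, as an added example that is not code from the tested applications: a fresh random token is issued with every rendered form, bound to the session, and accepted exactly once on the server side. The names `CsrfTokenStore`, `change_password` and the form field `csrf_token` are hypothetical.

```python
import hmac
import secrets
from typing import Optional


class CsrfTokenStore:
    """Per-session, single-use CSRF tokens (hypothetical helper, in-memory only)."""

    def __init__(self) -> None:
        # session_id -> tokens issued to that session and not yet consumed
        self._pending: dict = {}

    def issue(self, session_id: str) -> str:
        """Create an unpredictable token to embed in the form sent to this session."""
        token = secrets.token_urlsafe(32)
        self._pending.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id: str, submitted: Optional[str]) -> bool:
        """Return True only once, and only for a token issued to this session."""
        if not submitted:
            return False
        candidate = submitted.encode("utf-8")
        for token in self._pending.get(session_id, set()):
            # Constant-time comparison; bytes avoid errors on non-ASCII input.
            if hmac.compare_digest(token.encode("utf-8"), candidate):
                self._pending[session_id].discard(token)  # a replay must fail
                return True
        return False


def change_password(store: CsrfTokenStore, session_id: str, form: dict):
    """State-changing handler: the token is checked before anything else happens."""
    if not store.consume(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # The real password update would happen here (omitted, assumption).
    return 200, "password changed"


if __name__ == "__main__":
    store = CsrfTokenStore()
    token = store.issue("session-a")  # constructed session identifier
    print(change_password(store, "session-a", {"new_password": "x"}))
    print(change_password(store, "session-a", {"csrf_token": token}))
    print(change_password(store, "session-a", {"csrf_token": token}))
```

A request prepared in advance by a third party cannot contain a token that was only generated when the victim's own form was rendered, so it is rejected with 403.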
Health
A company in the healthcare sector wanted to subject its internal backup infrastructure to a security check. The goal of this test was to check the configuration of the services and the servers belonging to the backup infrastructure.
During the check, an SNMP endpoint was identified running on port 161/tcp. Additionally, it was possible to use the community string “public” to find out information about account names, the running services and the operating system. The identified operating system version was Microsoft Windows CE version 6.0 (Build 0). This embedded version of the Windows operating system was released in 2006 and has been end-of-life since 2022. An increased risk for this system was identified in connection with other open ports and associated vulnerabilities. Since the system in question was a disk management system, successful attacks could provide access to the company's sensitive data.
It was recommended to shut down services that are no longer in use. During penetration tests, we often find that some endpoints that were in use years ago are no longer being used, but still have the same configuration. If these endpoints are still used, for example to send information about the system to a monitoring application, the service must be secured to prevent third parties from reading the information. We also recommended keeping all systems up-to-date in order to neutralize known vulnerabilities via security patches. In this specific case, the accessibility of the services was additionally restricted at the network level to minimize the risk.
IT Service
We carried out a security recheck for a global corporation, focusing on an application that visualizes complex data structures.
A penetration recheck (or retest) verifies that the security vulnerabilities identified during an initial penetration test have been fixed. After the company has made corrections, the testers check the same areas again and determine whether the previously exploited vulnerabilities are now secure. This recheck ensures that the remediation was effective and that new vulnerabilities were not inadvertently introduced. Rechecks are essential for maintaining security posture and compliance as they confirm that the risk level has been reduced. Without rechecks, unresolved vulnerabilities could persist, leaving systems unprotected and negating the goals and investments of the original security review.
After the initial recheck, the parts of the application that had no vulnerabilities in the previous penetration test were also examined. Several reflected cross-site scripting (XSS) vulnerabilities were identified, which would allow attackers to perform operations in the victim's context if the victim clicked on a manipulated link. To prevent injection vulnerabilities such as XSS, it is recommended to verify all input to the application and to remove special characters.
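The recommendation above, as an added example that is not code from the tested application: a page that reflects a request parameter, first as a vulnerable handler and then hardened by verifying the input against an allow-list and removing special characters. The parameter, the function names and the sample input are constructed; HTML-encoding at output is an extra layer added here beyond the recommendation in the text.

```python
import html
import string

# Characters the hypothetical search parameter is allowed to contain.
ALLOWED_CHARS = set(string.ascii_letters + string.digits + " -_.")
MAX_LEN = 64


def clean_query(raw: str) -> str:
    """Verify the input: cap its length and drop every character not on the allow-list."""
    return "".join(ch for ch in raw[:MAX_LEN] if ch in ALLOWED_CHARS)


def render_vulnerable(raw: str) -> str:
    """Reflects the parameter unchanged, so markup in a manipulated link is rendered."""
    return "<p>Results for: " + raw + "</p>"


def render_hardened(raw: str) -> str:
    """Reflects only the cleaned value and encodes it for the HTML context as well."""
    return "<p>Results for: " + html.escape(clean_query(raw), quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed test input of the kind a manipulated link would carry.
    probe = '"><img src=x onerror=alert(1)>'
    print(render_vulnerable(probe))   # markup survives and would be interpreted
    print(render_hardened(probe))     # only harmless text remains
    print(render_hardened("Q3 report_2024.v2"))  # legitimate input is unchanged
```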