Defendza was approached by a prospective customer seeking advice about a suspected attack. Investigation confirmed that the customer's website had recently been compromised: threat actors had placed several backdoor files that allowed them to gain and maintain full control of the server hosting the site. Before engaging us, the client's team had already taken remedial measures after the attack. In their words, "all the necessary malware cleansing steps were taken care of and the website was secured with a shiny new Web Application Firewall (WAF)". We were asked to assess the website before it went back live on the internet.
After an initial review of the client's circumstances, the client agreed with our recommendation of a thorough grey-box review of the newly set up website, an approach that gives in-depth analysis as well as learning opportunities for the client's own team.
Testing found that server-side code routines were vulnerable to SQL injection, with the application relying solely on the Web Application Firewall (WAF) for protection. Once the WAF was disabled, trivial SQL injection was enough to compromise the entire application: a malicious user could inject queries directly into the backend database and retrieve all of its sensitive data.
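The following is an added illustration of this finding, not code from the client's application or from Defendza. It assumes a hypothetical login routine over a constructed users table (username, password, role) and a deliberately naive signature filter standing in for the WAF; the real application's schema and WAF rules are not described on this page. The point it shows is that a filter at the edge can be sidestepped by a payload it does not match, whereas a parameterized query does not care what the payload looks like.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the
    backend database (assumption: the real schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Login built by string concatenation, the kind of server code routine
    the assessment found. Returns the matched role or None."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the query shape is fixed and user input travels only
    as bound parameters, so the database never parses it as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def naive_waf(value):
    """Hypothetical edge filter (assumption, not the client's WAF): blocks the
    textbook ' OR pattern and nothing else. Returns True if the input passes."""
    return "' OR " not in value.upper()


def demo():
    """Run the three cases and return the roles obtained for each."""
    conn = make_db()
    # Comment-based payload: closes the string, then comments out the
    # password check. It passes naive_waf because it never contains "' OR ".
    payload = "alice' --"
    return {
        "waf_passes_payload": naive_waf(payload),
        "vulnerable": login_vulnerable(conn, payload, "wrong"),       # "admin"
        "parameterized": login_parameterized(conn, payload, "wrong"), # None
        "legitimate": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With the WAF in front, the same concatenated query is only as safe as the filter's pattern list; the parameterized version returns nothing for the injected input regardless of whether any filter is present, which is why the fix belongs in the code rather than in the WAF alone.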
Further, a review of the operating system supporting the application identified several remaining traces of the compromise, including backdoor files left on the server. These had not been purged by the cleansing process carried out by the client's team.
The client confirmed our understanding: the measures taken after the attack had been quick fixes applied to the website rather than a rebuild. They decided to revamp the entire solution, including the supporting infrastructure.
From a long-term perspective, the customer followed good security practice by building the server from scratch according to the secure hardening guidelines provided by Defendza, with configuration and OS settings set in line with standard security practices. Developers attended a Defendza debriefing session on secure coding practices. The retest confirmed that these measures had been well implemented.
This telecom industry client was planning an internal mobile application roll-out to its staff on restricted iPad devices. The application allows users to connect to their Salesforce CRM modules to fetch, record and update project-specific information.