Security audit for a British SaaS supplier

Client details: [confidential] – British supplier of SaaS (Software as a Service)

Our job: the key task was to conduct a security audit and discover any potential vulnerabilities in the service our client offers. The targets of our analysis were their server infrastructure and the e-commerce app they offer in a SaaS model. The audit was to follow the OWASP (Open Web Application Security Project) methodology.

What we did: we created a team of 3 Web-App Test Experts & Linux Specialists. They conducted a full scan of the client’s server configuration. The test was 100% black-box, which means we were not granted access to the server or the source code of the app beforehand. We acted as if we were external hackers trying to attack the server.

We also tested the security of the e-commerce app, which is the core business of our client. It’s a selling and marketing platform that can be bought and branded by their customers.

What the client gained: during the 30-day security audit we discovered a total of 18 vulnerabilities, of which 4 were server configuration vulnerabilities. We were authorized to share details of 2 of the discovered vulnerabilities for the purpose of this case study.

1) XML External Entity (XXE) attack, which we were able to conduct in the “add products” module. Thanks to XXE we managed to read files from the server and could freely execute commands in the system. Had an attacker found this error before we did, they could have severely complicated the business activity of our client.

2) Hidden “admin panel”, responsible for checking and resetting other servers, as well as executing some simple commands. Unfortunately, the panel was so ineffective that we quickly gained full control over it and could execute any commands (shell executions) in the client’s system.

The audit was summarized in a full report containing our discoveries and advice on how to eliminate the vulnerabilities.

What we gained: we gained yet another happy customer. We were also invited to conduct a follow-up audit as soon as the new version of the system is operational.