Client Overview: Our client is a prominent player in the Web3 space, offering innovative financial solutions to manage Bitcoin and other cryptocurrencies. With a significant presence in the blockchain and cryptocurrency ecosystem, the company enables users to securely manage their digital assets. As a leading organization in this emerging sector, they handle a vast amount of financial transactions, making the security of their platforms a critical priority. Given the sensitive nature of their operations, ensuring the integrity of their web and mobile applications is paramount to protecting user funds and maintaining trust within the cryptocurrency community.
Challenge: The Web3 space presents unique challenges when it comes to security. The decentralized and transparent nature of blockchain transactions makes them highly visible but also prone to specific types of exploitation. As a result, our client faced several security risks that could potentially compromise user funds and application integrity. Specifically, we identified high-level logical vulnerabilities in their application that allowed attackers to manipulate transaction flows and drain funds. Additionally, common but critical vulnerabilities such as SQL injection (SQLi), Cross-Site Scripting (XSS), and Broken Access Control (BAC) were prevalent, further exposing the platform to potential threats.
With the constant evolution of attack techniques, securing Web3 applications requires a specialized approach. This client needed not only to address immediate vulnerabilities but also to ensure their overall infrastructure remained secure in a rapidly evolving threat landscape.
Scope: Web Application, Mobile Application, API
Engagement Overview: We conducted a 3-month Vulnerability Assessment and Penetration Testing (VAPT) engagement for our client, focusing on their web and mobile applications. Our objective was to identify vulnerabilities that could potentially compromise user funds, data security, and the overall stability of their platform. We adopted a multi-faceted testing approach, simulating various real-world attack scenarios to uncover both common and uncommon vulnerabilities in the system.
Throughout the engagement, we worked closely with the client’s security and development teams, providing actionable insights to help them address and fix vulnerabilities in real time. The engagement covered:
- Web Application Security Testing: We conducted a comprehensive security review of the web application, including testing for SQL injection (SQLi), XSS, Broken Access Control (BAC), Cross-Site Request Forgery (CSRF), HTML injection (HTMLi), rate-limiting issues, and information disclosure. We also identified exposed files and other sensitive data vulnerabilities.
- Mobile Application Testing: The client’s mobile platform, integral to their user experience, was also subjected to extensive security testing to ensure mobile-specific risks were mitigated, such as insecure data storage, improper session management, and potential man-in-the-middle (MITM) attacks.
- Advanced Logical Vulnerabilities: One of the most alarming findings was a set of logical vulnerabilities within their application. By exploiting poorly parsed SQL queries, we were able to manipulate inputs, which resulted in extra fund transfers being directed to unauthorized accounts. This was a critical flaw, and we immediately alerted the client’s team to address it.
- Dark Web Monitoring: As part of our routine security protocols, we regularly scan the dark web for any leaked credentials or exposed sensitive information related to our clients. During this engagement, we discovered that some of the client’s passwords were leaked on the dark web, potentially putting user accounts at risk. This was promptly communicated to the client for remediation.
- Vulnerable Development Platforms: Although not part of our original scope, during our testing, we uncovered vulnerabilities on several of the client’s development platforms exposed to the internet. These platforms were running insecure services that could have been easily exploited by attackers. We immediately notified the client, and they took swift action to secure these systems.
- Breaking Encryption: While we identified several high-impact vulnerabilities, one of the most crucial findings was related to the client’s network traffic encryption. Although the client had implemented a robust encryption mechanism to secure traffic and protect sensitive data at rest and in transit, our team was able to break the encryption by identifying a secret key that had been inadvertently exposed during the application analysis phase. This critical oversight could have allowed an attacker to monitor encrypted traffic flows and conduct Man-in-the-Middle (MITM) attacks, effectively intercepting sensitive data such as user credentials, transaction details, or other confidential information exchanged between users and the application.
Key Findings
- High-Level Logical Vulnerabilities: We identified a critical vulnerability that allowed attackers to drain funds by submitting illegal inputs that, when parsed by the SQL query, produced illogical output that transferred more funds than intended. This type of flaw could have led to significant financial losses if left unaddressed.
- SQL Injection (SQLi): Several points within the web application were vulnerable to SQL injection, allowing attackers to manipulate database queries and gain unauthorized access to sensitive information.
- Cross-Site Scripting (XSS): We discovered reflected and stored XSS vulnerabilities, which could allow attackers to inject malicious scripts into the web application. These scripts could compromise user sessions or steal sensitive data.
- Broken Access Control (BAC): Issues were found where users with lower privileges could gain access to restricted areas of the application, potentially exposing sensitive data or allowing unauthorized actions.
- Cross-Site Request Forgery (CSRF): The web application was vulnerable to CSRF attacks, which could trick authenticated users into executing unintended actions, such as transferring funds or changing account settings.
- HTML Injection (HTMLi): A series of HTML injection vulnerabilities were found, which could allow attackers to alter the appearance and functionality of the web interface or inject malicious content.
- Rate Limiting and DoS Vulnerabilities: The lack of proper rate limiting left the system vulnerable to denial of service (DoS) attacks, potentially overwhelming the application with requests.
- Information Disclosure and Exposed Files: Sensitive data, such as error messages, configuration files, and internal paths, were exposed, potentially giving attackers valuable insights into the system’s inner workings.
- Leaked Credentials on the Dark Web: During our routine dark web monitoring, we identified that some of the client’s passwords had been leaked, putting user accounts at risk. This was immediately communicated to the client for action.
- Insecure Development Platforms: Unsecured services running on the client’s development platforms were exposed to the internet, which could have been exploited by attackers to gain unauthorized access to their internal systems.
Actionable Remediation and Collaboration
After identifying these vulnerabilities, we provided a comprehensive report detailing each issue, its potential impact, and clear remediation steps. The report included sample code snippets to help the client’s developers quickly implement the required fixes. We recommended critical actions such as:
- Fixing SQL injection vulnerabilities by using prepared statements and parameterized queries.
- Implementing strong input validation and output encoding to mitigate XSS and HTML injection attacks.
- Applying strict role-based access control (RBAC) to prevent unauthorized access to restricted data.
- Implementing CSRF tokens to protect against CSRF attacks.
- Improving rate limiting to prevent DoS attacks and mitigate brute force attempts.
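As an added illustration of the first two remediation items (this is example code written for this page, not a snippet from the engagement report or the client's code base), the routine below shows a fund-transfer handler hardened against both the SQL injection and the amount-manipulation logic flaw described above: untrusted amounts are validated before they reach SQL, every query is parameterized, and the debit only succeeds when the balance covers it, inside a single transaction. The table layout, account ids and balances are constructed for the demo.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed in-memory ledger; balances are integer satoshi so the balance
# comparison never depends on float rounding. Schema names are assumptions.
def make_ledger():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance_sat INTEGER NOT NULL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100_000), ("bob", 5_000)])
    db.commit()
    return db

def parse_amount(raw):
    """Turn untrusted input into a positive whole-satoshi amount, or None."""
    try:
        amt = Decimal(str(raw))
    except InvalidOperation:
        return None  # not a number at all (e.g. text with SQL fragments)
    # Reject NaN/inf, zero, negatives (a negative 'debit' would credit the sender)
    # and anything finer than one satoshi
    if not amt.is_finite() or amt <= 0 or amt != amt.to_integral_value():
        return None
    return int(amt)

def transfer(db, src, dst, raw_amount):
    """Hardened transfer: validated amount, parameterized SQL, atomic balance check."""
    amount = parse_amount(raw_amount)
    if amount is None or src == dst:
        return False
    try:
        with db:  # one transaction; rolled back automatically on any exception
            # Debit only if funds suffice; rowcount tells us whether it happened
            cur = db.execute(
                "UPDATE accounts SET balance_sat = balance_sat - ? "
                "WHERE id = ? AND balance_sat >= ?",
                (amount, src, amount))
            if cur.rowcount != 1:
                raise ValueError("insufficient funds or unknown source")
            cur = db.execute(
                "UPDATE accounts SET balance_sat = balance_sat + ? WHERE id = ?",
                (amount, dst))
            if cur.rowcount != 1:
                raise ValueError("unknown destination")
    except ValueError:
        return False  # nothing was committed
    return True

def balance(db, acct):
    row = db.execute("SELECT balance_sat FROM accounts WHERE id = ?", (acct,)).fetchone()
    return row[0] if row else None
```

Because the debit is a conditional UPDATE and both legs sit in one transaction, a rejected transfer leaves both balances exactly as they were.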
The client took these recommendations seriously and worked diligently to deploy fixes, especially for high and critical vulnerabilities. They also implemented enhanced security monitoring and incident response procedures to stay proactive in the face of future threats.
Conclusion
The engagement was successful in identifying a wide range of vulnerabilities that could have posed serious risks to the platform’s security and the client’s reputation. By uncovering high-level logical flaws, critical vulnerabilities such as SQL injection, XSS, and CSRF, and identifying exposed credentials on the dark web, we were able to provide the client with actionable insights that significantly improved the security of their web and mobile applications.
The client’s swift action to address the vulnerabilities demonstrated their commitment to securing user funds and maintaining the trust of their user base. At Securze, we remain dedicated to supporting our clients in securing their platforms, especially in rapidly evolving spaces like Web3, where the security landscape is constantly shifting.