Client Overview: Our client, a prominent company in the finance sector, manages a wide range of financial services through internal web applications, customer-facing mobile apps, and critical server infrastructure. With operations spread across 13 different office locations, ensuring the security of their digital assets was vital to protecting sensitive financial data and maintaining customer trust.
Challenge: The client needed a comprehensive security audit to identify and address vulnerabilities within their internal web applications, customer-facing mobile app, and server infrastructure. Given the distributed nature of their operations across 13 office locations, a coordinated on-site Vulnerability Assessment and Penetration Testing (VAPT) was essential to ensure consistent security standards across all sites.
Scope: Web Application, Mobile Application, Network, API
Engagement Overview: Over the course of two months, our security team undertook an extensive on-site Vulnerability Assessment and Penetration Testing (VAPT) engagement for a prominent client in the financial services sector. The client, managing sensitive financial transactions and customer data, sought a thorough evaluation of its digital infrastructure, which included internal web applications, a customer-facing mobile app, and its server infrastructure. Our goal was to simulate real-world attack scenarios to uncover potential vulnerabilities that could be exploited by malicious actors.
Our Approach: The engagement was conducted exclusively on-site at the client’s 13 office locations, ensuring a deep, hands-on assessment of their security posture. To minimize disruption to the client’s day-to-day operations, we carried out the majority of our testing during downtime hours, after all employees had left for the day. This allowed us to engage in comprehensive testing without affecting normal business operations.
Our team followed a structured and methodical approach, conducting penetration tests and configuration reviews across multiple components of the client’s infrastructure. The key areas we focused on included:
- Internal Web Applications: These apps were essential for employee operations and data management.
- Customer-Facing Mobile App: A critical interface for clients to interact with the company’s financial services.
- Internal Desktops, Laptops, and Servers: These were central to day-to-day business activities and data processing.
- Firewall and Access Points Configuration: Ensuring that perimeter defenses were properly configured in line with vendor guidelines and industry best practices.
We also employed official vendor guidelines and CIS (Center for Internet Security) Benchmarks for reviewing the security configurations of firewalls, access points, and other infrastructure devices.
Key Vulnerabilities Identified
Throughout the engagement, we identified several critical security vulnerabilities that posed significant risks to the client. These issues ranged from application flaws to outdated systems and misconfigurations in internal systems. Below are some of the most notable findings:
- Mobile Application – Account Takeover Vulnerability: We discovered a critical vulnerability in the client’s customer-facing mobile application. By exploiting multiple logical flaws in the application, an attacker could bypass authentication and gain unauthorized access to any user’s account without knowing the username or password. This vulnerability could have had a severe financial impact, as attackers could have drained funds from user accounts. The client immediately acted upon this discovery, working to mitigate the issue and implement the necessary fixes.
- Outdated Systems: During our assessment, we found that several systems used within the organization were running outdated operating systems, including Windows 7, Windows XP, and Server 2008, all of which had reached their end-of-life (EOL). These systems were no longer receiving security patches from the vendor, posing a significant security risk. We strongly recommended that the client prioritize the upgrade or replacement of these systems to ensure they remained secure and compliant with industry standards.
- Internal Web Application – RBAC Issues: The internal web application revealed multiple Role-Based Access Control (RBAC) flaws. These issues allowed unauthenticated users to access critical data via API requests, and in some cases to execute operations or update data without proper authorization. Additionally, low-privileged users could gain access to admin-level functionalities, potentially compromising sensitive information or making unauthorized changes. Our team recommended a comprehensive review of the RBAC policies and immediate remediation to restrict access to critical functionalities.
- Remote Code Execution (RCE) Vulnerability via File Upload: One of the most severe vulnerabilities we uncovered was a Remote Code Execution (RCE) flaw in the file upload functionality of the internal system. By uploading a specially crafted .aspx file, an attacker could gain full shell access to the server. This would allow the attacker to execute arbitrary code on the critical infrastructure, leading to a complete compromise of the system. We provided strategic recommendations for mitigating RCE risks, including:
  - Implementing file type restrictions and validation checks.
  - Using secure file upload mechanisms that restrict executable files.
  - Implementing a robust monitoring system for uploaded files and executed code.
- Server Configuration – Firewall and Access Point Review: As part of our configuration review, we assessed the client’s firewall and access point settings using CIS Benchmarks and vendor-specific guidelines. Although the overall firewall configuration was reasonable, we identified several areas for improvement, including misconfigured firewall rules and access control lists (ACLs) that could allow unauthorized inbound connections. Similarly, access points were found to have weak encryption protocols, which posed a potential risk of unauthorized network access.
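As an added illustration of the first two file-upload mitigations above (this is example code, not from the engagement, whose affected application was ASP.NET; the extension allowlist, blocked-suffix set, size limit and sample inputs are constructed assumptions), the following Python validator applies the checks server-side: it strips client-supplied paths, rejects any dotted segment that names a server-executable type such as .aspx, requires an allowlisted extension whose magic bytes match the content, and stores the file under a random name.

```python
import os
import re
import secrets
from dataclasses import dataclass

# Allowlist (assumed): extension -> magic-byte prefix the content must begin with.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# Server-executable suffixes that must never reach a web-served directory (assumed set).
BLOCKED_EXTENSIONS = {
    "aspx", "asp", "ashx", "asmx", "asax", "cshtml", "config",
    "dll", "exe", "php", "jsp",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upload limit


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""  # random name to use on disk, outside the web root


def validate_upload(client_filename: str, content: bytes) -> UploadDecision:
    # 1. Drop any directory components the client sent (handles / and \ paths).
    base = os.path.basename(client_filename.replace("\\", "/"))
    # 2. Inspect every dotted segment, not just the last one, so names such as
    #    "report.aspx.pdf" or "shell.pdf;.aspx" cannot smuggle an executable suffix.
    segments = [s.lower() for s in re.split(r"[.;]", base) if s]
    if len(segments) < 2:
        return UploadDecision(False, "missing extension")
    if any(seg in BLOCKED_EXTENSIONS for seg in segments):
        return UploadDecision(False, "executable extension rejected")
    ext = segments[-1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension not in allowlist: {ext}")
    if not content or len(content) > MAX_BYTES:
        return UploadDecision(False, "size out of range")
    # 3. Content must match the declared type; a renamed script fails this check.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match declared type")
    # 4. Never reuse the client's name: random token plus the validated extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)
```

The accepted file should still be written to a directory the web server does not execute from, and the rejection reasons are what the monitoring recommended in the third point would log.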
Collaboration with Client’s IT and Security Teams
Throughout the engagement, we maintained close communication with the client’s IT and security teams across each of the 13 office locations. After identifying each vulnerability, we worked collaboratively with the teams to ensure that vulnerabilities were properly understood and prioritized for remediation. This included providing technical guidance and advice on best practices for fixing the identified issues.
Our efforts were focused on both immediate remediation and long-term improvements to the client’s security posture. The client was particularly responsive when we identified the account takeover vulnerability in the mobile app, as it posed an immediate financial risk. The IT team implemented patching and security controls to mitigate this issue within days.
Retesting and Final Recommendations
After the initial round of testing, we conducted two thorough retests of all the assets in scope to verify that the identified vulnerabilities had been addressed and to ensure the overall security improvements were effective. During this phase, we also helped the client by sharing additional recommendations to further strengthen their security infrastructure, including:
- Updating and patching all outdated systems to remove known vulnerabilities.
- Improving the security posture of their internal and external applications by implementing the latest security best practices.
- Implementing stronger authentication mechanisms, including multi-factor authentication (MFA), across critical systems.
- Regularly updating firewall rules and monitoring for potential vulnerabilities.
Conclusion
The two-month engagement led to significant improvements in the client’s security posture, particularly with respect to safeguarding their sensitive financial data. By identifying critical vulnerabilities, such as account takeover and remote code execution, and collaborating closely with the client’s internal teams, we were able to mitigate immediate threats and establish a more resilient infrastructure.
The client now enjoys a strengthened security framework, which not only protects their data but also reinforces their reputation as a trusted provider in the highly competitive finance sector. Through our detailed report, recommendations for remediation, and ongoing support, we were able to help the client enhance their digital security and better protect themselves against evolving cyber threats.