We were approached by our client to conduct a penetration test of an extensive enterprise application delivered by a third-party supplier. There was a real suspicion that sensitive data about employees' wages had leaked and that this information had been accessed without authorization. The application consisted of hundreds of modules and libraries providing services to several divisions of the company, so the first task was to define and focus on the critical input vectors: the paths through which an attacker could plausibly reach sensitive data, including the parts of the application that should be accessible only to specific privileged users.
By analysing the application's network traffic and combining that with decompilation, modification and recompilation of its binaries, we quickly identified several critical vulnerabilities that directly threatened the security of the entire application and its data.
The application's remote update feature passed attacker-controllable input into SQL statements, so additional SQL queries could be appended and executed against the client's database; an external attacker could therefore interact with the database directly. Likewise, an employee's normal permissions could be escalated to the highest super-user level simply by modifying the client-side software, because the authorization checks were enforced only in the client and no corresponding controls existed on the server side of the application.
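The two findings above share one root cause: the server trusted what the client sent, whether that was a fragment of SQL or a claimed role. The following is an added example written for this page, not code from the client's application or its supplier; the SQLite schema, sample rows, session tokens and function names are all constructed to illustrate the pattern. It shows a field update that concatenates client input into a script (which lets stacked statements through) beside the parameterized form, and a wage lookup that trusts a client-supplied role beside one that derives the role from a server-side session.

```python
import sqlite3


def make_db():
    """Constructed sample database: two employees and two server-side sessions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, wage INTEGER);
        CREATE TABLE sessions (token TEXT PRIMARY KEY, employee_id INTEGER, role TEXT);
        INSERT INTO employees VALUES (1, 'alice', 52000), (2, 'bob', 48000);
        INSERT INTO sessions VALUES ('tok-alice', 1, 'employee'),
                                    ('tok-admin', 3, 'superuser');
        """
    )
    return conn


# Vulnerable: the client-supplied value is pasted into the statement text and
# executescript() runs every statement it finds, so a client can append its own SQL.
def update_name_vulnerable(conn, employee_id, new_name):
    conn.executescript(
        f"UPDATE employees SET name = '{new_name}' WHERE id = {employee_id};"
    )


# Fixed: a single parameterized statement; the value can never become SQL syntax.
def update_name_fixed(conn, employee_id, new_name):
    conn.execute("UPDATE employees SET name = ? WHERE id = ?", (new_name, employee_id))
    conn.commit()


# Vulnerable: the role is whatever the (possibly modified) client claims it is.
def get_wage_vulnerable(conn, claimed_role, employee_id):
    if claimed_role != "superuser":
        return None  # "denied", but the client controls claimed_role
    row = conn.execute("SELECT wage FROM employees WHERE id = ?", (employee_id,)).fetchone()
    return row[0] if row else None


# Fixed: the role and identity come from the server-side session keyed by the
# bearer token; an employee may read only their own wage, a superuser any wage.
def get_wage_fixed(conn, token, employee_id):
    session = conn.execute(
        "SELECT employee_id, role FROM sessions WHERE token = ?", (token,)
    ).fetchone()
    if session is None:
        return None
    session_employee, role = session
    if role != "superuser" and session_employee != employee_id:
        return None
    row = conn.execute("SELECT wage FROM employees WHERE id = ?", (employee_id,)).fetchone()
    return row[0] if row else None


def wage_of(conn, employee_id):
    """Direct read, used to observe what each variant did to the data."""
    return conn.execute("SELECT wage FROM employees WHERE id = ?", (employee_id,)).fetchone()[0]


# Constructed payload: closes the string, appends a second UPDATE, comments out the rest.
STACKED_PAYLOAD = "x'; UPDATE employees SET wage = 999999 WHERE id = 2; --"

if __name__ == "__main__":
    db = make_db()
    update_name_vulnerable(db, 1, STACKED_PAYLOAD)
    print("vulnerable update, bob's wage:", wage_of(db, 2))      # 999999
    db = make_db()
    update_name_fixed(db, 1, STACKED_PAYLOAD)
    print("fixed update, bob's wage:", wage_of(db, 2))           # 48000
    print("forged role reads bob:", get_wage_vulnerable(db, "superuser", 2))
    print("alice via session reads bob:", get_wage_fixed(db, "tok-alice", 2))  # None
    print("admin via session reads bob:", get_wage_fixed(db, "tok-admin", 2))  # 48000
```

The point of the fixed variants is not the specific framework: every server endpoint must re-derive identity and role from state the client cannot edit, and must never let client data become part of statement text, regardless of what checks the shipped client performs.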
All of our findings helped the customer to identify and understand the risks they were exposed to, put them in a strong position to have the deficiencies resolved by the software supplier and, in the end, raised the security level of the third-party software for the supplier's other present and future customers as well.