Enterprise Dental Management System

Dental Management System Pentest

Penetration Testing

Problem:

The client developed a platform that offers a full service management system for dental offices in Canada. Its basic features include HR management, appointment scheduling, patient records, internal communications and records management. The platform was built as a set of PHP web services communicating with a group of Windows servers.

The task: fix outdated technologies, careless coding practices and a lack of application security engineering.

Solution:

With the client's approval, our team used the White Box testing method in the production environment. Testing was completed successfully without endangering the integrity of the application.

The tests covered three attack vectors: the human, infrastructure and application layers. By running all of them, the team gained a complete insight into the system and its weaknesses.

The examination included the following steps:

  1. Information gathering – obtaining all public information about the organization using OSINT and Google Dorks, and linking the domains found in registrar records to IP addresses.
  2. Testing the infrastructure – scanning the network and ports identified in the previous step. Service discovery and a vulnerability assessment of the services on open ports were executed. The team found a network of Windows machines that were all vulnerable to the EternalBlue exploit.
  3. Web application testing – brute forcing and indexing of all pages. This phase yielded critical information about the server and the application. Examples of the problems found: a database backup from which the complete schema could be retrieved, parts of production data present in the staging environment, server misconfiguration, and errors on pages that the client's own tests didn't cover. The application was also tested for XSS and SQL injection.
  4. Reporting – following the NIST SP 800-115 standard. Reports were written during every step of the testing process and contain the recommended actions the client should implement to fix all the vulnerabilities. Our experts provided step-by-step consulting to the responsible client team on refactoring the application and infrastructure architecture.
