Penetration Testing: Staffing Firm
High Bit Security (HBS) was engaged by a national staffing firm (SF) with offices across the United States, providing employment placement services across all business sectors. The firm stores extensive sensitive employee data, including personally identifiable information (PII), social security numbers, background check information, and employment history. To evaluate the security of this data, the SF engaged HBS to perform an external penetration test; we also performed an internal penetration test. Upon completion of the testing, we provided a 125 page detailed penetration testing report.
External Penetration Testing Results
- Website Account Registration Enumeration: The website revealed whether or not a given account existed, making it easier for an attacker to identify valid accounts.
- Website Misconfiguration: Allowed for remote debugging of the web application, revealing valuable and detailed information about the application framework and code structure.
- Website Password Storage: The website allowed authentication credentials to be stored on the client, exposing client logins to abuse from each local client instance.
- Website Misconfiguration: Allowed for the clear text submission of the password, allowing account credentials to be intercepted in clear text.
- Webserver Misconfiguration: Allowed for insecure storage and transport of sensitive authentication and session information.
- Credit Card Data Disclosure: PCI compliance mandates the masking of full card numbers in the web interface; this interface, however, displayed full card numbers.
- Website Information Disclosure: Web application HTTP headers carried sensitive information in plain text when passing existing visitors to outside sites, a common problem we often find with single sign-on systems.
- Website Vulnerability: The website was vulnerable to cross-site scripting, which could be leveraged to execute malicious scripts that reveal sensitive data or even rewrite the content of the HTML pages being served.
- Website Poor Coding Practice: Scripts from foreign websites were allowed to execute in the client browser context.
- Webserver Misconfiguration: Directory listing was enabled, revealing significant details about the web application structure that are very helpful to attackers.
- Web Application Authentication Vulnerability: The web application allowed weak password complexity, improving the likelihood that account credentials could be guessed or brute forced.
- Web Application Authentication Vulnerability: The web application did not lock out accounts after a limited number of invalid authentication attempts, nor provide brute force protection by any other method, allowing brute force or dictionary attacks. This was particularly dangerous since the application also allowed the enumeration of valid accounts and allowed weak passwords.
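The last three findings compound each other: enumeration tells an attacker which accounts exist, weak passwords make them guessable, and no lockout lets the guessing run unbounded. The following is an added example (not code from HBS or the staffing firm) showing how a registration and login handler closes all three gaps at once: identical responses whether or not an account exists, a minimum password policy, and a per-account failure counter with a timed lockout. Stores, thresholds and the PBKDF2 parameters are constructed assumptions for illustration.

```python
import hashlib, hmac, re, secrets, time

ACCOUNTS = {}            # constructed in-memory store: email -> {"salt", "hash"}
FAILED = {}              # constructed: email -> (failure count, first failure time)
MAX_ATTEMPTS = 5         # assumed lockout threshold
LOCKOUT_SECONDS = 900    # assumed lockout window
MIN_LEN = 12             # assumed minimum password length

def password_meets_policy(pw):
    # Require length plus at least three of four character classes.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(pw) >= MIN_LEN and classes >= 3

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def register(email, pw):
    """Return the same message whether or not the address is already registered."""
    if not password_meets_policy(pw):
        return "Password does not meet policy."
    if email not in ACCOUNTS:
        salt = secrets.token_bytes(16)
        ACCOUNTS[email] = {"salt": salt, "hash": _hash(pw, salt)}
    # Existing and new addresses get an identical response, so nothing is enumerable.
    return "If this address is eligible, a confirmation has been sent."

def login(email, pw, now=None):
    """Return (success, message); the message never distinguishes unknown, locked or wrong."""
    now = time.time() if now is None else now
    count, first = FAILED.get(email, (0, now))
    if count >= MAX_ATTEMPTS:
        if now - first < LOCKOUT_SECONDS:
            return False, "Invalid credentials."   # locked out; same text as a bad password
        count, first = 0, now                      # lockout window expired, start fresh
    rec = ACCOUNTS.get(email)
    # Hash even for unknown accounts so response time does not reveal existence.
    salt = rec["salt"] if rec else b"\x00" * 16
    expected = rec["hash"] if rec else b"\x00" * 32
    computed = _hash(pw, salt)
    if rec is not None and hmac.compare_digest(computed, expected):
        FAILED.pop(email, None)
        return True, "Welcome."
    if count == 0:
        first = now
    FAILED[email] = (count + 1, first)
    return False, "Invalid credentials."
```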
Internal Penetration Testing Results
- Default or Guessable Passwords: The primary internal SQL server used an easily guessable password for the privileged system account, which we quickly guessed. This vulnerability allowed reading and writing information on the database host file system, in addition to full access to the SQL server database itself.
- Open Administrative Interfaces: Administrative control over several peripheral devices was exposed, revealing significant sensitive data.
- Anonymous Enumeration of LDAP: Unauthenticated retrieval of sensitive information about internal accounts on the domain was permitted.
- Host Misconfiguration: Unauthenticated connections were allowed, exposing extremely sensitive information about the target hosts.
- Host Misconfiguration: Ports and protocols were enabled on servers where they were not necessary, exposing sensitive information about the environment that would facilitate attack activities.
Upon receipt of the testing results, the SF reviewed them with their IT staff and closed the security vulnerabilities on their external web applications, servers and internal systems. Once SF staff completed the corrections, HBS validated that the vulnerabilities were remediated.