Italian developer Digital Attitude improved security of its web services by pentest
ITGLOBAL.COM information security specialists provided penetration testing for Digital Attitude, using Black Box model. Pentest helped to evaluate security of public resources and client services, as well as threat level of found vulnerabilities.About the company
Digital Attitude develops Habit-inspiring Platform (hi) — a virtual trainer that helps in adopting new technologies. With the help of hi users develop their new soft skills in corporate software usage, changing older skills to the newer ones.
Digital Attitude’s key project is the virtual trainer’s curricula to adopt Microsoft Office 365 products. Digital Attitude itself is the “golden partner” of Microsoft, winner of Digital Transformation Champ Awards 2020 in Collaboration & Smartworking category.
The habit-inspiring concept is based on the nudge theory of Richard Thaler, the economist and Nobel Prize winner in behavioral Economics.
hi helps personnel to form “proper skills” when working with corporate applications. For example, to regularly save files in a folder synchronized with OneDrive – instead of saving to just “Documents” or “Active Desktop”. With hi employees start utilizing all useful features of MS Office, OneDrive, SharePoint and other Microsoft 365 products. Thus a purchase of a Microsoft package by a company converts from an expense into an investment.
Digital Attitude’s clientele incorporates large companies from various sectors, including oil production, banking, insurance and healthcare.
The Task
hi platform consists of the client part and the server part. The Client, installed on an employee’s PC, anonymously gathers necessary metrics and sends them to a “brain” of hi via IoT. The “brain” conducts analysis and decides which message is to show to a customer. Theoretically, if an intruder intercepts a “client-server” connection, he/she might gain access to an employee’s computer.
Denis Sumin, full stack developer, Digital Attitude IS specialist:
«For our company, the security of users ranks first. Every customer has the ID only. We store no emails, no names, no IP addresses – nothing at all, so everything is highly anonymous. Yet we permanently care that even these anonymous IDs wouldn’t leak anywhere, that there is no side access to them».
Digital Attitude also cares for secure development of the platform. No developer has access to the production version of hi, so an independent production deployment is impossible. Automated deployment is instead performed via Digital Attitude’s special AWS account. Every commit is digitally signed; the forgery is, again, impossible. Each pull request is verified by at least two developers. To insert harmful code into hi requires cahoots of at least three individuals.
Denis Sumin:
«We have everything firmly set inside. But the outer area is beyond our control, so we’ve decided for Black Box penetration test».
The Method
The main feature of Black Box model external analysis of client services protection is that an intruder (pentester) has no knowledge of the company and its systems. Attacks on only the client’s public resources are imitated during a pentest. Source data for an attack are external IP addresses and public URLs, including web sites and other resources: for example – mail, terminal and file servers. Other web services, access to which is revealed upon scanning, are tested as well.
Pentest aims to uncover vulnerabilities, weak points and ways to alternatively access protected information. To do the task, pentesters perform manual analysis, as well as use various tools: multipurpose scanners and specific utilities for some specific types of attacks.
Pentester selection
Before addressing ITGLOBAL.COM, Digital Attitude sent inquiries to both European and American companies. None of the pentesters from the West were able to set suitable timeframes. Many have their projects scheduled for an entire year ahead – the demand for this and like services are truly high in both Europe and the U.S.
Denis Sumin:
«We’ve decided to consider several companies that are new to European market. Unfortunately, the majority of them work on their local markets only. One company confirmed its experience with foreign customers, yet on their site they had neither a single relevant case, nor a word in English».
So, at the end the selection was made in our favor. ITGLOBAL.COM appeared to suit all criteria mentioned above. IS specialists also took their time to specify in details: how the work will be performed, which vectors and tools of attack will be used.
«I was into hacking many years ago, so some items were already very familiar to me. I understood and appreciated your very serious approach: already at the stage of preliminary negotiations», — noted Denis Sumin.
The Outcome
In general Digital Attitude demonstrated very high level of protection. Only one medium level vulnerability – XSS (Cross-Site Scripting) – was ever found. But a willing and skillful enough intruder could get use of it.
The messages the “brain” sends to a client are essentially HTML pages. To make their delivery fast as possible, all javascript is placed inside. As the XSS attack unfolds, the site could be modified – for example, with the insertion of altered scripts.
Alexander Zubrikov, ITGLOBAL.COM IS Head:
«Even such scale vulnerability can lead to a number of issues. Firstly, it is possible for an intruder to obtain the client’s version of hi. As Digital Attitude uses the Chrome engine – a hacker, knowing the version, could examine this version for vulnerabilities that allow accessing the computer. Secondly, an intruder can present an altered content to a customer – images, texts, etc. That user will consider those messages as originated from the name of the company, I.e. will trust them.
Finally, an intruder may simply steal a user’s cookies – with well-known aftermaths».
Imitating the attack, ITGLOBAL.COM testers managed to insert into page their script that was executed on the customer’s side. Digital Attitude immediately patched the vulnerability with Content Security Policy. Now java scripts are signed with the additional certificate: SHA-256 algorithm generates hash, so it’s impossible to alter the script.
Denis Sumin:
«Honestly, we were not expecting any security breaches (laughs). In general we value cooperation with ITGLOBAL.COM. All issues were solved timely. Everything was transparent and professional. Level of tool usage and overall expertise are very high».
Information security services of ITGLOBAL.COM
ITGLOBAL.COM group of companies offers an array of information security services – that allows minimizing risks critical for a principal customer, its clients and business as a whole. Our auditors and IS specialists use the best practices adopted throughout the world: NIST SP 800-xx, ISO 2700x, PCI DSS, as well as widely recognized penetration test methods: OSSTMM, OWASP, NIST, PTES.