Enhancing web application security with A-LIGN’s penetration testing expertise
A client was using a low-cost firm for penetration testing but received only surface-level findings. They required a deeper approach that would assess the vulnerabilities of their web application containing sensitive data from clients in the healthcare and financial services sectors.
This client sought a more experienced firm, and chose A-LIGN for a high-quality and thorough penetration testing experience.
The challenge
Before working with A-LIGN, the client had an unsatisfactory experience with their previous firm. The services were not thorough enough and did not assess weaknesses at the level of detail they required.
In the discovery phase, A-LIGN shared its expertise in both automated and manual testing approaches, breaking down the strengths and weaknesses of each. They clearly explained how each method could contribute to a thorough and effective security review.
After reviewing the previous penetration test results, it was clear that the prior firm's testing had been mostly automated and did not reach the depth required to fully and accurately assess the security of the sensitive application.
Instead, the client needed a comprehensive penetration testing approach that went beyond surface-level vulnerabilities. The client wanted a detailed inspection of their web application to identify deeper vulnerabilities and improve their security posture. They were not simply looking to check a compliance box, but to harden the application against malicious actors targeting the sensitive data housed within it.
They sought out a true audit partner that could engage in expert-level discussions on scope of work, methodology, tester credentials, and experience to help them reach their goals.
Why A-LIGN
The client chose A-LIGN as their new firm for their penetration testing program. With over 4,000 penetration tests completed and over 5,700 clients around the globe, A-LIGN facilitated a world-class penetration testing exercise to fulfill the client’s goals and accurately assess vulnerabilities.
To start the process, a scoping form was used to capture the expected level of effort and give the client visibility into what the engagement entailed. A-LIGN assigned a tester with specialized expertise in web application penetration testing to deliver the in-depth approach the client was looking for.
The engagement began with a kickoff call, bringing together stakeholders from the client's organization and the tester and manager overseeing the project. This initial meeting set the stage for a collaborative and transparent process for all parties.
The tester employed the OWASP Top 10 for web applications as the foundation for the testing methodology. Armed with a suite of tools within Kali Linux, the tester began the meticulous process of fingerprinting and identifying vulnerabilities within the web application. Each tool played a crucial role in uncovering potential attack vectors, ensuring a thorough examination of the application’s security landscape.
The tester mapped out the application layout and examined the specifics of server versions, software, and security configurations. Tools like WafW00f and Wappalyzer were instrumental in gathering detailed information about web application firewalls and the notable technologies and frameworks in use. This comprehensive mapping provided a clear picture of the application's structure and potential weak points.
With the groundwork laid, the tester moved on to executing various attack scenarios. These scenarios were designed to probe the application's defenses and covered:
- Rate limiting controls
- Information disclosure
- CSV injection
- Session analysis
- Cross-site scripting
- SQL injection
- Password reset poisoning
- User enumeration
- Multi-factor authentication (MFA)
Each test was conducted with precision, aiming to uncover vulnerabilities that could be exploited by malicious actors.
Results
Working with A-LIGN, the client received a far more in-depth assessment than in their previous engagements with a low-quality firm and was pleased with the extensive findings.
The client appreciated the comprehensive and detailed approach provided by A-LIGN. They were able to take the findings from the final report and work with their internal IT teams to remediate them, which strengthened their security posture against attacks.
The successful engagement demonstrated A-LIGN’s ability to deliver expert-level penetration testing and improve the client’s web application security.
By continuing to work with A-LIGN to fulfill their cybersecurity compliance initiatives, the client is now better equipped to handle potential threats and continues to strive for high-quality security measures.