Data Security expertise is shared across borders

A Finnish expert tested how the website of a Swedish company selling office software survived “hacking” – An example of cross-border cooperation

Hacking is an art form that requires, above all, imagination. It all depends on what the potential intruder comes up with. Of course, the internet is full of instructions and programs, but skills are only weighed when the situation is at hand. This article introduces the notes of a white hat hacker.

A Swedish company offered its website for test use of the CYNIC-project. Testing was performed in a virtual environment in which the production server had been cloned.

What was the purpose of the testing?

My purpose was to find out if, by misusing the application in any way, it can cause events and perform functions that are not part of the normal operation of the application. I had different usernames from the basic user to the administrator in the test. Users have different roles in managing the application.

I figured out whether a particular user role can perform functions that the permissions for that role should not be able to perform. Some of the tools used in testing are free and available to everyone, so it is basically possible for anyone to try out those methods.

What kind of tests did you use?

I started testing with vulnerability scans. In testing, I used several different scanning software to compare the results with each other. The automated scan revealed small discoveries related to the injection attack as well as cookies.

I tested the cookie-related findings with browser tool which enables to modify for example Http requests from the browser to the server.

I used injection testing for the forms and search fields. Testing can be automated using various tools, for example, using injection expressions as well as lists of code snippets, which the program can be set to enter in the desired fields, as well as plain language or encoded (encoded, url encoded, etc.). With the tool used for testing it is possible to study the responses coming from the server and through this you can notice if something anomalous is happening.

Could an outsider break into the app?

The application had a limited number of login attempts, and after these the user has to ask the administrator to reactivate the account. This complicates, for example, brute force technology, which automatically attempts to guess thousands of passwords. In addition to this, the production version has the option for multi-level authentication, so breaking in from internet to the application was not the focus of this testing.

What was observed during the testing?

Injection and cookie tests were performed with different user roles. As a result of the testing, it was found that by gimmicking enough, the basic user could get to see information that he should not be able to see. However, it is good to note that even in this case, the user could not edit or delete any additional data.

In addition, testing found that injection code tests in some fields worked with certain limitations. Injection tests performed on the database did not work with the expressions used in the test.

What, where, when?

The CYNIC security project in Northern Sweden and Northern Ostrobothnia in Finland provides help with the problems that companies face in matters related to digitalisation and information security. The project can be used to safely test hardware and software. Testing can be wise, especially if a company’s business is dependent on the operation of a particular application.