Security Testing on OWASP standards for a Fleet management System
About the client
The client is a provider of Fleet Management Application.
- The client wanted to test the fleet management system which consists of a web application and set of APIs.
- A secure application is required which does not contain any vulnerability and has no risk of any potential threats.
- Lot of data regarding the driver and different user roles is stored in the database.
- Port Scanning is required to find out any which ports on a network are open and could be receiving or sending data.
- OWASP Top 10 Application Security Audit (Manual & Automation) of web application is required
Some of the pages like profile and dashboard were partially developed for most of the user roles, hence it was difficult to effectively complete the testing for the full web application
The scope of API testing was increased in the Re-Validation Round
The testing environment and API details were not provided As per the defined timelines which pushed the end date of the project
- Gathered understanding of web application and functioning of API .
- Setup of tools used for automated scans.
- Explored potential threats, through a process of developing threat scenarios and developed a realistic view of the potential attack using tools.
- Vulnerability assessment of the application and manual testing of APIs
- Simulated the penetration attacks from the Gray-box perspective.
- Executed multiple test cases related to each OWASP vulnerability.
- Port Scanning to find out the open network ports
- Identified OWASP top 10 vulnerabilities.
- Re-validated the issues that were reported in Phase 1.
- Automated scanning of application to re-validate the occurrence of issues identified in Phase 1.
Services we offered
Security Testing | Test Automation
- During the Detailed security testing (Phase 1), 4 medium risk and 1 low risk vulnerabilities was found.
- At the closure of Re-validation (Phase 2) ,3 medium vulnerabilities and 1 Low vulnerability were fixed.
- 1 medium vulnerability had been marked as an exception which will be re-validated by Intel development team
reduction in vulnerabilities of the application