Pen testing for a Cryptocurrency Platform
Today’s technological advances make it easier than ever for hackers to identify weak points and break into an organization’s systems. The purpose of pen testing is to help companies find and fix the weaknesses of their servers and network before hostile parties discover and exploit them.
What is Pen testing?
A penetration test, also known as a pen test or ethical hacking, is a simulated cyberattack against an organization’s IT infrastructure. Penetration tests are carried out to evaluate security by safely trying to exploit vulnerabilities in the organization’s security posture. These vulnerabilities may exist in operating systems, in services and applications, in improper configurations, or in risky end-user behavior.
In the case of web application security, penetration testing is commonly used to augment a web application firewall (WAF). The insights obtained from the test are used to fine-tune the WAF security policies and patch detected vulnerabilities. Such assessments are also useful in validating the effectiveness of defensive mechanisms, as well as end-user adherence to compliance regulations.
Penetration testing is typically carried out using manual or automated techniques to spot potential points of exposure. Once a vulnerability is successfully exploited, testers attempt privilege escalation to reach higher levels of security clearance and deeper access to electronic assets.
Why does a Cryptocurrency Platform need Pen testing?
The future of digital currency is strong, and so are its security risks. With the prevalence of cryptocurrency, it is crucial to prepare exchange platforms for any attempted exploitation. Hence, a pen test is often carried out to evaluate the software, applications, systems, and devices used in cryptocurrency transactions. It identifies vulnerabilities and risks in the system that may impact the confidentiality, integrity, and availability of data by emulating real attacks such as DDoS attacks.
A pen test verifies that hackers cannot reach sensitive data through loopholes and that users have a secure crypto exchange. It validates the current security implementation. It also checks social engineering aspects, such as attempts to obtain security credentials from employees, vendors, or other stakeholders and use them to phish their way into cryptocurrency networks.
Here is a case study to help you understand better.
Case Study – Pen testing for a Cryptocurrency Platform
Recently, iLink performed a pen test for a cryptocurrency exchange site, and below is the complete case study of the same.
Introduction
The client is a cryptocurrency exchange platform that offers users the ability to buy and sell digital currency. Because it is a crypto-financial platform, security is a major concern, and penetration testing therefore plays an important role in validating the security of the application.
In this engagement, our security analyst carried out ethical hacking to identify exposed security loopholes. The entire pen test was performed manually, though automated tools were used to test resilience against DDoS attacks and to scan for other vulnerabilities.
Challenges
The goal of the application is to provide a beginner-friendly, secure, and fast cryptocurrency trading experience to users. Customers make several USD deposits and trade in Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), and other currencies, and the client wanted assurance that stringent security protocols prevent unauthorized access to the application.
The client also wanted to verify that Admin wallets were protected against coin theft. Only authorized and valid users must be able to access the application after completing the KYC process. Users must be able to immediately report any failure during KYC, registration, login, transactions, etc., and follow a safe and responsible workflow to resolve the issue.
Protecting customers and providing a satisfactory experience was one of the top priorities, and the biggest challenges being addressed were security and tamper-proof transactions.
Approach
Module flows were analyzed, and the security testing approach was based on the module flow. Testing was a mix of automation and manual testing.
- The application has two interfaces, one for Admin and one for Users, and both interfaces were tested separately. The backend databases hosted in AWS were highly restricted, with access managed via AWS keys. IPs were whitelisted so that only specific IP addresses could reach the databases.
- The analyst tested all the entry points. Additionally, all the UI forms were checked with different combinations of inputs. The security analyst examined every response and verified that the application’s redirections behaved as expected.
- Admin interfaces were tested for secure login, authorized access, SSL enablement, SQL injection, and the calculation of coin bundle pricing in other currencies. User interfaces were tested from user registration through to the user accessing the application.
- The major focus of user registration testing was the KYC process. All of its checks were exercised, and testing confirmed that the process admits only credible users to the application.
- All UI forms were tested for input validation. A minimal set of test cases was performed for different attack scenarios, such as wallet transfers, coin exchanges, approvals on transactions, and so on.
Identity Management
The first scenario considered was Identity Management or “ID management”. The term refers to the processes of identifying individuals or users, thereby authorizing them to access organizational systems and networks. The process also includes canceling user access when it’s no longer valid.
ID management is of utmost importance to protect against the wide range of fraud scams that are projected to become prevalent. The tests include: credentials transported over an encrypted channel; default credentials; weak lock-out mechanism; bypassing the authentication schema; vulnerable remember-password functionality; browser cache weaknesses; weak password policy; weak security question/answer; weak password change or reset functionality; and weaker authentication in an alternative channel.
The security analyst found that most of the test cases passed. The user authorization and authentication were validated in this initial testing.
Authentication
Authenticating users is essential especially when financial transactions are involved. Besides, the client wanted to ensure zero fraudulent transactions.
For this, test cases such as logging in with a fake username or password; role definitions; the user registration process; account enumeration and guessable user accounts; and weak or unenforced username policy were the targeted testing areas.
The client portal transmits data over an encrypted channel, as the application has Secure Sockets Layer (SSL) enabled, which makes tampering with it nearly impossible. In the final findings, a few cases were identified where the password scheme was weak and could be improved, while the rest of the test cases passed.
The findings from these tests revealed that the client has a good user registration process in place. Role definition is very clear, as only privileged users can access the application. There are two portals, one for admins and the other for users. Unless an attacker compromises an account by breaking its password, there is no way to break the security; in addition, a two-factor authentication feature is enabled along with an auto-logout to assure security.
Session Management Testing
To avoid repeated authentication for each page of a website or service, web applications implement various mechanisms to store and validate credentials for a pre-determined timespan. These mechanisms are known as Session Management.
In our test, no cookies were used, as the application adopted token-based authentication, and almost all the test cases passed. Because the token expires after 5 hours, the window in which a captured token remains usable is limited, which supports the security of the platform.
Most of the remaining test cases were found not to be applicable. All of this testing was done manually, and some of the test cases were verified by executing code against the application.
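The token-based session scheme described above, as an added illustration that is not the client application's code: an HMAC-signed bearer token carrying an expiry set to the 5-hour lifetime the case study mentions. The secret key, user ids and timestamps below are constructed sample values; the token format (`payload.mac`) is an assumption made for the example, not the client's format.

```python
"""Added example: a minimal HMAC-signed, expiring bearer token, of the kind a
token-based (cookieless) session scheme issues. Illustrative code, not the
client's implementation. The 5-hour lifetime comes from the case study; the
secret and user ids are constructed sample values."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 5 * 60 * 60  # token lifetime stated in the case study


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(user_id: str, secret: bytes, now: Optional[float] = None) -> str:
    """Return '<payload>.<mac>' where payload carries the subject, issue time,
    expiry time and a random token id, and mac is HMAC-SHA256 over payload."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # random id so two tokens never collide
    }
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(mac)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.
    The MAC is checked (constant-time) before the payload is parsed, so a
    tampered or forged payload is rejected without ever being trusted."""
    now = time.time() if now is None else now
    try:
        body, mac_text = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(mac_text)):
            return None  # signature mismatch: forged, tampered, or wrong key
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired: the 5-hour window has elapsed
    return payload.get("sub")


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret-do-not-reuse"
    t0 = 1_700_000_000.0
    token = issue_token("user-42", demo_secret, now=t0)
    print("valid at +1h:", verify_token(token, demo_secret, now=t0 + 3600))
    print("valid at +5h:", verify_token(token, demo_secret, now=t0 + 5 * 3600))
```

The check order matters: verifying the MAC first means an attacker cannot influence parsing with a crafted payload, and comparing with `hmac.compare_digest` avoids leaking the signature through timing differences. A server-side revocation list keyed on `jti` would cover the auto-logout case the case study mentions, since a stateless token cannot otherwise be invalidated before its expiry.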
Business Logic Testing
In this testing, the application was tested in terms of its business logic. Testing for business logic flaws is similar to the test types used by functional testers that focus on logical or finite-state testing. These tests require security professionals to think in unconventional ways, as these vulnerabilities cannot be easily detected.
Being a financial application, data validation is the most important aspect, so our experts tested the validation of inputs. When the application was tested for forged requests, say for a balance change (a USD transfer), the number of times such an activity can be performed was found to be limited. For example, the OTP send is limited to 5 times a day. Likewise, unexpected file uploads are not allowed through the application.
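The per-day OTP cap described above, as an added example that is not the client's code: a per-user counter keyed by UTC calendar day that refuses the sixth OTP send. The limit of 5 comes from the case study; the user ids and timestamps are constructed, and the in-memory store is an assumption made for the example.

```python
"""Added example: a per-user daily cap on OTP sends, mirroring the '5 per day'
control in the case study. Illustrative code, not the client's implementation.
The limit is from the case study; user ids and times are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

OTP_DAILY_LIMIT = 5  # from the case study: OTP sends limited to 5 per day


class OtpRateLimiter:
    """Counts OTP sends per user per UTC calendar day and refuses the sixth.
    State is kept in memory here (an assumption for the example); a real
    deployment keeps it in a shared store so every app node sees the same count."""

    def __init__(self, limit: int = OTP_DAILY_LIMIT) -> None:
        self.limit = limit
        self._counts: Dict[Tuple[str, str], int] = defaultdict(int)

    @staticmethod
    def _day_key(now: datetime) -> str:
        # Bucket by UTC date so the counter does not reset at the client's
        # chosen timezone boundary; callers must pass timezone-aware datetimes.
        return now.astimezone(timezone.utc).strftime("%Y-%m-%d")

    def request_otp(self, user_id: str, now: Optional[datetime] = None) -> Tuple[bool, int]:
        """Return (allowed, remaining_today). Only allowed sends are counted,
        so repeated refused attempts cannot push the counter further."""
        now = datetime.now(timezone.utc) if now is None else now
        key = (user_id, self._day_key(now))
        if self._counts[key] >= self.limit:
            return False, 0
        self._counts[key] += 1
        return True, self.limit - self._counts[key]


if __name__ == "__main__":
    limiter = OtpRateLimiter()
    day = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)  # constructed time
    for attempt in range(1, 7):
        allowed, remaining = limiter.request_otp("user-42", now=day)
        print(f"attempt {attempt}: allowed={allowed} remaining={remaining}")
```

The counter is keyed on the authenticated user rather than on anything the client supplies in the request body, which is what makes it hold up against the forged-request scenario: resending the same OTP request, or altering fields in it, still lands on the same per-user bucket.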
Client-Side Testing and Error Handling
This testing identifies whether data can be manipulated through JavaScript execution. It also verifies that the application redirects from HTTP to the correct HTTPS URL and communicates securely.
A proper error message is displayed for each type of error.
In Conclusion
iLink helped the client determine the vulnerability of its platform to different kinds of cyberattacks. The pen test helped them realize how low-risk vulnerabilities could escalate into higher-level damage and negatively impact business operations.
Our security analysts not only minimized the security risks but also recommended solutions with proven methods to help them thwart future attacks. Thus, organizations need to hire security professionals to make sure that their systems are safe and secure.
Why iLink?
iLink has a special team of threat intelligence and certified testers with almost 20 years of experience. Our security solutions include the latest features that provide comprehensive security regulation to protect your most critical cloud assets.