How Exfinity helped secure a leading fintech's web applications and cloud infrastructure

Client Challenge 

A leading fintech organization headquartered in Mumbai, India, required a comprehensive penetration testing assessment of its web applications and cloud infrastructure. The primary objectives were to identify vulnerabilities, evaluate existing security controls, and check compliance with industry standards such as the OWASP Top 10 and the CIS AWS Foundations Benchmark, thereby protecting sensitive client data from attackers. 

Our Approach 

In response to the client’s concerns, we identified two key services to address their needs: Web Application Testing and Cloud Configuration Testing. Our engagement was aimed at: 

  • Identifying vulnerabilities across the web application and cloud infrastructure. 
  • Evaluating the effectiveness of existing security controls. 
  • Assessing compliance with the OWASP Top 10 and the CIS AWS Foundations Benchmark. 

Cloud Configuration Review 

During the assessment, the client asked that the review of their AWS configuration be prioritized. This review uncovered several misconfigurations, including: 

  • Improperly configured inline IAM policies. 
  • Multiple Amazon S3 buckets with public access permissions. 

These issues were identified through the AWS Management Console of the fintech's accounts, and the review was conducted against the CIS AWS Foundations Benchmark. The client promptly addressed the misconfigurations, significantly reducing its risk exposure. 
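The two misconfiguration classes above can be checked offline from the JSON that the AWS APIs return. The following is an added example written for this page, not Exfinity's tooling or the client's data: the policy documents, ACL and public-access-block settings are constructed samples in the shapes returned by iam:GetUserPolicy, s3:GetBucketPolicy, s3:GetBucketAcl and s3:GetPublicAccessBlock, and the bucket name fintech-backups is invented. The inline-policy check goes slightly beyond the "full *:* administrative privileges" case the CIS benchmark names and also flags service-wide wildcards such as s3:* on every resource.

```python
"""Offline checks for wildcard inline IAM policies and effectively public
S3 buckets. All inputs below are constructed samples, not the client's."""


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (severity, statement) for unconditional Allow statements on Resource "*".

    'critical' is the CIS "full *:* administrative privileges" case; 'high' is a
    service-wide wildcard such as s3:*. Statements with a Condition are skipped
    because their effective scope needs manual review, not a pattern match."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = _as_list(stmt.get("Action"))
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if "*" in actions:
            findings.append(("critical", stmt))
        elif any(a.endswith(":*") for a in actions):
            findings.append(("high", stmt))
    return findings


PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_grants_public_access(bucket_policy):
    """True if any unconditional Allow statement names the anonymous principal."""
    return any(
        stmt.get("Effect") == "Allow" and "Condition" not in stmt
        and _principal_is_anyone(stmt.get("Principal"))
        for stmt in _as_list(bucket_policy.get("Statement"))
    )


def acl_grants_public_access(acl):
    """True if the bucket ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(grant.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS
               for grant in acl.get("Grants", []))


def bucket_is_public(public_access_block, bucket_policy=None, acl=None):
    """Combine the settings the way S3 evaluates them: IgnorePublicAcls neutralises
    public ACL grants and RestrictPublicBuckets neutralises a public bucket policy.
    The two Block* flags only stop new public settings from being written, so they
    do not make an already-public bucket private."""
    pab = public_access_block or {}
    via_acl = acl_grants_public_access(acl or {}) and not pab.get("IgnorePublicAcls", False)
    via_policy = (policy_grants_public_access(bucket_policy or {})
                  and not pab.get("RestrictPublicBuckets", False))
    return via_acl or via_policy


# Constructed sample inputs.
ADMIN_INLINE_POLICY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_INLINE_POLICY = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Action": ["s3:GetObject", "s3:PutObject"],
                                       "Resource": "arn:aws:s3:::fintech-backups/*"}]}
PUBLIC_READ_POLICY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Principal": "*",
                                     "Action": "s3:GetObject",
                                     "Resource": "arn:aws:s3:::fintech-backups/*"}]}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}]}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
NOTHING_BLOCKED = {key: False for key in ALL_BLOCKED}
```

In a live review the same functions are fed the output of `aws iam list-user-policies` / `get-user-policy` for every user, group and role, and `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` for every bucket (the account-level public access block, from `aws s3control get-public-access-block`, overrides the bucket-level one and should be read first).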

Web Application Testing 

Next, we turned to the web application, which ran on WordPress. Following the Exfinity testing methodology, we applied test cases specific to WordPress environments. The testing revealed several vulnerabilities, some of which posed critical risks to the overall infrastructure. Notable findings included: 

  • Sensitive AWS Credentials Exposure: A WordPress backup file containing an AWS access key ID and secret access key was reachable, granting unauthorized access to the AWS environment, including backup files. This finding was especially dangerous because it could have led to a significant data breach. Because the inline policy misconfigurations had already been corrected during the AWS configuration review, the exposed credentials could not be used to escalate within the account; tightened policies limit what a leaked key can do, but they are no substitute for revoking the key and removing the backup file from the web root. 
  • CIBIL API Vulnerability: Another critical issue was found in the website's CIBIL API integration. Improper handling of the OTP (One-Time Password) verification response allowed that response to be manipulated, which could let unauthorized individuals pass the OTP check and generate detailed CIBIL reports, seriously compromising user privacy and data security. 

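The credential exposure above is found by probing for stray copies of wp-config.php and scanning whatever comes back for AWS key material. The block below is an added example for this page, not Exfinity's scanner: the sample backup content is constructed, its key pair is the AWS documentation example credential (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) rather than a live key, and the list of backup filenames is an assumed probe list, not the path found on the client's site. It performs no network requests; the URL builder only produces the list a tester would feed to a fetcher.

```python
"""Scan recovered WordPress backup content for embedded AWS credentials.
Sample content and key pair are constructed (AWS documentation example key)."""
import math
import re

# Access key IDs: 4-letter prefix (AKIA long-term user key, ASIA temporary STS key)
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys: 40 characters from the base64 alphabet. On its own the
# pattern is noisy, so a candidate is only reported from a line that also
# mentions "secret" and only if it looks random (entropy check).
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)

# Assumed probe list: names under which editor and backup copies of
# wp-config.php commonly end up web-reachable.
WP_CONFIG_BACKUP_NAMES = [
    "wp-config.php.bak", "wp-config.php.old", "wp-config.php.orig",
    "wp-config.php.save", "wp-config.php.txt", "wp-config.php~", "wp-config.bak",
]

SAMPLE_BACKUP = """\
<?php
/* constructed sample of a leaked wp-config.php.bak */
define('DB_NAME', 'wp_prod');
define('DB_PASSWORD', 'hunter2');
define('AWS_ACCESS_KEY_ID', 'AKIAIOSFODNN7EXAMPLE');
define('AWS_SECRET_ACCESS_KEY', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
define('WP_DEBUG', false);
"""


def shannon_entropy(s):
    """Bits per character; a genuine 40-character secret scores well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def backup_probe_urls(base_url):
    """URLs to request for each candidate backup name (no requests made here)."""
    base = base_url.rstrip("/")
    return [f"{base}/{name}" for name in WP_CONFIG_BACKUP_NAMES]


def find_aws_credentials(text, min_entropy=3.5):
    """Return access key IDs and likely secret keys with the line they sit on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "type": "access_key_id", "value": m.group(1)})
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_RE.finditer(line):
                if shannon_entropy(m.group(1)) >= min_entropy:
                    findings.append({"line": lineno, "type": "secret_access_key",
                                     "value": m.group(1)})
    return findings


def pair_credentials(findings):
    """Pair each secret with the nearest preceding access key ID: the
    combination an attacker would drop straight into `aws configure`."""
    pairs, pending_id = [], None
    for f in findings:
        if f["type"] == "access_key_id":
            pending_id = f["value"]
        elif f["type"] == "secret_access_key" and pending_id:
            pairs.append((pending_id, f["value"]))
            pending_id = None
    return pairs


def redact(value, keep=4):
    """Report form: never paste a full secret into a findings document."""
    return f"{value[:keep]}...{value[-keep:]}"
```

Once a pair is confirmed, the key ID is enough to identify the owning IAM user (`aws sts get-caller-identity` with the leaked pair, or `aws iam list-access-keys` from an administrator's session) so the key can be deactivated and rotated; the redacted form is what goes into the report.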
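The OTP finding is an instance of a client-controlled verification result. The example below is added for this page and is not Exfinity's code or the CIBIL integration itself: the page does not show how that API actually behaved, so the "vulnerable" functions assume one common shape of the flaw (the OTP echoed in the API response, and a client-supplied "otp_verified" flag trusted by the report endpoint), and the hardened gate shows the server-side state that closes it. Names such as OtpGate, send_otp and otp_proof are invented for the example.

```python
"""Vulnerable versus hardened OTP gating of a sensitive report. The vulnerable
functions are an assumed reconstruction of the flaw class; the hardened gate
keeps every piece of verification state on the server."""
import hashlib
import hmac
import json
import secrets
import time


def _new_otp():
    return f"{secrets.randbelow(10**6):06d}"


# --- Vulnerable pattern (assumed shape, shown for contrast) ----------------

def vulnerable_send_otp(user_id):
    # BAD: the OTP is returned in the API response, so whoever made the
    # request learns it without ever seeing the user's phone.
    return {"status": "success", "user_id": user_id, "otp": _new_otp()}


def vulnerable_get_report(request):
    # BAD: the verification result is read from the client request, so an
    # attacker simply sends "otp_verified": true.
    if request.get("otp_verified") is True:
        return {"report": f"detailed report for {request['user_id']}"}
    return {"error": "otp not verified"}


# --- Hardened pattern -----------------------------------------------------

class OtpGate:
    """Server-side OTP state: HMAC of the OTP, expiry, attempt counter, and a
    short-lived signed proof that only the report endpoint accepts."""

    def __init__(self, server_key, ttl=300, max_attempts=3, proof_ttl=60):
        self._key = server_key
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._proof_ttl = proof_ttl
        self._pending = {}  # user_id -> [otp_mac, expires_at, attempts]

    def _mac(self, *parts):
        msg = ":".join(str(p) for p in parts).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def send_otp(self, user_id, now=None):
        """Store only the HMAC of the OTP. The plaintext goes to the SMS channel
        and is never placed in the HTTP response; it is returned here purely to
        stand in for that delivery."""
        now = time.time() if now is None else now
        otp = _new_otp()
        self._pending[user_id] = [self._mac("otp", user_id, otp), now + self._ttl, 0]
        return otp

    def verify_otp(self, user_id, otp, now=None):
        """Return a signed proof on success, None on any failure."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return None
        otp_mac, expires_at, attempts = entry
        if now > expires_at or attempts >= self._max_attempts:
            del self._pending[user_id]  # expired or brute-forced: discard it
            return None
        entry[2] += 1
        if not hmac.compare_digest(otp_mac, self._mac("otp", user_id, otp)):
            return None
        del self._pending[user_id]  # one-time: a correct OTP cannot be replayed
        payload = json.dumps({"uid": user_id, "exp": int(now) + self._proof_ttl},
                             separators=(",", ":"))
        return f"{payload}.{self._mac('proof', payload)}"

    def check_proof(self, token, user_id, now=None):
        """Validate signature, binding to this user, and expiry of a proof."""
        now = time.time() if now is None else now
        payload, _, sig = token.rpartition(".")
        if not payload or not hmac.compare_digest(sig.encode(),
                                                  self._mac("proof", payload).encode()):
            return False
        data = json.loads(payload)
        return data["uid"] == user_id and now <= data["exp"]


def hardened_get_report(gate, request, now=None):
    # The only thing that unlocks the report is a proof the server itself signed
    # after a successful verify_otp call; any client-supplied flag is ignored.
    if not gate.check_proof(request.get("otp_proof", ""), request["user_id"], now):
        return {"error": "otp not verified"}
    return {"report": f"detailed report for {request['user_id']}"}
```

The properties a tester should look for when retesting are all exercised here: the OTP never appears in a response, a wrong guess counts against a small attempt budget, the code expires, a correct OTP works exactly once, and the proof that gates the report is signed by the server, bound to the user and short-lived, so flipping a flag or reusing another user's proof fails.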
Outcome 

As a result of our penetration testing efforts: 

  • The client successfully mitigated critical vulnerabilities in both the AWS configuration and web application. 
  • Inline policy misconfigurations and public S3 access permissions were promptly corrected, greatly reducing cloud infrastructure risks. 
  • The web application’s vulnerabilities, including the exposed AWS keys and CIBIL API manipulation, were effectively neutralized. 

Recommendations 

To maintain a strong security posture, we recommended that the client: 

  • Immediately address all remaining identified vulnerabilities. 
  • Implement a quarterly security assessment schedule to proactively identify and mitigate new threats. 
  • Continuously assess both web applications and cloud infrastructure for compliance with industry standards and emerging security risks. 

This proactive approach will help ensure that the client remains secure in the face of evolving threats and continues to safeguard sensitive financial data. 

Conclusion 

Exfinity's assessment of the fintech revealed critical vulnerabilities in its AWS configuration and web application security. The review identified misconfigurations, including improperly configured inline IAM policies and public access to S3 buckets, which were promptly corrected, reducing cloud infrastructure risk. In web application testing, we discovered exposed AWS credentials and a CIBIL API OTP vulnerability, both of which were effectively addressed.