Bypassing a mobile’s advanced passcode lock to recover browser history
CCL was engaged by the client to conduct a security review and penetration test. The review consisted of an assessment of their web applications and supporting infrastructure, comprising an Application Security Assessment, a Web Services Security Assessment and an External Infrastructure Security Assessment.
Overcoming the Challenge:
For web application testing, CCL follow an engagement model developed in-house. This model provides a framework for CCL’s consultants to ensure that all aspects of an application are examined for vulnerabilities and weaknesses that could be exploited by an attacker to compromise the application.
CCL began by performing reconnaissance of the application to get an understanding of its structure and functionality. This allowed us to perform a targeted assessment against key areas of interest such as the authentication and authorisation functionality.
The web services were tested for a variety of implementation issues, such as session management flaws, and to ensure that malicious data cannot be submitted.
We performed a detailed analysis of the exposed services on the underlying web server. This enabled us to ascertain which weaknesses and vulnerabilities were present that could be leveraged by an attacker on the Internet.
The assessment highlighted serious vulnerabilities that were communicated to the client during the engagement. Doing so allowed the client to remediate these issues and have them retested within the assessment timeframe. These vulnerabilities included a way to bypass the authentication, a way to exfiltrate data, and a means to inject malicious code.
Consequently, we could verify that the client had resolved the most significant attack vectors present within their applications and supporting infrastructure.
Following the assessment, our report enabled the client to then prioritise their focus in remediating the remaining issues.