Security Testing for Campaign Management Web Application

CONTEXT

A US-based bank sought to conduct Dynamic Application Security Testing (DAST) on its campaign management web application using a structured Vulnerability Management Process. The application was developed using ASP.NET MVC, a framework by Microsoft, and had four distinct user roles and logins.

Challenges

Solution

  • Conducted both automated and manual Vulnerability Assessment and Penetration Testing (VAPT) to identify security vulnerabilities.
  • Created video Proof of Concepts (POCs) for all identified security threats during attack simulations.
  • Mapped the entire website, documenting each URL and parameter passed to ensure a comprehensive security assessment.
  • Executed the assessment with minimal interruption, identifying vulnerabilities, their impacts, and potential risks.
  • Used tools such as Burp Suite, Acunetix, Netsparker, Tenable Nessus, Nikto, and IronWASP to detect security vulnerabilities.
  • Performed a code review in collaboration with the development team to validate and remediate vulnerabilities directly.

Value Delivered

  • Identified and mitigated all security vulnerabilities while reducing false positives through manual verification.
  • Provided detailed information, proof of concept examples, and exploitation instructions for all identified threats.
  • Developed a centralized vulnerability tracker in Excel to help the IT asset owner monitor vulnerabilities, remediation status, and action items.
  • Implemented a centralized dashboard for managing vulnerabilities, along with a task force team for overseeing the entire security management activity.
  • Followed OWASP guidelines for conducting the Web Application Security Assessment.
  • Established a risk rating system based on the organization's Standard Operating Procedures.
  • Provided an overview of the engagement, outlining discovered vulnerabilities and recommendations for mitigation.