A charity needed to validate the security of their internal and external networks, as they had been relying on their IT provider to take care of all security related issues for the past few years, and wanted to have an unbiased third-party take a look.

As part of the prerequisites for the internal penetration test, various Active Directory users were created and provided to us by the IT provider. We noticed that all our users had the same password — a password with an awfully "default" feel to it. Based on this feeling, we attempted a password-spray attack against all AD users and discovered nearly 200 other users which had the same password set. Among the 200 identified users, was a domain administrator that belonged to the IT provider.

The client took the results of the internal and external penetration tests and immediately reached out to their IT provider to carry out the recommended remedial actions. We performed a retest one month after the initial penetration test was conducted and were able to confirm adequate remediation of the identified issues. As a result, the charity was able to vastly improve their security posture.

A rapidly growing company launched a complete overhaul of their carbon management platform. Before a major marketing push, they required a comprehensive security assessment to ensure user data, and backend infrastructure were secure from common and advanced threats.

To avoid storing password data, the client opted to send six-digit one-time passwords to users' e-mail addresses when they attempted to log in. To prevent attacks from simply brute-forcing the token, a rate-limit was implemented. During testing, we discovered that by prepending the e-mail address in the JSON body with a single space character, it was possible to bypass the rate-limit and thus try every possible token value for a given e-mail address until the correct one was found. As proof of concept, we demonstrated logging into an admin account belonging to one of the developers.

As soon as we informed the client about this vulnerability in their web application, they restricted access to the platform and worked non-stop until the issue was resolved. We promptly performed a retest to verify proper remediation, and the client was able to confidently carry on with their marketing push.