Vagari.ai LLC has created a Vehicle Rental App that lets auto dealers, fleets and other vehicle owners (Owners) provide vehicles to drivers, including those who drive for Uber or Lyft (Renters), in the rideshare and Transportation as a Service (TaaS) industry. Vagari.ai LLC is a frictionless mobility technology startup based in New York, USA, and the vehicle rental mobile app is their first product. The app lets Owners earn incremental revenue on idle inventory, and lets Renters use vehicles at a subscription price and, if they wish, purchase the vehicle over a period of time.
Our penetration test of Vagari covered the following.
We pinpointed potential avenues of network attack: internet-connected servers and network equipment through which individuals outside Vagari, lacking appropriate rights or credentials, might gain access.
We then conducted a mock attack to test the security controls, and developed and presented a cybersecurity assessment of the findings together with solutions and recommendations that Vagari can use to remediate each issue.
Trusted Hands Financial Services Private Limited is a Kerala-based company in the activities auxiliary to financial intermediation sector. It is a consumer-focused financial services and technology platform that solves the problems of discovery, shortlisting, application, management and servicing of bank loans and other borrowing options. Trusted Hands Financial Services (THFS) aims to change the way customers take and manage loans, enabling them to achieve financial freedom by making the right choice at the right time.
Requirement: Internal / External Pentesting, Vulnerability Assessment, Solution
The Customer needed to test the security controls deployed within their IT infrastructure.
The Offenselogic team conducted black box penetration testing of the external perimeter of the Customer's network. The ethical hackers were unable to penetrate the network without credentials, so they proceeded with grey box testing: using ordinary user login details, but without access to the entire network. Grey box penetration testing revealed that one of the Customer's remote servers was vulnerable to external manipulation.
Our security engineers then scanned the Customer's internal network for vulnerabilities and exploited the ones they discovered, again using the grey box method. Among the findings was a server that still accepted HTTPS connections over an obsolete protocol version, a critical issue in a banking environment that stores clients' data.
The Customer received detailed reports of the network vulnerability assessment, the penetration test and the security risk assessment of the client-facing digital channels, with recommendations to mitigate the discovered vulnerabilities. After fixing all the issues according to the provided remediation plan, the Customer ran a retest, which confirmed the improved security of both the network's external perimeter and the internal environment.
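The "obsolete protocol version" finding above is the kind of thing a tester confirms by pinning a client to one TLS version at a time and seeing which handshakes the server still completes. The script below is an added example, not Offenselogic's tooling or part of this case study; the target host is a placeholder and the severity labels are an assumed rating (TLS 1.0 and 1.1 are deprecated by RFC 8996 and disallowed by PCI DSS, which is why a bank should not offer them).

```python
"""Probe which TLS protocol versions an HTTPS endpoint accepts and grade the result.

Added example; the host on the command line is whatever you are authorised to test.
"""
import socket
import ssl
import sys

# Versions in the order they were standardised. Anything below TLS 1.2 is
# deprecated (RFC 8996); SSLv3 and older are not even offered by current OpenSSL.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
OBSOLETE = {"TLSv1.0", "TLSv1.1"}


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing protocol support, not the cert chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses legacy versions at its default security level,
            # so lower it for the probe only; never do this in production code.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # SSLError: server refused the version; OSError: network; ValueError:
        # this OpenSSL build cannot even be configured for that version.
        return False


def scan(host, port=443):
    """Map each TLS version name to whether the server accepted it."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def assess(supported):
    """Turn a {version: accepted} map into (severity, message) findings.

    Pure function, so the grading can be unit-tested without a network.
    """
    findings = []
    accepted = {name for name, ok in supported.items() if ok}
    obsolete = sorted(accepted & OBSOLETE)
    if obsolete:
        findings.append(("HIGH", "accepts deprecated protocol(s): " + ", ".join(obsolete)))
    if "TLSv1.3" not in accepted:
        findings.append(("LOW", "TLS 1.3 not offered"))
    if not accepted:
        findings.append(("INFO", "no TLS version negotiated; host down or not TLS"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    result = scan(target)
    for name, ok in result.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    for severity, msg in assess(result):
        print(f"[{severity}] {msg}")
```

Run it as `python tls_probe.py bank.example` against a host you are authorised to test. A server that answers `accepted` for TLSv1.0 or TLSv1.1 is the finding described in the case study; the fix is to restrict the server's minimum version to TLS 1.2 and retest with the same script.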
MotoNerdz provides access to global motorcycle accessories, parts and superbike service at an affordable rate. They have a website as well as an online portal for selling parts and accessories.
MotoNerdz's main requirement was protecting customer data and the payment gateway in their sales portal. The challenge was to provide complete data protection, both at rest and in transit, in line with GDPR, and to make the sales portal considerably more secure and compliant with PCI DSS.
We conducted security checks of their website and sales portal against industry-specific checklists, and a thorough security scan of their cloud architecture. We found many vulnerabilities, including several from the OWASP Top 10, in the website and sales portal. We gave the client a report covering all of the vulnerabilities with proofs of concept, classified each bug by severity and set a deadline for fixing it, and our team worked with the development team to fix the bugs.
To protect data privacy, we discovered and classified the sensitive data according to industry standards such as PCI DSS and GDPR, enabled proper access control to prevent unauthorised access, and encrypted all sensitive data so that it remains protected even if it is stolen. For the payment gateway, we applied the RBI guidelines and the relevant international requirements so that each transaction is secure and user data, including personal details, card details and account numbers, is protected. Once all of this was complete, our team re-audited the website, sales portal and cloud to confirm that every vulnerability had been fixed correctly.
Innovation Incubator is industry’s first to offer a unique model of combining technology partnership, incubation, and domain/tech acceleration capabilities for founders. Combining state of the art services with access to a global ecosystem allows us to create the next big start-up or product.
As a highly reputed company, they want their website and cloud data to be secure and available at all times, and they want assurance that the website is free from OWASP Top 10 vulnerabilities.
Our challenge was to test the website for the OWASP Top 10 vulnerabilities and to fix all identified threats in line with international standards within the stipulated time.
We carried out black box and white box penetration testing of the entire website and cloud infrastructure based on industry-centric security checklists. The testing uncovered many vulnerabilities in both the website and the cloud infrastructure, which we categorised as critical, high, medium or low by severity, and we prepared detailed reports with proofs of concept for addressing them.
Almost all of the identified vulnerabilities were related to insecure coding practices. We therefore assigned each severity level a deadline by which issues of that level had to be fixed, and during that period our team supported the developers closely so the issues could be fixed quickly. After the fixes were complete, our team re-audited the website and cloud to verify that they had been done correctly.
Direign investigates various businesses, together with their digital tools and methods, in order to explore and transform their industries radically. They help deliver enhanced user experience, performance and value through novel ideas. They currently have several products, 1000x, Creative Commerce and eDiscovery, in the domains of marketing and influence, commerce and education respectively.
Direign wanted their website, cloud infrastructure and products to be secure in every way. Because Direign's products sit in different domains, we had to check each product against a different set of compliance requirements, including GDPR and PCI DSS, and we also had to keep the website and products available at all times by protecting them against DDoS attacks.
We conducted security testing of the entire website, cloud and backend along with their various product portfolios. We uncovered many business-critical vulnerabilities, all of which were reported with proofs of concept, and worked closely with the development team on the resulting configuration and code changes. We addressed the data security issues by properly segmenting sensitive data and deploying DLP solutions. After completing all testing, reporting and fixing activities, we re-audited the website and cloud infrastructure along with the products to make sure that every vulnerability had been fixed.
Agdhi is an agri-tech startup that leverages artificial intelligence, machine learning, photometry and computer vision to offer efficient methods for seed classification and seed quality analysis. Agdhi's products are SeedVision and Planto. With SeedVision, each seed is analysed for its phenotypic characteristics using ML algorithms that predict yield outcomes, provide seed health insights and take action based on those insights. Planto is a mobile platform backed by crop-level data mapped across a plant's entire life cycle; it helps farmers detect potential crop damage early and provides analysis and suggestions on the health of the crop.
Agdhi's website, APKs, cloud infrastructure and GitHub repositories all had security issues. One of their main concerns was that client data, both at rest and in transit, must not be leaked or compromised in any way, which was a business-critical requirement. A second requirement was that the website, APKs, cloud infrastructure, GitHub repositories and payment gateway be properly secured and free from the OWASP Top 10 and other common vulnerabilities. A third concerned the standalone SeedVision appliance deployed on the client's premises: how secure it is when it connects to the internet from the client's site, whether man-in-the-middle attacks are possible when it connects to the server over the client's connection, how data at rest is protected on both the device and the server, and the security of the overall infrastructure.
We started on these requirements with custom, detailed penetration testing based on international standards such as the OWASP Top 10, OSSTMM and NCCI-CCI across their entire infrastructure, which includes the website, admin panel, cloud, APKs, GitHub repositories and payment gateway. We found many critical vulnerabilities, including host redirection, information leakage in URLs, cleartext data traffic, insecure TLS connections, insufficient or insecure cryptography, SQL injection, and CSRF in code held in the GitHub repositories.
We provided them with a detailed solution, including the configuration and code changes needed to avoid common security vulnerabilities. To protect data privacy, we discovered and classified the sensitive data according to industry standards such as PCI DSS and GDPR. We deployed next-generation firewalls to keep undesirable traffic out of the network and an IDS for deeper packet inspection of network traffic. We also deployed DLP solutions to ensure that sensitive data cannot be deleted, removed, moved or copied without authorisation, and enabled access control mechanisms that lock the system when malicious or unknown usage occurs. All sensitive data is now encrypted, so that it remains protected even if it is stolen. For the payment gateway, we applied the RBI guidelines and the relevant international requirements so that every transaction is secure and user data, including personal details, card details and account numbers, is protected. Finally, we implemented a Software Defined Perimeter (SDP) based on Zero Trust network principles to secure Agdhi's infrastructure as a whole.
Familheey is a mobile app that enables individuals to connect, engage and grow. Familheey's focus on communities makes it an ideal platform for non-profit organisations working on community-based projects in India and abroad. It also helps doctors and healthcare workers fight the pandemic with the support of their communities. Familheey enables you to stay connected with your personal, professional and social networks.
Familheey engaged the Offenselogic team to evaluate the overall security of certain web applications and to check whether their customers' sensitive information was properly protected.
To carry out high-quality, comprehensive testing of the web applications, Offenselogic's penetration testers used the OWASP Top 10 methodology, which identifies the most critical security flaws in web applications and provides detailed guidance on eliminating the vulnerabilities detected. To ensure accurate results, Offenselogic's team combined manual and automated testing tools and techniques.
During the test, Offenselogic's specialists applied a range of testing methods to evaluate the resistance of the web apps to SQL injection, cross-site scripting and cross-site request forgery, and to detect security misconfigurations, components with known vulnerabilities, unvalidated redirects and forwards, and more. The pentesters also performed brute force attacks to check the reliability of the authentication controls.
Penetration testing revealed several vulnerabilities, falling into four of the categories defined in the OWASP methodology. To help the Customer close these gaps, Offenselogic provided a list of feasible measures to restore the required level of security and customer data protection in the shortest possible time.
Offenselogic's experts drew up a detailed remediation plan and recommended that the Customer focus first on the authentication and data validation issues, as these are fundamental to protecting sensitive information.
MedRabbits is a Home Healthcare service provider, which offers services within the customer’s home which can be booked either through the mobile app, Business WhatsApp or by calling the customer-care team. The company also offered home quarantine packages which consist of various services like doctor consultation, physio and nurse consultation, remote monitoring device subscriptions, etc.
Given the critical nature of the healthcare environment, healthcare applications must meet requirements for the privacy, confidentiality and integrity of sensitive patient information. The user data the app collects must not be leaked or compromised in any way, which was a business-critical requirement.
We started on their requirements with custom, detailed penetration testing based on international standards such as the OWASP Top 10, OSSTMM and NCCI-CCI across their entire infrastructure, and found many critical vulnerabilities. Using OWASP-aligned static and dynamic analysis, the Offenselogic team found that the MedRabbits Android app in particular contained many weaknesses. Data storage is one: the app keeps information in SharedPreferences, which leaves the data unencrypted on the device where it can be read and edited by an attacker with device access or by a malicious app. Misconfigured databases, weak encryption, and insecure data storage and access controls were among the other findings, each of which makes sensitive data easy to extract.
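The SharedPreferences finding above is easy to reproduce: on a debuggable build (`adb shell run-as <package> cat shared_prefs/<name>.xml`) or a rooted device, the preferences file is a plain XML document, and any secret written to it is there in clear. The script below is an added example, not Offenselogic's tooling or MedRabbits' code; the XML it audits is constructed for illustration, and the key-name patterns it flags are an assumption about what typically counts as sensitive.

```python
"""Audit an Android shared_prefs XML file for plaintext secrets.

Added example. SAMPLE_PREFS is a constructed file in the format Android writes;
the key names and values are invented.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of what a pulled shared_prefs/session.xml might look like.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2ln</string>
    <string name="user_password">Summer2021!</string>
    <string name="patient_phone">+91-9900000000</string>
    <boolean name="dark_mode" value="true" />
    <int name="launch_count" value="7" />
</map>"""

# Key names that usually hold something an attacker wants (assumed list, extend per app).
SENSITIVE_KEY = re.compile(
    r"(pass|pwd|secret|token|api[_-]?key|session|cookie|phone|aadhaar|card)", re.I
)
# Three base64url segments separated by dots: the shape of a JWT.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def audit_prefs(xml_text):
    """Return one finding per entry that looks like a secret stored in clear.

    Each finding is {"key": name, "preview": masked value, "why": [reasons]}.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for entry in root:
        name = entry.get("name", "")
        # <string> keeps the value as text; numeric/boolean entries use a value attribute.
        value = entry.text if entry.tag == "string" else entry.get("value")
        if value is None:
            continue
        value = value.strip()
        reasons = []
        if SENSITIVE_KEY.search(name):
            reasons.append("sensitive key name")
        if JWT_SHAPE.match(value):
            reasons.append("JWT-shaped value")
        if reasons:
            # Mask the value in the report: the report itself must not leak the secret.
            findings.append({"key": name, "preview": value[:4] + "...", "why": reasons})
    return findings


def flagged_keys(xml_text):
    """Convenience wrapper: just the names of the offending keys."""
    return [f["key"] for f in audit_prefs(xml_text)]


if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS):
        print(f"{finding['key']}: {finding['preview']}  ({', '.join(finding['why'])})")
```

Point the script at a real pulled file by reading it into `audit_prefs` instead of `SAMPLE_PREFS`. Every flagged entry is a candidate for moving out of plain SharedPreferences: short-lived tokens belong in memory, long-lived secrets in the Android Keystore, and anything that genuinely must persist in `EncryptedSharedPreferences` or an equivalent store whose key never leaves the Keystore. Rerun the audit after the change; a correctly migrated file shows only ciphertext under opaque key names.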