Challenges
The CyberGlobal team encountered a range of technical and strategic challenges while testing a set of interconnected systems. The scope included three web applications, approximately 15 APIs, and one Docker container image.
These assets were verified externally and internally, using user credentials to simulate real-world access scenarios. All testing adhered to key compliance frameworks including NIST, OWASP, and HIPAA.
Over a four-week period, the CyberGlobal team conducted a focused penetration test on three web applications used by healthcare professionals and patients. Eighteen distinct security issues were identified, varying in severity from high to informational.
Notable risks included:
- insecure authentication mechanisms and insufficient brute-force mitigations.
- session persistence vulnerabilities (JWT-based authentication).
- unfiltered file uploads.
- broken access controls (authorization bypass through direct HTTP requests).
- a Docker container image that relied on outdated, vulnerable dependencies.
To uncover these issues, the team tested all publicly accessible systems from an outside perspective, using accounts provided by the client to simulate real user activity. Using the OWASP Testing Guide, experts verified how users with different roles could access the system to spot issues like unauthorized access to data (IDOR).
Next, APIs were examined in detail to uncover security weaknesses, and virtual tools were set up to simulate how medical imaging systems behave in real time.
Lastly, the team reviewed how data protocols and workflows functioned to make sure everything operated securely.
A combination of industry-standard tools was used to enable a deep, thorough evaluation, including:
- Burp Suite (with extensions)
- Nuclei
- Testssl
- Authorize
- Dalfox
- GAU
- Acunetix
- Nmap
- Nessus
These findings were documented in a clear, actionable report designed to support swift remediation and future risk reduction.
Solutions
After identifying critical security risks in the healthcare organization’s systems, CyberGlobal took immediate steps to help the client strengthen their defenses, such as:
- applying software patches.
- updating outdated components.
- making key configuration changes to close known vulnerabilities.
These technical updates were essential in reducing the risk of exploitation.
To further reinforce protection, CyberGlobal introduced multi-factor authentication (MFA) to prevent unauthorized access, along with anti-automation measures to block brute-force and scripted attacks.
In collaboration with the client’s development team, secure coding practices were also recommended to prevent future vulnerabilities at the source. These combined efforts not only addressed existing issues but also helped create a more resilient and compliant security posture tailored to the healthcare sector’s unique needs.
Results
Following this comprehensive assessment, CyberGlobal discovered a serious weakness in one of the company’s medical applications. The login system relied only on a simple one-time password (OTP), and each patient had a unique URL that included their email address.
This setup made it easier for automated attacks to guess their way into patient accounts: the email in the URL already identified the account, so the short OTP was the only secret an attacker had to guess, and no username or password was required.
Because the client wanted to keep the OTP process, CyberGlobal recommended a safer approach, which included:
- adding stronger anti-automation protections, making OTPs harder to guess.
- removing email addresses from URLs.
- introducing two-step authentication.
These changes helped strengthen security without making the app harder for users.
The main lessons learned were the importance of using multi-step authentication, setting limits on how often sensitive information can be requested, and avoiding predictable link structures.
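The following is an added illustration, not CyberGlobal's or the client's code, of the three recommendations above applied to an OTP-only login: the link carries an opaque, randomly generated challenge id instead of the patient's email, each challenge allows only a handful of guesses before it is burned, repeated burned challenges lock the account for a cooling-off period, and the OTP comparison is constant-time. The class name, limits and the `guess_success_probability` helper are all assumptions chosen for the example; a real deployment would keep the challenge store in a shared backend rather than in memory.

```python
"""Added example (not from the original case study): an OTP login flow that
removes the account identifier from the URL and rate-limits OTP guesses."""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6               # assumption: 6-digit numeric OTP, as is common
MAX_ATTEMPTS = 5             # guesses allowed per challenge before it is burned
CHALLENGE_TTL_SECONDS = 300  # OTP expires after five minutes
LOCKOUT_SECONDS = 900        # per-account lockout after a burned challenge


@dataclass
class Challenge:
    email: str
    otp: str
    created_at: float
    attempts: int = 0


class OtpService:
    """In-memory OTP service; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._challenges: dict[str, Challenge] = {}  # opaque id -> challenge
        self._locked_until: dict[str, float] = {}    # email -> unlock time

    def start_login(self, email):
        """Create a challenge and return (challenge_id, otp).

        Only challenge_id goes into the login link; the OTP is delivered
        out of band. The email never appears in the URL, so an attacker
        cannot enumerate or target accounts from the link structure."""
        if self._locked_until.get(email, 0.0) > self._now():
            raise PermissionError("account temporarily locked")
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        challenge_id = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._challenges[challenge_id] = Challenge(email, otp, self._now())
        return challenge_id, otp

    def verify(self, challenge_id, submitted):
        """Return True on a correct, unexpired OTP; burn the challenge after
        MAX_ATTEMPTS wrong guesses and lock the account."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return False
        if self._now() - ch.created_at > CHALLENGE_TTL_SECONDS:
            del self._challenges[challenge_id]
            return False
        ch.attempts += 1
        # constant-time comparison avoids leaking matching prefixes via timing
        if hmac.compare_digest(ch.otp, submitted):
            del self._challenges[challenge_id]  # single use
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[challenge_id]
            self._locked_until[ch.email] = self._now() + LOCKOUT_SECONDS
        return False


def guess_success_probability(digits, attempts):
    """Chance that `attempts` blind guesses hit a uniformly random OTP.

    Without a limit the attacker can try all 10**digits values; with
    MAX_ATTEMPTS=5 on a 6-digit code the odds per challenge are 5 in a
    million, which is what the anti-automation control buys."""
    return attempts / 10 ** digits


if __name__ == "__main__":
    svc = OtpService()
    cid, otp = svc.start_login("patient@example.com")  # constructed sample
    print("login link would carry:", cid)
    print("verify with real OTP:", svc.verify(cid, otp))
    print("odds of 5 blind guesses:", guess_success_probability(OTP_DIGITS, MAX_ATTEMPTS))
```

Note that the lockout keyed on the email address still lets an attacker who knows an address deny that patient service for LOCKOUT_SECONDS; pairing the per-account limit with a per-source-IP limit, or with a CAPTCHA step after the first burned challenge, keeps the guessing bound without turning the control into a denial-of-service lever.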
While the client was caught off guard by the issue, they valued the insight and took quick steps toward fixing it.