Challenges
CyberGlobal UK was tasked with assessing the security posture of a critical web application.
Conducted over five days (March 17–21), the assessment was scoped against PCI DSS requirements and covered both authenticated and unauthenticated testing.
The team combined manual testing with Burp Suite, Acunetix, Nessus, and Nuclei, and used testssl, nmap, and sslscan to assess TLS certificates and server configuration.
Key findings included the following:
| Severity Level | Vulnerability Description |
|---|---|
| High | Stored Cross-Site Scripting (XSS) |
| High | Malicious File Upload: Unrestricted Upload of File with Dangerous Types |
| Medium | Missing Rate Limiting Mechanism |
| Medium | Outdated Software: Usage of Old and Vulnerable JavaScript Library |
| Medium | User Enumeration Through Forgot Password Message Discrepancy |
| Low | Other low-risk vulnerabilities identified during testing |
| Informational | Informational findings relevant to security posture and improvement opportunities |
Each finding was manually validated and reported with actionable remediation guidance. This gave the client what it needed to improve the application's security and remain compliant in one of the most heavily targeted industries.
Solutions
Following the penetration testing assessment, CyberGlobal UK proposed a set of targeted remediation steps to address the identified risks, including:
- Applying consistent, context-appropriate output encoding wherever user-controlled data is rendered, to eliminate the stored XSS and similar injection into pages.
- Redesigning the upload handling so that stored filenames are generated on the server and the allowed file types are enforced server-side, rather than trusting the client-supplied name.
Input validation was also tightened across the application so that only expected, well-formed data is processed. To address the missing rate limiting, the team recommended limiting request frequency on sensitive endpoints (such as the forgot-password flow) and applying tighter controls around user actions.
These combined efforts are designed to significantly reduce exposure and reinforce the overall resilience of the client’s web application.
Results
The security assessment revealed several high-risk vulnerabilities, including:
- Unrestricted file uploads, which could lead to remote code execution.
- Insufficient authorization controls, exposing sensitive data and functions.
- Inadequate input validation, increasing the risk of cross-site scripting (XSS) attacks.
After the client applied targeted fixes, such as stricter input validation, tighter file upload restrictions, and improved access controls, CyberGlobal UK concluded that the residual risk is minimal, based on the reduced severity of the findings after remediation and its experience with similar environments.
Key lessons from this engagement include:
- Validate and restrict file uploads rigorously.
- Enforce proper authorization checks on all endpoints.
- Use input validation and output encoding to prevent injection attacks.
- Apply security rules consistently at the server level, not just on the client side.
- Schedule regular assessments to stay ahead of emerging threats.
The client praised the assessment for its depth, clarity, and actionable recommendations, finding the entire engagement valuable and well-aligned with their expectations.