Web & Mobile Pentest
Fintech Product - PCI DSS Compliance
Comprehensive security assessment of web and mobile applications for a fintech client, ensuring secure financial transactions and protection of user data, supporting annual PCI DSS compliance testing.
Project Overview
Industry
Fintech
Test Type
Web & Mobile Black-box Test
Duration
3 weeks
Challenges & Objectives
Challenge
Applications handling sensitive personal and financial data with complex business logic that could be exploited if not properly secured.
Objectives
- Black-box vulnerability testing of the web and mobile platforms
- Focus on OWASP Top 10 and business logic flaws
- Validate mobile security: SSL pinning, encryption, data storage
Methodology
Attack Simulation
Simulated real attacker behavior on web and mobile
Tool-based Testing
Burp Suite, OWASP ZAP, and advanced manual testing
Mobile Analysis
Reverse engineering and secure storage validation
Business Logic Review
API security, authentication, and authorization testing
Key Findings (3 vulnerabilities)
Client Source Code Leak (CWE-204)
Mobile application source code was exposed, revealing API keys and business logic that an attacker could use to target the backend.
Business Logic: Users Can Change Email (CWE-471)
Users can change their account email without verifying the old email address or re-entering their password, creating a risk of account takeover.
Business Logic: Delete Signed-In User (CWE-840)
Users can delete their account without a confirmation step or proper security checks, leading to accidental or attacker-triggered data loss.
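As an added illustration (not code from the engagement or the client's application), this is the hardened shape of the two business-logic flows above: an email change requires the current password and a token confirmed from the old address, and account deletion requires re-authentication plus an explicit confirmation. The account model, helper names and sample credentials are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    password_hash: bytes
    salt: bytes
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None
    deleted: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(acct: Account, password: str) -> bool:
    # Constant-time comparison avoids leaking hash bytes via timing.
    return hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)


def change_email_unverified(acct: Account, new_email: str) -> None:
    # The flawed pattern from the finding: the address is swapped with no
    # re-authentication and no confirmation sent to the old mailbox.
    acct.email = new_email


def request_email_change(acct: Account, password: str, new_email: str) -> str:
    # Step 1: require the current password, then stage the change behind a
    # random token. The token must be delivered to the OLD address only.
    if not verify_password(acct, password):
        raise PermissionError("re-authentication failed")
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    return acct.pending_token


def confirm_email_change(acct: Account, token: str) -> bool:
    # Step 2: the change takes effect only when the owner of the old
    # mailbox presents the token; anything else is rejected.
    if acct.pending_token is None or not hmac.compare_digest(token, acct.pending_token):
        return False
    acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
    return True


def delete_account(acct: Account, password: str, typed_confirmation: str) -> bool:
    # Deletion is destructive: demand the password and an explicit phrase.
    if not verify_password(acct, password):
        raise PermissionError("re-authentication failed")
    if typed_confirmation != "DELETE":
        return False
    acct.deleted = True
    return True
```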
Value Delivered
PCI DSS Compliance
Satisfied the annual application penetration testing requirement
Protected User Data
Identified code leaks and logic flaws, protecting intellectual property and customer data
Secure SDLC
Integrated business logic testing for continuous improvement