Case Study – The Healthy Mummy


Challenge

The Healthy Mummy (THM) is an Australian e-commerce site focussing on health, beauty and fitness. THM is featured daily in leading online and offline media, including TV, magazines, newspapers, websites, events and radio.
THM relies heavily on its web presence for customer engagement and for its business model, and was therefore looking for a trusted security provider to conduct an external vulnerability and penetration testing assessment of a number of its websites spread across Australia and the UK.


Key Objectives

The 4 key objectives of the engagement were:

  • Identify security flaws present in its web applications.
  • Identify security vulnerabilities that could allow a malicious attacker to gain unauthorised access to the THM website.
  • Baseline the level of security risk for THM’s web presence.
  • Remediate identified web application security flaws.

“We really value the flexible approach, and quick turnaround of the CyberDots team. They helped in surfacing & remediating our security challenges for our four Web Properties.”

Saurabh Bhola, Director – Digital Products & Analytics, The Healthy Mummy


Solution

CyberDots designed the assessment of THM’s websites and applications to evaluate the overall security posture of ‘TheHealthyMummy’.
CyberDots used a number of automated tools, manual testing techniques and the expertise gained over many years of experience to accomplish the goals set for the assessment.

To address the four key objectives above, the team at CyberDots performed the assessment in the following stages.

In the first stage, CyberDots gathered as much information about the applications and websites as possible. This was done using Open Source Intelligence (OSINT) and Internet footprinting techniques.

In the second stage, CyberDots investigated and listed the automated and manual tools required for conducting a comprehensive penetration test. CyberDots also documented and mapped the attack vectors to the deliverables, so that the four key objectives set at project initiation would be met.

Our approach consisted of approximately 80% manual and 20% automated testing. Below is a list of some of the major areas tested within the scope of this project:

  • Business Logic Testing
  • Error Handling
  • Authentication & Authorisation Testing
  • Input Validation Testing
  • Cryptography
  • Configuration and Deployment Management Testing
  • Session Management Testing
  • Client Side Testing
  • Identity Management Testing

The third stage consisted of time-intensive, white-hat manual testing tactics to emulate a potential attacker. Exploitation included, but was not limited to: SQL injection, command execution, LFI/RFI, lateral movement, privilege escalation and business logic flaws.

The final stage included documentation, analysis and reporting of all relevant findings, with screenshots and snapshots of all relevant details. Our primary objective was not just to find the vulnerabilities but also to highlight their root causes, so that THM could ensure all security gaps were closed permanently.

CyberDots prides itself on providing its customers with a complete security framework, starting with risk assessment and security architecture and extending all the way to logging, auditing, monitoring and alerting.
