Case Study – Penetration Testing Crypto Currency Exchange

Recently we performed a penetration test for a cryptocurrency exchange site; the complete case study of the engagement follows.

Introduction:

This case study covers a start-up company in India that launched a cryptocurrency exchange in the Indian market.

Challenges:  

  • The client's key business goal was to provide its customers with a safe and secure trading platform.
  • The client wanted assurance that the website and the mobile application were secure and contained appropriate security controls.
  • The client offered crypto coins such as Bitcoin, Ethereum, Litecoin and Ripple for trading on its platform.
  • The client expected us to go beyond a basic proof of concept for identified vulnerabilities: they wanted to know whether anyone could gain access to the wallets holding cryptocurrency in order to steal from them.

ISECURION’s Approach:

  • A combination of black-box and grey-box testing methodology was used to mimic all plausible attack scenarios.
  • Identified all entry points to the web and mobile platforms.
  • Performed different scenario-based attacks on the exchange.

Results:

  • At the initial stage of testing we found that the KYC process, in which a user uploads documents such as Aadhaar details, was vulnerable to malicious file upload, and we were able to execute shell code on the server.
  • While testing for SQL injection we found that the User-Agent header was vulnerable to blind SQL injection, which gave complete access to the database.
  • During the Android mobile application testing we were able to bypass the login mechanism, access other users' wallets and transfer their cryptocurrency to our wallet.
  • Complete user details, such as bank account number and IFSC code, were stored on the mobile device in clear text.
  • The mobile application was vulnerable to two-factor authentication bypass.
  • Users' cryptocurrency was stored in a hot wallet on the server, meaning the private keys are stored on the server; anyone who obtains the private keys can steal the coins.
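Two of the server-side findings above, the unrestricted KYC document upload and the blind SQL injection through the User-Agent header, come down to the same root cause: client-supplied data reaching the file system and the database unchecked. The block below is an added example written for this page, not the exchange's code or ISECURION's deliverable; it assumes a Python backend with SQLite, and the function names, table layout and sample requests are constructed. It shows the vulnerable logging pattern beside its bound-parameter form, a one-apostrophe probe a reviewer can use to tell the two apart, and the upload checks that reject a script disguised as an identity document.

```python
"""Added example (not from the original case study): server-side defences
for the KYC upload and User-Agent SQL injection findings. Names, table
layout and sample inputs are constructed for illustration."""
import secrets
import sqlite3
from pathlib import PurePosixPath

# --- Finding 1: KYC document upload ------------------------------------
# A KYC upload should only ever be an image or a PDF. Anything else
# (scripts, archives, double extensions) is rejected before it touches
# disk, and the stored name is chosen by the server, never by the client.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for a scanned ID card


def validate_kyc_upload(filename: str, data: bytes) -> str:
    """Return a server-chosen storage name, or raise ValueError.

    The client filename is consulted only for its *last* extension; the
    bytes must begin with the magic number of the declared type, and the
    returned name is random so it cannot be guessed or requested back
    under an executable extension.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload too large")
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return f"{secrets.token_hex(16)}{ext}"


# --- Finding 2: User-Agent header written into SQL ---------------------
# The exchange recorded the User-Agent of each login. A header is
# attacker-controlled input like any form field; formatting it into the
# query string makes the database parse it as SQL.
def open_audit_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_audit (user TEXT, user_agent TEXT)")
    return conn


def record_login_unsafe(conn: sqlite3.Connection, user: str, user_agent: str) -> None:
    # VULNERABLE pattern (the one the finding describes): string formatting.
    conn.execute(f"INSERT INTO login_audit VALUES ('{user}', '{user_agent}')")


def record_login_safe(conn: sqlite3.Connection, user: str, user_agent: str) -> None:
    # Hardened: bound parameters, so the header is data and never SQL.
    # Length-capping the header also keeps the audit table bounded.
    conn.execute(
        "INSERT INTO login_audit VALUES (?, ?)", (user, user_agent[:512])
    )


PROBE_UA = "Mozilla/5.0 (it's a test)"  # a lone apostrophe is enough to tell


def header_reaches_sql_parser(record_fn) -> bool:
    """Review probe: does an apostrophe in the header break the statement
    or alter what is stored? True means the header is parsed as SQL."""
    conn = open_audit_db()
    try:
        record_fn(conn, "alice", PROBE_UA)
    except sqlite3.Error:
        return True
    rows = conn.execute("SELECT user_agent FROM login_audit").fetchall()
    return rows != [(PROBE_UA,)]


if __name__ == "__main__":
    print("unsafe logger parses header as SQL:",
          header_reaches_sql_parser(record_login_unsafe))   # True
    print("safe logger parses header as SQL:",
          header_reaches_sql_parser(record_login_safe))     # False
    print("stored as:", validate_kyc_upload("id_card.png",
          b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

The probe deliberately uses nothing more than an apostrophe: on a string-formatted query it produces a database error, which is exactly the behaviour a blind injection tester looks for, while the parameterised version stores the header verbatim. The upload check does not trust the extension alone because a file can be renamed; the magic-number comparison is what stops a script with a `.png` suffix.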

Benefits:

  • ISECURION minimized security risk by assessing the customer's application vulnerabilities and recommending solutions with proven methods to enhance security.
  • The depth of coverage carried out by the team and the deliverables submitted helped the client not only identify technical and process-related vulnerabilities but also understand how to fix them.
  • The client complied with all regulations and gained the ability to focus on just the high-risk events and take immediate action.

In the next blog we will discuss the best security practices followed for securing a crypto exchange site.

About Manjunath NG

Manjunath is an information security enthusiast and Director at “ISECURION Technology and Consulting Pvt Ltd.”

7 thoughts on “Case Study – Penetration Testing Crypto Currency Exchange”

    1. Hi Akshay,

      Approach note is combination of Web and business logic flaws based on best practices for crypto exchange which we have developed.

      Regards,

      Manju

  1. We Want to Submit a High Quality Awareness Article for All Your Blockchain Users

    Hello,

    Just gone through your site and was wondering if you accept guest blog posting? We want to submit our top quality highly searched article on your website for all your crypto/blockchain users and in return we would want a reference link to our website.

    We are one of the leading DeFi wallet companies in Europe with the facility of card, wallet & exchange.
    Let us know if there is a way to submit guest posts on your website. We would love to submit our content piece on your website.

    Looking forward to your reply.

    Thanks & Regards,
    Team Eidoo

  2. Question from a complete noob in this world. Is there a specific regulation or governing body that requires crypto exchanges to pentest regularly? Hope this makes sense, thanks
