Skip to main content
Testing Network and Web App Security with Local Government

About the Client

The client is a local government, including the administration and representatives of their East Coast district.

Web Application Penetration Test

Objectives

The primary objective of the Web Application Penetration Test was to identify common vulnerabilities, such as those in the OWASP Top 10, as well as review the server for misconfigurations that might add risk to the environment. The test was conducted on a single web application.

Findings

Testing identified multiple vulnerabilities ranging from Medium to Low severity. Findings included a known cross-site scripting (XSS) vulnerability which could be exploited by sending a malicious link to a victim. Additional findings revealed an HTML injection vulnerability in a credit card processing form. An attacker could use this vulnerability to force the server to send a malicious web page.

Internal Network Penetration Test

Objectives

The primary objective of the Internal Network Penetration Test was to identify common vulnerabilities, such as those found in the PTES technical guidelines, as well as review the server for any misconfigurations that may add risk to the environment.

Findings

The test gave the client information regarding what a bad actor could do if they were to get on their network (i.e., through phishing attacks or insider threats). Specifically, as a result of testing, various vulnerabilities were identified, ranging from high to medium risk levels.
Included in the findings was Remote Code Execution (RCE) which allowed arbitrary commands on the server. Additionally, an unsupported operating system was found to have multiple vulnerabilities that could lead to a Denial of Service (DoS). It included Plaintext logins, which would allow adversaries onto the network to sniff the traffic and read the user credentials. Additional findings showed the utilization of out-of-date versions that could allow for the enumeration of usernames.

External Network Penetration Test

Objectives

The primary objective of the External Network Penetration Test was to enumerate Internet-facing ports and services and identify flaws and misconfigurations through manual and automated testing techniques.

Findings

As a result of testing, multiple vulnerabilities were identified across the IP addresses provided in the test scope. The highest severity issue pertained to SMTP Email Address Enumeration, where an adversary could validate employee email addresses based on server response messages. The other identified vulnerabilities relate to the support for out-of-date protocols on multiple systems and a self-signed certificate on one system.

Key Takeaways

Our team was able to walk the client through their reports which outlined suggested recommendations in order of importance to help them mitigate these vulnerabilities for a more empowered security stance. Every engagement with RedTeam Security provides clients with:

  • A clear understanding of the effectiveness of their existing information security program, training, monitoring, and system updating to keep things current.
  • How well their vendors manage the security posture of networks and web applications (for those with a 3rd party IT vendor).
  • A statement of assurance to provide to their customers that they are doing everything they should to keep their data and systems secure.
  • Outlined areas of focus for improving their overall security posture.

All identifying information has been changed to protect our clients and ensure absolute confidentiality.

Company

Local Government

Headquarters

United States

Industry

Cities and Government

Services Received

Web Application Penetration Testing, Internal/External Network Penetration Testing
Schedule a Consultation Learn more about Schedule a Consultation

More Case Studies

Hear What Our Clients Are Saying

  • Friendly, Professional, and Knowledgeable
    "Saint Paul College hired Red Team consultants to perform Web Applications vulnerability scanning and assessment. It was one of best group of people I worked with - from beginning to the end. Everyone I worked with was extremely cooperative, friendly, professional, and knowledgeable. They understand IT security very well. They worked around our schedules, were available when we needed them, and always on time. My staff and I thoroughly enjoyed our relationship with them. The consultants were focused/committed, pointed out the vulnerabilities and worked with my team to remediate them. Red Team also gave us detailed report about each web application. In all, it was a great experience working with Red Team and we will not hesitate to hire them again if needed.

    -Najam Saeed, CIO, Saint Paul College, Saint Paul, MN

  • Reliable and Consistent Communication
    "I hired RedTeam to do both a Network Penetration test and a Social Engineering test on my organization. From start to finish in building our relationship and contract plan all the way through the execution of both of our tests they were helpful, insightful, proactive in reaching out to me, and thorough in their follow up. During the tests I was in constant contact with their testers, getting results as they discovered them along with the full and detailed report afterwards. They not only found my issues, but gave me a very helpful and detailed guide to remedy the issues afterwards. I am going to continue my relationship with them. If you are looking for network testing I cannot recommend them enough."

    -Trevor Keller

  • Highly Skilled Team
    "Contacted RedTeam to do a penetration test. I was very impressed with their ability to perform, not only from a vulnerability analysis, but true "Pen" test to identify REAL risks. Was very impressed with their highly skilled people and resources."

    -Donald Schleede

View all Reviews View all Reviews