Pulsedive Takes a Pentest

A summary of Pulsedive's third party web application pentest with Vector0: process, findings, and remediation efforts.

We take user security and sustaining a culture of continuous improvement seriously. That's why Pulsedive recently engaged Vector0 to complete a third-party web application penetration test. Below, we share a summary of the process, findings, and remediation efforts.

Scope

In 2022, Pulsedive requested a source code-assisted web application security assessment by Vector0 for our production, development, and enterprise applications and supporting environments. The objective of the white-box pentest was to identify any potential vulnerabilities associated with Pulsedive's applications and supporting environments. The assessment included:

  • Pulsedive's frontend application
  • Community and Enterprise APIs
  • Backend ingestion code
  • Custom query language mapping ("Explore")

We provided Vector0 with full access to the web application, relevant code repositories, and Pulsedive's technical team for any questions or input throughout the assessment. We supplied three levels of account access to a deployed instance of our application, including an administrative view into backend logs, monitoring, and errors. Focus areas of the assessment included:

  • Authentication and authorization controls
  • Sensitive information leakage
  • Input validation and output encoding
  • Security misconfigurations and best practices
  • Encryption
  • Exposed administrative services or functions
  • Dynamic and static source code analysis

Findings

Based on the CVSS v3 framework, the report determined a "Moderate" overall risk. Vector0 discovered two significant findings, which were exploitable by user accounts with elevated access.

The findings included:

  1. Read permissions on file folders with sensitive information
  2. Missing input sanitization for an "administrator" account feature

Less severe bugs found by Vector0 included making the application freeze or throw errors by passing malformed data through the Pulsedive API. However, the team could not leverage these bugs to exploit Pulsedive's application. (Note from Pulsedive: thanks for the additional user testing insights!)

"With similar access (excluding the application source code) it would take a moderately sophisticated attacker with a high level of user permissions to exploit the application."

Remediation

Pulsedive remediated both findings based on Vector0's recommendations. During the subsequent retest, Vector0 validated that both were successfully remediated.

"With this document Vector0 attests that we have conducted a web application security assessment against all systems and applications listed in the Scope section. All findings and weaknesses discovered during the assessment have since been remediated."

As a result of this engagement, Pulsedive strengthened our security posture and addressed previously unknown security weaknesses. Overall, the assessment helps our team reinforce development and engineering security best practices and validate areas of strength. In this effort to be transparent with our community, we hope to support a more open and communicative approach to continuous security improvement in the industry.