The Project

An external web application penetration test of a finance and payments portal operated by a UK supply chain finance technology provider. The objective was to identify and assess vulnerabilities in the portal’s most sensitive functionality, focusing on the finance role and payment journeys across two user roles, with all testing performed safely against the live production environment.

BSS used a combination of automated and manual testing, following the OWASP Top 10 and the OWASP Web Security Testing Guide.

The Challenge

In a portal that handles payments across multiple user levels, access control is the critical security boundary. A flaw that lets one user reach another user’s data, or a lower-privileged account perform finance functions, would undermine the integrity of the platform.

The client needed those boundaries tested rigorously, but the assessment had to run against the live production environment without disrupting genuine users or triggering real transactions, and within tightly defined scope boundaries agreed before testing began.

The Solution

BSS began from an unauthenticated perspective, examining the portal’s exposed surface for vulnerabilities and misconfigurations, before moving to authenticated testing across both user roles.

The authenticated phase focused on injection vulnerabilities, privilege escalation and user access control, including cross-user access checks between the different user levels.

Testing combined automated scanning with manual techniques, structured around the OWASP Top 10 and the OWASP Web Security Testing Guide, and was supplemented by limited infrastructure checks of the supporting environment. Manual testing was confined to agreed business hours, scope exclusions were strictly observed to protect live transactions, and a contingency phase was built into the engagement to accommodate any additional scope discovered during testing.

The Outcome

BSS delivered a test report covering the assessed application, presenting the findings with supporting analysis and recommendations for remediation; the report was formally accepted by the client’s stakeholders.

The client gained an evidence-based view of how its finance and payment functionality stands up to attack from both unauthenticated and authenticated perspectives, with particular clarity over how its user role boundaries withstand attempts at privilege escalation and cross-user access. The engagement demonstrated that thorough security testing can be carried out against a live production platform without disruption to the business it supports.
