
Naffa Innovations Pvt Ltd

API Security Testing Assessment Report - TD

Date: 13th Feb 2025

Prepared By: RNR Consulting Pvt Ltd


Website: https://www.consultrnr.com//
Email: [email protected]

RNR Consulting Pvt. Ltd pg. 1


Table of Contents
1. Document Control (page 3)
2. Statement of Confidentiality and Limitations (page 4)
3. Timelines (page 5)
4. Scope (page 5)
5. Risk Rating (page 6)
6. Testing Methodology (page 7)
7. Information Gathering (page 8)
8. Executive Summary (page 8)
9. Assessment Overview (page 9)
10. Vulnerabilities Details (page 10)
11. Risk Evaluation and Conclusion (page 15)
12. Recommendation (page 15)



1. Document Control

Document Name: API Security Testing Assessment Report - TD
Report Version: 1.0
Pen Tester: Vatan Singh
Reviewer: Shalu Yadav
Client: Naffa Innovations Pvt Ltd
Vendor: RNR Consulting Pvt. Ltd.



2. Statement of Confidentiality and Limitations
All information contained in this document is confidential and proprietary to RNR Consulting
Pvt. Ltd. and Naffa Innovations Pvt Ltd. Reproduction, disclosure or use of any information
contained in this document by photographic, electronic or any other means, in whole or in part,
for any reason other than the operations / API penetration testing of Naffa Innovations Pvt Ltd
or its internal review, is strictly prohibited without written consent.

It is important to note that security assessments are inherently uncertain processes, dependent on
past experience, currently available information, and known threats. All information systems,
being dependent on human involvement, are vulnerable to some extent.

RNR acknowledges that it has identified the major security vulnerabilities in the APIs; however,
there is no guarantee that this assessment will uncover all possible vulnerabilities or provide a
comprehensive set of actionable recommendations for mitigating these risks. Additionally, this
analysis is based on the technologies and known threats present at the time of this report. As
both technologies and risks evolve, the vulnerabilities associated with Naffa Innovations Pvt Ltd
APIs and the measures required to address them will also change.

RNR does not commit to updating this report in light of new circumstances or information
that may arise after its publication, unless a specific written agreement for supplemental
analysis is established.

LIMITED LIABILITY

The API security assessment provides a snapshot of the current security problems of the APIs,
and it is limited in terms of time and personnel. Therefore, we cannot provide a 100% guarantee
that the system will stay secure over time.



3. Timelines
Assessment Start Date: 13th Feb 2025
Assessment End Date: 17th Feb 2025
Environment: Production
Assessment Type: Black Box

4. Scope
Project Name | Activity | APIs
TD | API Security Testing | Notify.tonetag.com



5. Risk Rating
S.No | Risk Rating | Description

1 | Critical | This level of vulnerability can allow attackers to take complete control of
mobile applications and application servers. By exploiting these vulnerabilities an attacker
could carry out a range of acts including information stealing, application defacing and
tricking users into doing unwanted activities. A vulnerability marked as “Critical” is
recommended to be handled with utmost priority.

2 | High | This level of vulnerability indicates the maximum risk associated with a
vulnerability instance. Such a vulnerability can allow attackers to completely compromise the
mobile applications and their data. An attacker can modify the application in such a way that
it behaves other than as intended. A vulnerability marked as “High” should be mitigated at
the earliest after “Critical risk” vulnerabilities are mitigated.

3 | Medium | Such a vulnerability may enable an attacker to exploit the application and
its data to a particular level, so that the attacker can gain low-level information about the
application. Such information can be used by an attacker to craft more specific attacks based
on the information collected. A vulnerability marked as “Medium Risk” should be mitigated at
the earliest after “High Risk” vulnerabilities are mitigated.

4 | Low | Such a vulnerability may allow an attacker to gain some information about the
application which was not intended to be known otherwise. The attacker may not have
exploitation techniques available at that instance based on the information revealed by the
system. A vulnerability marked as “Low Risk” can be mitigated soon after high and medium
risk vulnerabilities are mitigated.



6. Testing Methodology
RNR follows the recommended approach to web/API security testing, helping organizations ensure
that their applications are secure from common vulnerabilities and attacks.
- Preparation: Define the scope, objectives, and rules of engagement for the testing process.
- Information Gathering: Collect data about the application architecture, technologies used,
and potential attack vectors.
- Vulnerability Assessment: Identify and categorize vulnerabilities using both automated
tools and manual testing techniques.
- Exploitation: Attempt to exploit identified vulnerabilities to assess their impact and severity.
- Reporting: Document findings, including vulnerabilities, risk assessments, and remediation
recommendations.

Testing Categories
- Authentication Testing: Evaluates user authentication mechanisms, such as password
strength and multi-factor authentication.
- Session Management Testing: Assesses how sessions are managed, including session
fixation and expiration.
- Access Control Testing: Checks for proper implementation of authorization controls,
ensuring users can only access permitted resources.
- Input Validation Testing: Tests how the application handles user inputs to prevent injection
attacks and data corruption.
- Error Handling Testing: Analyses how errors are reported and handled, ensuring sensitive
information is not exposed.
- Cryptography Testing: Evaluates the implementation of encryption and secure data storage
practices.
- Business Logic Testing: Focuses on identifying vulnerabilities that arise from the
application’s business processes.

Tools & Techniques
- Nikto
- Burp Suite Pro
- Kali Linux
- Postman



7. Information Gathering
Information gathering is a crucial phase in the security assessment process, where details about
the target web application and its environment are collected. This step helps identify potential
vulnerabilities and understand the attack surface.

Objectives

- To collect data that aids in identifying weaknesses in the web application.
- To understand the architecture, technology stack, and dependencies of the application.
- To prepare for subsequent testing phases, such as vulnerability assessment and
penetration testing.

Here is the sample:

IP Address: 15.207.174.1
Domains: notify.tonetag.com



8. Executive Summary
RNR has performed API security testing. The goal of this assessment was to uncover any
vulnerabilities in the information system that could lead to unintended access. Additionally, it
aimed to evaluate the likelihood of an attacker exploiting these vulnerabilities and the potential
impact on Helix if such an exploitation were to occur.

RNR performed the testing and prepared the report based on the identified vulnerabilities. The
security assessment included a thorough vulnerability scan and penetration testing. The evaluation
focused on key areas such as authentication mechanisms, data handling, and input validation.

The assessment was conducted in accordance with the guidelines established by various
standards and frameworks, including NIST, ISO/IEC, Cyber Security Audit Baseline
Requirements, the Open-Source Security Testing Methodology Manual (OSSTMM), and the
OWASP Web Security Testing Guide. Additionally, all tests and actions were executed under
controlled conditions.

RNR was given access to the APIs and conducted the assessment from November 08th, 2024, to
November 15th, 2024. The identified vulnerabilities were further tested for possible exploits in a
controlled environment and in a manner that is not intrusive.

This report provides the detailed assessment of the given scope; the identified vulnerabilities
are outlined below with their risk severity and impact.

9. Assessment Overview

S. No | Application Name | Assessment URL | Critical | High | Medium | Low | Total
1 | ToneTag | https://notify.tonetag.com | 0 | 0 | 0 | 2 | 2



Vulnerability Summary (chart): Low 2; legend: Critical, High, Medium, Low

10. Vulnerabilities Details

S.No | Vulnerability Name | Severity
1 | Service exposure (AWS Load Balancer Exposure) | Low
2 | Missing Security Headers | Low

1. Service exposure (AWS Load Balancer Exposure)

Vulnerability: Service exposure (AWS Load Balancer Exposure)
Severity: Low
Affected URL: https://notify.tonetag.com/api/v1/idfc/send_pod_notification

Description: AWS Load Balancer exposure occurs when an internet-facing load
balancer is improperly configured, allowing unintended access to
backend services. This can result from:
- Misconfigured security groups or ACLs.
- Unrestricted listener rules (e.g., allowing traffic from 0.0.0.0/0
without restrictions).
- Exposing non-public services (e.g., internal APIs, databases) to
the internet.
- Weak authentication mechanisms on the exposed endpoints.

Impact:
- Unauthorized Access: Attackers can exploit exposed services
to gain unauthorized access to internal resources.
- Data Exposure: If sensitive APIs or services are publicly
accessible, confidential data may be leaked.
- Increased Attack Surface: Publicly exposed services may be
targeted by automated scanners, bots, or malicious actors.
- Denial of Service (DoS): Public-facing load balancers can be
flooded with traffic, disrupting service availability.

Assessment POC

Recommendation:
- Restrict Access with Security Groups & NACLs
- Use AWS WAF & Shield
- Enable Authentication & Authorization
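The security-group misconfiguration listed under Description can be caught before deployment by auditing the load balancer's ingress rules for the unrestricted 0.0.0.0/0 (or ::/0) pattern. The Python check below is an added example, not part of this report or of any RNR or Naffa tooling; it assumes rule data in the shape returned by the EC2 DescribeSecurityGroups API, a constructed sample group, and that 443 is the only approved public listener port.

```python
# Added example (not from the report): audit AWS security-group ingress rules
# for the "unrestricted 0.0.0.0/0" misconfiguration described in the finding.
# Input follows the IpPermissions shape returned by EC2 DescribeSecurityGroups;
# the group below is a constructed sample, not the target's configuration.
from ipaddress import ip_network

PUBLIC_LISTENER_PORTS = {443}  # assumption: only HTTPS is meant to be public

SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # all protocols; AWS omits FromPort/ToPort here
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any host on the internet."""
    return ip_network(cidr, strict=False).prefixlen == 0

def find_unrestricted_ingress(group, allowed_ports=PUBLIC_LISTENER_PORTS):
    """Return (ports, cidr) pairs for rules open to the whole internet on
    ports other than the approved public listeners. Protocol -1 is all traffic."""
    findings = []
    for rule in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not _is_world_open(cidr):
                continue  # scoped to a specific network: not this finding
            if rule["IpProtocol"] == "-1":
                findings.append(("all traffic", cidr))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            if set(range(lo, hi + 1)) - allowed_ports:
                findings.append((str(lo) if lo == hi else f"{lo}-{hi}", cidr))
    return findings

if __name__ == "__main__":
    for ports, cidr in find_unrestricted_ingress(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: port(s) {ports} open to {cidr}")
```

In a real environment the same function can be fed the output of `describe_security_groups` for the groups attached to the load balancer.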



2. Missing Security Headers

Vulnerability: Missing Security Headers
Severity: Low
Affected URL: https://notify.tonetag.com/api/v1/idfc/send_pod_notification

Description: Security headers are HTTP response headers that help protect web
applications from various attacks, such as clickjacking, cross-site
scripting (XSS), and MIME-type sniffing. If these headers are missing
or misconfigured, attackers can exploit vulnerabilities in client-side
interactions. Common missing headers include

Impact:
- Man-in-the-Middle Attacks (MITM): Without HSTS, attackers
can downgrade HTTPS connections.
- XSS & Code Injection: Missing CSP allows attackers to inject
malicious scripts.
- Clickjacking: Attackers can trick users into clicking hidden
buttons on a maliciously framed site.
- Data Exfiltration: Without proper headers, sensitive data may
be more susceptible to theft or unauthorized execution.

Assessment POC

Recommendation:
- Enforce HTTP Strict Transport Security (HSTS)
- Block MIME-type Sniffing
- Prevent Clickjacking with X-Frame-Options
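Whether the recommendation above has been applied can be verified from a captured response. The Python audit below is an added example, not the report's own tooling: the expected values (a one-year HSTS max-age, nosniff, DENY or SAMEORIGIN for X-Frame-Options, and a CSP carrying default-src or frame-ancestors) are assumptions taken from common hardening guidance, and the sample response is constructed rather than captured from the target.

```python
# Added example (not from the report): audit an HTTP response for the
# security headers this finding covers, against recommended values.
# Expected values are assumptions from common hardening guidance.
def _max_age(value):
    """Return the max-age directive (seconds) of an HSTS value, or 0."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

# header name -> predicate the value must satisfy to count as configured
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,  # 1 year
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v or "frame-ancestors" in v,
}

def parse_headers(raw_response):
    """Parse the header block of a raw HTTP/1.x response into a dict keyed by
    lower-cased name; the first blank line marks the start of the body."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # [0] is the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(raw_response):
    """Return {header: 'missing' | 'weak'} for each required header that is
    absent or does not meet the expected value; {} means all are in place."""
    headers = parse_headers(raw_response)
    problems = {}
    for name, is_ok in REQUIRED_HEADERS.items():
        if name not in headers:
            problems[name] = "missing"
        elif not is_ok(headers[name]):
            problems[name] = "weak"
    return problems

SAMPLE_RESPONSE = (  # constructed sample, not traffic from the target
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "X-Frame-Options: ALLOWALL\r\nStrict-Transport-Security: max-age=300\r\n"
    "\r\n" '{"status":"ok"}'
)

if __name__ == "__main__":
    for header, state in audit_security_headers(SAMPLE_RESPONSE).items():
        print(f"{header}: {state}")
```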



11. Risk Evaluation and Conclusion
RNR conducted the assessment and identified 0 High, 0 Medium and 2 Low vulnerabilities. The
organisation should keep in place a process to have the security posture of its assets assessed on a
regular basis, so that risks are identified proactively and any risk exposure that could lead to
system compromise is avoided. This assessment is limited to the provided scope and assessment
duration.

Based on the assessment and the identification of the vulnerabilities and their severity, the current
risk exposure is Low.

12. Recommendation
Considering the findings identified during the assessment, it is recommended that the
organisation deploy the fixes on an immediate basis. Further, limit access to the assets
and grant it only as per the organisation's access control policy and on a need-to-know basis.

It is also recommended that the organisation follow best practices, such as secure coding
principles and secure design, to mitigate the risk.



Thank you
[email protected]
https://consultrnr.com/
+91 7678252326

