Techhaus: From Vulnerability to Victory with Penetration Testing

Discover how our experts secured the ActiUp digital ticketing system, helping Techhaus become a trusted ticket provider.

Client: Techhaus Vietnam Joint Stock Company (CÔNG TY CỔ PHẦN TECHHAUS VIETNAM)


Techhaus engaged CyStack to perform a penetration test of the ActiUp web application. The purpose of the project was to identify security weaknesses, determine their impact on ActiUp, document all findings in a clear and reproducible manner, and provide remediation recommendations. The project commenced on 24/05/2023 with five (5) security researchers. On 20/06/2023, CyStack performed a retest that confirmed the effectiveness of the applied mitigations. All issues with direct security impact have been addressed by Techhaus.

Our client

Techhaus Vietnam is a well-known technology company in Southeast Asia specializing in technology solutions for health, sports and entertainment, helping users lead a healthier and more active lifestyle every day.

The ActiUp platform, Techhaus's website for distributing tickets to sports, entertainment and music events, was hit by a serious business-logic flaw: users were able to obtain tickets for a music showcase without paying.

Recognizing the urgency of the situation, Techhaus partnered with CyStack, a cybersecurity company with expertise in identifying and mitigating cyber threats, to strengthen the security of ActiUp and protect customers' data and financial transactions.

Solution

The customer proactively approached CyStack and chose the Penetration Testing solution, adding a specific request to test the logic flow of event ticket sales.

Test object: Web application.

Our tests include:

  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Testing for Error Handling
  • Testing for Weak Cryptography
  • Business Logic Testing
  • Client-side Testing
  • API Testing

The standards that the CyStack team of experts use include:

  • OWASP Testing Guide
  • The Penetration Testing Execution Standard
  • REST API security guidelines
  • NIST SP 800-95

Technical information:

  • Front-end: React, Next.js
  • Back-end: PHP (framework not identified)
  • Reverse proxy: Nginx
  • Deployed on AWS cloud infrastructure
  • Third-party analytics tools integrated

Our working process:

  • Planning and reconnaissance: Define the scope and objectives of the test, identify the target systems and networks, and gather information about the target environment (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
  • Vulnerability analysis: Identify potential vulnerabilities in the target system using techniques such as vulnerability scanning, network scanning, and configuration review; test for known (1-day) flaws with published CVEs as well as common weakness classes.
  • Exploitation: The pentester attempts to exploit one or more identified vulnerabilities in order to gain unauthorized access or compromise the system’s security.
  • Post-exploitation: Maintain access to the compromised system and escalate privileges within the system, if possible.
  • Reporting: Prepare a report that summarizes the testing process, the vulnerabilities identified, and the recommendations for improving the system’s security.

Result

By adhering strictly to independent testing standards and applying advanced techniques, we helped the client detect and resolve the vulnerabilities and provided timely remediation guidance. This helps them avoid financial loss at future events and ensures a safe and secure ticketing experience for users of their platform.

With the Penetration Testing solution, we detected a total of 6 security vulnerabilities: 1 critical, 2 high and 3 low.

How the findings were fixed:

  • Critical: The one-time password (OTP) is now generated with enough complexity to resist guessing, and delivery is bound to the user's registered email address so that only that address receives the OTP.
  • High: The flaws in the ticket purchase flow were reviewed with the client and the flow was redesigned so that it operates safely and no ticket can be obtained fraudulently.
  • Low: The existing JSON Web Token (JWT) configuration was hardened, with stricter token-validity controls added.
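The two authentication fixes above (a guess-resistant OTP bound to the account's email, and stricter JWT validity checks), as an added illustrative example in Python. This is not Techhaus's or CyStack's code, and ActiUp's backend is PHP; the code only shows the controls. The OTP alphabet and length, the five-minute window, the five-attempt cap, the fifteen-minute token lifetime, the `actiup-auth`/`actiup-web` identifiers, the in-memory store standing in for a database, and the HS256 signing scheme are all assumptions.

```python
"""Illustrative OTP-by-email and JWT session hardening for a login flow.
Added example, not ActiUp's code; policy values and identifiers are assumptions."""
import base64, hashlib, hmac, json, secrets, time

# ---- OTP issuance and verification (addresses the critical finding) ----
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O or 1/I
OTP_LENGTH = 8          # 32**8 ~ 1.1e12 codes: not guessable online
OTP_TTL_SECONDS = 300   # assumed policy: five-minute validity window
OTP_MAX_ATTEMPTS = 5    # assumed policy: burn the code after repeated misses
_otp_store = {}         # email -> {hash, expires, attempts}; stand-in for a DB or cache


def issue_otp(email, now=None):
    """Create a CSPRNG code bound to one registered email address.
    The caller delivers the code to exactly `email` (the address on the account,
    never one taken from the request body). Only a hash of (email, code) is kept."""
    now = time.time() if now is None else now
    email = email.lower()
    code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
    _otp_store[email] = {
        "hash": hashlib.sha256(f"{email}:{code}".encode()).hexdigest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(email, candidate, now=None):
    """Constant-time check that rejects expired, over-tried, and replayed codes."""
    now = time.time() if now is None else now
    email = email.lower()
    rec = _otp_store.get(email)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= OTP_MAX_ATTEMPTS:
        _otp_store.pop(email, None)      # burn the code; the user must request a new one
        return False
    rec["attempts"] += 1
    expected = hashlib.sha256(f"{email}:{candidate.upper()}".encode()).hexdigest()
    if hmac.compare_digest(expected, rec["hash"]):
        _otp_store.pop(email, None)      # single use: a verified code cannot be replayed
        return True
    return False


# ---- JWT issuance and strict validation (addresses the low finding) ----
JWT_SECRET = secrets.token_bytes(32)   # example only; load from a secret manager in production
JWT_ISSUER = "actiup-auth"             # assumed identifiers
JWT_AUDIENCE = "actiup-web"
JWT_TTL_SECONDS = 900                  # assumed policy: 15-minute access tokens


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id, now=None):
    """Mint an HS256 token whose iss/aud/iat/nbf/exp/jti claims are set server-side."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iss": JWT_ISSUER, "aud": JWT_AUDIENCE, "iat": now,
              "nbf": now, "exp": now + JWT_TTL_SECONDS, "jti": secrets.token_hex(16)}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, now=None):
    """Return the claims only if alg is pinned to HS256, the MAC matches, and
    iss/aud/nbf/exp all hold; anything else is rejected with None."""
    now = int(time.time() if now is None else now)
    try:
        h, c, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
    except ValueError:                   # wrong part count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":     # refuses alg=none and algorithm confusion
        return None
    expected = hmac.new(JWT_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("iss") != JWT_ISSUER or claims.get("aud") != JWT_AUDIENCE:
        return None
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, int) or not isinstance(nbf, int) or now >= exp or now < nbf:
        return None
    return claims
```

The OTP half answers the critical finding on two axes: the code is drawn from a CSPRNG over a 32-symbol alphabet rather than a short or predictable string, and it is keyed to the address on file, never to an address the client supplies, so a request cannot redirect delivery; the attempt cap and single-use consumption close the online-guessing and replay paths. The JWT half pins the algorithm, verifies the MAC before trusting any claim, and rejects tokens outside their iss/aud/nbf/exp window; a production deployment would hold the key in a secret manager and rotate it.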

Customer Service

Our Business Development and Security Engineering teams provided dedicated support to ensure the customer's security testing process went smoothly, in both paperwork and technical aspects. The process involves:

Business Development Team:

  • Support processing paperwork according to customer deadlines, assuring the compliance and standards of the field.
  • Coordinate with the internal team to keep the project on track, and closely monitor implementation to meet the schedule set by the customer despite the limited time.

Security Engineering Team:

  • Prevent unauthorized access to any user's ticket information, maintaining the integrity of users' personal and transactional data.
  • Apply targeted countermeasures against exploitation of the flow for buying and selling tickets to entertainment events, so that every step of the process addresses the right weaknesses.
  • Strengthen the JWT-based authentication mechanism. A JWT is only as strong as the validation applied to it, so the hardened token-validity checks give the client a robust authentication mechanism.

About CyStack

CyStack is a cybersecurity company based in Vietnam, founded in 2017. We offer comprehensive solutions, including security testing, security consulting, and managed services. Serving over 200 businesses and 20,000 users around the world, we are recognized as a trusted partner for organizations and a leading firm in cybersecurity research and development.

For more information, please visit: https://cystack.net/

Quotes

“After using CyStack's solution, ActiUp found vulnerabilities in the current product. I didn't really care about this before, but when it happened, I realized how important it is to protect my technology products. I will continue to invest in cybersecurity.” - Nguyen Hoang Tuan, General Director of Techhaus Vietnam.

“The uncontrollable number of distributed tickets and information leaks before opening the sales portal have had serious consequences for us. However, with CyStack's Penetration Testing solution, we are now more confident about our security system.” - Phan Gia Man Vy, Business Analyst Leader of Techhaus Vietnam.

Other Case Studies

VietnamCredit: Shaping Business Success From Security Policy Development
VietnamCredit faced many challenges related to security policies, making it difficult to work with end customers. CyStack, with its Security Policy Building solution, helped VietnamCredit overcome these obstacles and gain customer trust.

Vayana Weaves Success by Connecting a Network of 300.000+ Enterprises with Smart Contract Audit
With a proactive security mindset, Vayana has successfully built customer trust and maintained its position as one of the leading technology companies in India's tech hub, thanks to Smart Contract Audit.

Petit Gateau: Proactive Shielding, Customer Trust Yielding
Petit Gateau successfully protected the products of its partner Dai-ichi Life, a leading global insurance company, thanks to Penetration Testing performed by the CyStack expert team.