
Techhaus: From Vulnerability to Victory with Penetration Testing

Discover how our experts secured the ActiUp digital ticketing system, helping Techhaus become a trusted ticket provider.

CÔNG TY CỔ PHẦN TECHHAUS VIETNAM

Key Findings

  • Multiple security vulnerabilities of varying severity levels were identified, including critical, high, and low issues.

  • Appropriate remediation measures were implemented, such as strengthening authentication mechanisms, improving business workflows, and hardening security configurations.

  • Financial risks were reduced, overall system security was enhanced, and a safer user experience was ensured.

Techhaus engaged CyStack to perform a penetration test of the ActiUp web application. The purpose of this project was to identify security weaknesses, determine the impact to ActiUp, document all findings in a clear and repeatable manner, and provide remediation recommendations. The project commenced on 24/05/2023 and required five (5) security researchers. On 20/06/2023, CyStack performed a retest that confirmed the effectiveness of the applied mitigations. All issues with direct security impact have been addressed by Techhaus.

Our client

Techhaus Vietnam is a famous technology company in Southeast Asia specializing in technology solutions for health, sports and entertainment, helping users lead a healthier and more active lifestyle every day.

The ActiUp platform, a Techhaus website that distributes tickets to sports, entertainment, and music events, encountered a serious vulnerability that allowed users to buy tickets for a music showcase without payment.

Realizing the urgency of the situation, Techhaus decided to partner with CyStack, a cybersecurity company with expertise in identifying and mitigating cyber threats, to enhance ActiUp's security and protect customers' data and financial transactions.

Solution

The customer proactively approached CyStack, chose the Penetration Testing solution, and additionally requested testing of the logic flow of event ticket sales.

Test object: Web application.

Our tests include:

  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Testing for Error Handling
  • Testing for Weak Cryptography
  • Business Logic Testing
  • Client-side Testing
  • API Testing

The standards that the CyStack team of experts use include:

  • OWASP Testing Guide
  • The Penetration Testing Execution Standard
  • REST API security guidelines
  • NIST SP 800-95

Technical information:

  • Front-end: React, Next.js
  • Back-end: PHP, unknown framework
  • Reverse proxy: Nginx
  • Deployment: AWS cloud infrastructure
  • Integrations: analytics tools

Our working process:

  • Planning and reconnaissance: Define the scope and objectives of the test, identify the target systems and networks, and gather information about the target environment (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
  • Vulnerability analysis: Identify potential vulnerabilities in the target system using techniques such as vulnerability scanning, network scanning, and configuration review; test for common vulnerabilities such as 1-day flaws and CVEs.
  • Exploitation: The pentester attempts to exploit one or more identified vulnerabilities in order to gain unauthorized access or compromise the system’s security.
  • Post-exploitation: Maintain access to the compromised system and escalate privileges within the system, if possible.
  • Reporting: Prepare a report that summarizes the testing process, the vulnerabilities identified, and the recommendations for improving the system’s security.

Result

By strictly adhering to independent testing standards and applying advanced security measures, we helped the client identify and address vulnerabilities in a timely manner. This enabled them to avoid potential financial losses in future events and ensure a secure and reliable ticketing experience for users on their platform.

Through the penetration testing engagement, the team identified multiple security vulnerabilities across different severity levels and provided appropriate remediation recommendations. The solutions focused on strengthening authentication mechanisms, improving the security of critical business workflows, and hardening security configurations, thereby reducing the risk of fraud and enhancing the overall protection of the system.

Customer Service

Our Business Development and Security Engineering teams provided dedicated support to ensure the customer's security testing process went smoothly, in both paperwork and technical aspects. The process involved:

Business Development Team:

  • Supported paperwork processing according to customer deadlines, ensuring compliance with the standards of the field.
  • Coordinated with the internal team to keep focus on the project, and closely monitored implementation to ensure the process set by the customer was followed despite limited time.

Security Engineering Team:

  • Enhanced access control capabilities to protect user data and maintain system integrity.
  • Applied comprehensive security measures to mitigate risks arising from critical business workflows.
  • Strengthened authentication mechanisms and hardened security configurations to improve the platform’s overall security posture.

About CyStack

CyStack is a cybersecurity company based in Vietnam since 2017. We offer comprehensive solutions, including testing, security consulting, and managed services. With over 200 businesses and 20,000 users around the world, we are recognized as a trusted partner for organizations and a leading firm in cybersecurity research and development.

For more information, please visit: https://cystack.net/

Quotes

“After using CyStack's solution, ActiUp found vulnerabilities in the current product. I didn't really care about this before, but when it happened, I realized how important it is to protect my technology products. I will continue to invest in cybersecurity.” - Nguyen Hoang Tuan, General Director of Techhaus Vietnam.

“The uncontrollable number of distributed tickets and information leaks before opening the sales portal have left serious consequences for us. However, with CyStack's Penetration Testing solution, we are now more confident about our security system.” - Phan Gia Man Vy, Business Analyst Leader of Techhaus Vietnam.
