Penetration testing for AI platform
Checking cybersecurity measures of an AI-powered writing tool
Software-as-a-Service (SaaS)
Penetration testing
4 weeks (+ regular checks twice a year)
Project Idea
The client partnered with Yellow to test their security posture through penetration testing. Our task was to audit all existing security measures, report vulnerabilities, and provide clear recommendations on improving defenses.
Project Idea
The client partnered with Yellow to test their security posture through penetration testing. Our task was to audit all existing security measures, report vulnerabilities, and provide clear recommendations on improving defenses.
Tech Stack
Leading vulnerability scanners and penetration testing tools
Manual testing techniques
Custom self-developed scripts
Real-world attack strategies based on frameworks like MITRE ATT&CK
We were responsible for
Performing an in-depth audit of the client’s defenses
Providing support and consultation for the team
Conducting ongoing security check-ups
Project Team
Two Senior Security Engineers
Project Manager
What is penetration testing?
The client project: What we faced
For four weeks, we conducted several security assessments, including multiple penetration tests on the Writer app and a Red Team exercise on their cloud infrastructure. During these tests, we identified several critical security challenges:
Cross-Site Scripting (XSS):
We discovered XSS vulnerabilities in the web app and browser extensions. These flaws could have allowed attackers to run malicious JavaScript code, potentially compromising user sessions and allowing access to sensitive data.
Server Compromise via XML Interpreter
This vulnerability allowed interaction with the server through the XML interpreter, and exploiting it could lead to server compromise.
Privilege Escalation and Unauthorized Access
During the Red Team engagement, we obtained employee credentials and were able to access internal company environments. With minimal initial privileges, we escalated our access to one of the environments, eventually gaining administrator rights to other services and the cloud infrastructure.
Paid Plan Restrictions Bypass
We identified a method to bypass restrictions on paid functionalities within the application, allowing access to premium features without proper authorization or payment.
AI Vulnerability
Our testing uncovered vulnerabilities related to the application’s AI functionalities.
Successful Phishing Campaign
We conducted a controlled phishing campaign and successfully obtained sensitive information and credentials from several employees.
Our solution
To address the security challenges we found, we took the following steps:
Performing in-depth audits of the web application, APIs, browser extensions, and desktop applications.
Providing detailed reports for each vulnerability, including risk assessments and step-by-step remediation guidance.
Working closely with client's development and security teams to ensure they fixed all issues correctly and on time.
Offering support and consultation throughout the remediation process to quickly address any challenges.
Suggesting enhancements to the customer’s SOC capabilities, like implementing advanced monitoring tools and regular training for the team to detect and respond to threats more effectively.
Results
Around 20 vulnerabilities were successfully eliminated (only 7 had low threat levels).
Each subsequent test revealed fewer issues.
The Writer application and its services are now considerably more secure.
The phishing campaign results prompted increased security training, improving employees’ ability to recognize and report suspicious activities.