
CoinEx

Audit name:

[PT] CoinEx / Web+API / Mar2025

Date:

Apr 22, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the CoinEx team for the collaborative engagement that made this pentest possible.

CoinEx is a centralized exchange that allows users to deposit, trade, and withdraw cryptocurrencies, as well as use other features related to cryptocurrency trading.

Document

Name: Pentest and Security Analysis Report for CoinEx
Audited By: Lukasz Mikula
Approved By: Stephen Ajayi
Website: https://www.coinex.com/
Changelog: 24/03/2025 - Preliminary Report
Platform: Web
Language: Node.js, MySQL, Redis
Tags: BlackBox
Methodology: https://hackenio.cc/pentest_methodology


Audit Summary

Total Findings: 4
Resolved: 1
Accepted: 3
Mitigated: 0

System users should acknowledge all the risks summarized in the Findings section of this report.

Threat Model Overview

This model outlines the key attack scenarios and security risks assessed during both manual and automated penetration testing of the CoinEx web application and API.

Manual Testing Highlights

  • Broken Access Control: Scenario: Manipulating user/account IDs in API requests to access or alter unauthorized data, potentially facilitating fund transfers.

  • Authentication Issues: Scenario: Weak password policies, lack of multi-factor authentication, and reliance on outdated authentication libraries.

  • Sensitive Information Disclosure: Scenario: API responses exposing private keys, wallet addresses, or KYC details.

  • Rate Limiting Weaknesses: Scenario: Inadequate rate limiting enabling brute-force or denial-of-service (DoS) attacks, such as excessive OTP requests.

  • Security Misconfigurations: Scenario: Exposed admin panels, use of default credentials, and verbose error messages revealing system details.

  • Injection Attacks: Scenario: Unsanitized inputs allowing SQL/NoSQL injections or remote code execution.

  • XSS & CSRF Vulnerabilities: Scenario: Injection of malicious scripts or forged requests leading to session hijacking and unauthorized actions.

  • Race-Condition Exploits: Scenario: Exploiting timing flaws to manipulate transaction processes, such as double-spending.
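The two scenarios above that matter most on an exchange, an account-ID swap in a withdrawal request and a check-then-act race that lets a balance be spent twice, are easiest to see side by side. The following is an added example written for this page, not CoinEx code and not Hacken tooling: an in-memory "ledger" stands in for a MySQL accounts table, the session shape, account IDs and amounts are constructed, and `dbRoundTrip` simulates the `await` on a database driver that lets a second request interleave. The hardened version does object-level authorization before anything else and performs the balance check and debit as one atomic step (the equivalent of a conditional `UPDATE ... WHERE balance >= ?` with an `affectedRows` check).

```javascript
// Added example (not CoinEx code): IDOR and double-spend race on a withdrawal
// endpoint, vulnerable form beside hardened form. All names and values are
// assumptions for illustration.

// Constructed data: account id -> { owner, balance }.
function makeLedger() {
  return new Map([
    ['acc-1', { owner: 'alice', balance: 100 }],
    ['acc-2', { owner: 'bob', balance: 50 }],
  ]);
}

// Stand-in for a database round trip; yields to the event loop so another
// request can run in between, exactly as an await on a real DB driver would.
const dbRoundTrip = () => new Promise((resolve) => setImmediate(resolve));

// VULNERABLE: trusts the client-supplied accountId (no ownership check), reads
// the balance, awaits, then writes a value derived from the stale read.
async function withdrawUnsafe(ledger, session, accountId, amount) {
  const acct = ledger.get(accountId);
  if (!acct) return { ok: false, reason: 'no-such-account' };
  const balance = acct.balance;                 // read
  if (balance < amount) return { ok: false, reason: 'insufficient' };
  await dbRoundTrip();                          // a concurrent request runs here
  acct.balance = balance - amount;              // write based on the stale read
  return { ok: true, balance: acct.balance };
}

// One atomic check-and-debit: the in-memory analogue of
//   UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
// Node does not yield inside this synchronous function, so no request can
// interleave between the comparison and the write.
function conditionalDebit(ledger, accountId, amount) {
  const acct = ledger.get(accountId);
  if (!acct || acct.balance < amount) return 0;  // affectedRows = 0
  acct.balance -= amount;
  return 1;                                      // affectedRows = 1
}

// HARDENED: validate input, enforce object-level authorization against the
// authenticated session, then debit atomically and act on the row count.
async function withdrawSafe(ledger, session, accountId, amount) {
  if (!Number.isInteger(amount) || amount <= 0) return { ok: false, reason: 'bad-amount' };
  const acct = ledger.get(accountId);
  if (!acct || acct.owner !== session.userId) {
    // Same answer for "not yours" and "does not exist": no account enumeration.
    return { ok: false, reason: 'no-such-account' };
  }
  await dbRoundTrip();                          // e.g. fee lookup; nothing decided yet, so safe
  if (conditionalDebit(ledger, accountId, amount) === 0) {
    return { ok: false, reason: 'insufficient' };
  }
  return { ok: true, balance: ledger.get(accountId).balance };
}

// Race probe: two concurrent withdrawals of 80 against a balance of 100.
async function raceDemo(withdraw) {
  const ledger = makeLedger();
  const session = { userId: 'alice' };
  const results = await Promise.all([
    withdraw(ledger, session, 'acc-1', 80),
    withdraw(ledger, session, 'acc-1', 80),
  ]);
  return {
    succeeded: results.filter((r) => r.ok).length,
    finalBalance: ledger.get('acc-1').balance,
  };
}

// IDOR probe: bob's session names alice's account id in the request.
async function idorDemo(withdraw) {
  const ledger = makeLedger();
  const r = await withdraw(ledger, { userId: 'bob' }, 'acc-1', 10);
  return { ok: r.ok, aliceBalance: ledger.get('acc-1').balance };
}

(async () => {
  console.log('unsafe race:', await raceDemo(withdrawUnsafe)); // 2 succeed, balance 20: 160 paid out of 100
  console.log('safe race:  ', await raceDemo(withdrawSafe));   // 1 succeeds, balance 20
  console.log('unsafe idor:', await idorDemo(withdrawUnsafe)); // ok: true, alice debited by bob
  console.log('safe idor:  ', await idorDemo(withdrawSafe));   // ok: false, balance unchanged
})();
```

In a real Node.js and MySQL deployment the atomic step is the single conditional `UPDATE` inside a transaction, or a row lock via `SELECT ... FOR UPDATE`; a Redis `DECRBY` guarded by a Lua script serves the same purpose for balances held there. The important property is the one the demo isolates: no `await` between deciding and writing.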

Automated Testing Highlights

  • Directory & File Enumeration: Scenario: Using tools like Dirsearch and FFuF to uncover exposed directories and sensitive configuration files.

  • API Security Testing: Scenario: Automated scans (via Burp Suite) revealing broken access controls and insufficient rate limiting.

  • Web Application Scanning: Scenario: Security scanners (e.g., Nessus, Nikto) detecting SQL injection, XSS, and misconfigurations.

  • Security Header & Port Analysis: Scenario: Nmap scans for exposed services and HTTP response header analysis revealing missing security headers (e.g., X-Frame-Options, HSTS) that could expose the application to clickjacking or protocol-downgrade attacks.

  • Injection Testing: Scenario: Tools like SQLmap identifying injection vulnerabilities in various endpoints.
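The header analysis in the list above reduces to a small set of checks that can be run over any captured response. The following is an added example, not code from CoinEx or from the scanners named above: `auditSecurityHeaders` takes a response's headers as a plain object and returns the weaknesses a scanner would flag, with the attack each one enables. The one-year HSTS threshold, the two constructed header sets, and the header names treated as fingerprinting leaks are assumptions for illustration.

```javascript
// Added example (not CoinEx code): security-header audit of a captured HTTP
// response. Thresholds and sample headers are constructed for illustration.

// Minimum HSTS max-age treated as adequate here (one year, the preload-list floor).
const MIN_HSTS_MAX_AGE = 31536000;

// Parse "max-age=63072000; includeSubDomains; preload" into a directive map.
function parseHsts(value) {
  const directives = Object.create(null);
  for (const part of value.split(';')) {
    const [k, v] = part.trim().toLowerCase().split('=');
    if (k) directives[k] = v === undefined ? true : v;
  }
  return directives;
}

// Returns [{ header, issue, risk }] for one response. Header names are
// compared case-insensitively, as HTTP requires.
function auditSecurityHeaders(headers) {
  const h = Object.create(null);
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  // Clickjacking: need X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors.
  const csp = h['content-security-policy'] ?? '';
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\s/i.test(csp);
  const xfo = (h['x-frame-options'] ?? '').toUpperCase();
  if (!hasFrameAncestors && !['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push({ header: 'X-Frame-Options', issue: 'missing or weak, and no CSP frame-ancestors', risk: 'clickjacking' });
  }

  // Transport: HSTS absent or short leaves the first request open to SSL stripping.
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push({ header: 'Strict-Transport-Security', issue: 'missing', risk: 'protocol downgrade / SSL stripping' });
  } else {
    const maxAge = Number(parseHsts(hsts)['max-age']);
    if (!Number.isFinite(maxAge) || maxAge < MIN_HSTS_MAX_AGE) {
      findings.push({ header: 'Strict-Transport-Security', issue: `max-age below ${MIN_HSTS_MAX_AGE} ("${hsts}")`, risk: 'protocol downgrade / SSL stripping' });
    }
  }

  // MIME sniffing of user-controlled content.
  if ((h['x-content-type-options'] ?? '').toLowerCase() !== 'nosniff') {
    findings.push({ header: 'X-Content-Type-Options', issue: 'not "nosniff"', risk: 'MIME sniffing' });
  }

  // No CSP at all: nothing limits the blast radius of an XSS.
  if (!csp) {
    findings.push({ header: 'Content-Security-Policy', issue: 'missing', risk: 'unmitigated XSS' });
  }

  // Referrer leakage of URLs (which may carry tokens or order ids) to third parties.
  if (!h['referrer-policy']) {
    findings.push({ header: 'Referrer-Policy', issue: 'missing', risk: 'referrer leakage' });
  }

  // Stack fingerprinting: version strings help an attacker pick exploits.
  for (const [name, canonical] of [['server', 'Server'], ['x-powered-by', 'X-Powered-By']]) {
    if (h[name]) findings.push({ header: canonical, issue: `reveals "${h[name]}"`, risk: 'fingerprinting' });
  }
  return findings;
}

// Constructed sample responses (not captured from any real host).
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'X-Powered-By': 'Express',
  'Strict-Transport-Security': 'max-age=3600',
};
const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log('weak:', auditSecurityHeaders(WEAK_HEADERS));         // 6 findings
console.log('hardened:', auditSecurityHeaders(HARDENED_HEADERS)); // []
```

Note that a missing X-Frame-Options header is not a finding when the CSP carries `frame-ancestors`, which is why the check looks at both; reporting it anyway is a common scanner false positive.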

Conclusion

The web application exhibited a solid security posture, and the authorization matrix was implemented correctly.

System Overview

CoinEx is a centralized cryptocurrency exchange that allows users to deposit, trade, and withdraw their cryptocurrencies, as well as participate in various other activities related to the Web3 community.

Findings

Code          Title                                          Status     Severity
F-2025-9296   Weak password policy                           accepted   Low
F-2025-9299   Potentially accessible development environment accepted   Observation
F-2025-9298   Verbose error messages                         fixed      Observation
F-2025-9297   API key exposure                               accepted   Observation
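The only finding rated above Observation is the weak password policy, and the report does not say which property the policy lacked. As an added example, not CoinEx code and not a description of their fix, here is a minimal server-side policy of the kind an exchange should enforce, following NIST SP 800-63B: length over composition rules, a blocklist of compromised and common passwords, rejection of trivially repetitive or sequential strings and of the user's own identifiers, and no silent truncation. The 12-character minimum, the 128-character cap, the blocklist contents, and the `context` fields are assumptions for illustration.

```javascript
// Added example (not CoinEx code): password policy check in the spirit of
// NIST SP 800-63B. Limits and blocklist are assumptions for illustration.

const MIN_LENGTH = 12;   // assumed; 800-63B requires at least 8 for user-chosen secrets
const MAX_LENGTH = 128;  // assumed cap; bcrypt silently truncates at 72 bytes, so cap explicitly

// Constructed blocklist. A real deployment loads a large breach corpus
// (or queries a k-anonymity range API) instead of a handful of strings.
const BLOCKLIST = new Set([
  'password', 'password123', 'qwerty123456', 'letmein12345', '123456789012',
]);

// True for strictly ascending or descending code-point runs ("abcdefghijkl", "zyxwvutsrqpo").
function isSequential(s) {
  const cps = [...s].map((c) => c.codePointAt(0));
  if (cps.length < 4) return false;
  let asc = true;
  let desc = true;
  for (let i = 1; i < cps.length; i++) {
    if (cps[i] !== cps[i - 1] + 1) asc = false;
    if (cps[i] !== cps[i - 1] - 1) desc = false;
  }
  return asc || desc;
}

// Returns { ok, reasons }. `context` carries identifiers the password must not
// contain, e.g. { email, username }; every reason is reported, not just the first.
function checkPasswordPolicy(password, context = {}) {
  const reasons = [];
  // Count code points, not UTF-16 units, so non-ASCII passwords are measured fairly.
  const length = [...password].length;
  if (length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (length > MAX_LENGTH) reasons.push(`longer than ${MAX_LENGTH} characters`);

  const normalized = password.toLowerCase();
  if (BLOCKLIST.has(normalized)) reasons.push('appears in compromised/common password list');
  if (/^(.)\1+$/u.test(password)) reasons.push('single repeated character');
  if (isSequential(normalized)) reasons.push('sequential characters');

  for (const [field, raw] of Object.entries(context)) {
    const value = String(raw ?? '').toLowerCase();
    if (value.length >= 4 && normalized.includes(value)) reasons.push(`contains ${field}`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed inputs to exercise each rule.
const SAMPLES = [
  ['password123', {}],                                   // short and blocklisted
  ['correct horse battery staple', {}],                  // accepted
  ['aaaaaaaaaaaa', {}],                                  // repeated character
  ['abcdefghijkl', {}],                                  // sequential
  ['alice@example.com-2024', { email: 'alice@example.com' }], // contains own email
];
for (const [pw, ctx] of SAMPLES) {
  console.log(JSON.stringify(pw), checkPasswordPolicy(pw, ctx));
}
```

The check deliberately does not demand mixed case or symbols: 800-63B dropped composition rules because they push users toward predictable substitutions while a blocklist and a sane minimum length do more against the brute-force and credential-stuffing scenarios listed in the threat model. The policy should be enforced server-side on registration and on password change, alongside the rate limiting the threat model calls for on the login and OTP endpoints.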


Appendix 1. Severity Definitions

Severity: Critical
Description: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

Severity: High
Description: These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

Severity: Medium
Description: These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Severity: Low
Description: These issues present minimal risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following URL:

Scope Details

URL: https://coinex.com

Assets in Scope

CoinEx Web App

Disclaimer