Extsy

We express our gratitude to the Extsy team for the collaborative engagement that enabled the execution of this Pentest.

Extsy is a comprehensive cryptocurrency platform that enables users to swap, trade, buy and sell digital assets, and participate in raffles. Extsy offers features such as P2P trading, virtual cards, and the option to upgrade to Extsy Premium for enhanced services.

The system users should acknowledge all the risks summed up in the risks section of the report

Threat Model Overview

This model highlights key attack vectors and security concerns identified through both manual and automated penetration testing of Extsy’s staging web platform, APIs, authentication systems, and network architecture.

Manual Testing Highlights

Broken Access Control:

Scenario: Modifying user or account identifiers within API requests to gain unauthorized access to restricted data, possibly leading to unauthorized fund movements.

Authentication Issues:

Scenario: Weak password enforcement, absence of multi-factor authentication (MFA), and the use of outdated authentication libraries.

Sensitive Information Disclosure:

Scenario: API responses leaking private keys, wallet addresses, or personally identifiable information (PII) related to KYC processes.

Rate Limiting Weaknesses:

Scenario: Insufficient request rate restrictions, making the system susceptible to brute-force attacks or denial-of-service (DoS) attacks, such as repeated OTP request abuse.

Security Misconfigurations:

Scenario: Publicly accessible admin panels, default login credentials, and overly verbose error messages that disclose critical system information.

Injection Attacks:

Scenario: Failure to properly sanitize input fields, leaving the system vulnerable to SQL/NoSQL injection attacks and remote code execution.

XSS & CSRF Vulnerabilities:

Scenario: Malicious script injection or forged requests leading to unauthorized actions, session hijacking, or privilege escalation.

Race-Condition Exploits:

Scenario: Timing-based attack techniques used to manipulate transaction execution, potentially enabling double-spending or unauthorized fund withdrawals..

Automated Testing Highlights

Directory & File Enumeration:

Scenario: Tools like Dirsearch and FFuF revealing unprotected directories or configuration files containing sensitive information.

API Security Testing:

Scenario: Automated vulnerability scanning (e.g., using Burp Suite) exposing weak access controls and a lack of rate-limiting mechanisms.

Web Application Scanning:

Scenario: Security scanners such as Nessus and Nikto detecting injection flaws (SQLi, XSS) and improper security configurations.

Security Header & Port Analysis:

Scenario: Nmap scans uncovering absent security headers (e.g., X-Frame-Options, HSTS), increasing exposure to attacks like clickjacking.

Injection Testing:

Scenario: Tools such as SQLmap and Ghauri identifying injection vulnerabilities across multiple API endpoints.

Extsy is a comprehensive cryptocurrency platform that enables users to swap, trade, buy and sell digital assets, and participate in raffles. Extsy offers features such as P2P trading, virtual cards, and the option to upgrade to Extsy Premium for enhanced services.

Extsy provides a comprehensive range of other services, including P2P trading, AML checks, virtual card management, and participation in raffles. Users can enhance their experience by upgrading to Extsy Elite, which unlocks premium features such as increased cashback.

Extsy provides a user-friendly platform where users can seamlessly buy, sell, swap, and trade cryptocurrencies. It allows you to manage your wallet, track transactions, and access the best market rates.

The testing was conducted in the staging environment but all the fixes were deployed to production as well. Scope of the project includes the following.