
Blackbox and Graybox Penetration Testing for EBSI (APIs and Web Apps)


Hacken’s partnership with Europe’s first public-sector blockchain infrastructure, EBSI, is evolving. After successfully conducting a comprehensive smart contract audit last year, Hacken has now performed a proactive penetration test on EBSI’s APIs and web applications.

Our latest security assessment combined black box and gray box testing methodologies, covering multiple layers of the platform: the EBSI API endpoints, the test and pilot environments, and the web application. With the EBSI team’s permission, we are sharing the results of this engagement with a wider audience.

First Public-Sector European Blockchain

EBSI (European Blockchain Services Infrastructure) is an initiative founded by the European Commission and the European Blockchain Partnership, currently transitioning to the Europeum-EDIC, to provide a secure, decentralized platform for public-sector blockchain applications. A major application is Verifiable Credentials, a Web3 trust framework that makes information easy to verify and resistant to forgery.

Engagement Overview

Last year, Hacken conducted a large-scale smart contract audit for EBSI, which included a detailed review of the contract architecture, code integrity, and potential vulnerabilities. Building on this foundation, Hacken expanded its services in 2024 to perform a multi-vector penetration test. The decentralized application assessment focused on API endpoints, multiple environments such as test and pilot setups, and web components, including the trusted nodes list.

APIs and Web Applications Are Key Components of the EBSI Hub

The EBSI Hub serves as the central portal for accessing and managing the various EBSI services, including building, deploying, and interacting with blockchain applications. It supports developers, enterprises, and public administrations in using the platform’s resources and APIs for use cases such as trusted document issuance, identity verification, and data traceability. The Hub connects applications to the ledger, enabling them to read from or write to it through smart contracts.

EBSI’s core technical services, including the APIs, smart contracts, and the ledger, are hosted in a decentralized manner by a network of nodes across Europe, operated under EBSI’s governance rules and general conditions for node operators. This distribution is intended to preserve the integrity and stability of the services.

Testing Approach

Hacken’s pentest combined two methodologies, run in sequence, so that each one covered the blind spots of the other.

Black Box Testing: Our team performed an initial assessment without credentials or knowledge of the internal configuration. This phase simulated an external attacker and aimed to identify vulnerabilities exploitable from outside the system; by design, it could only reach functionality exposed to unauthenticated users.

Gray Box Testing: After the black box phase, we were granted several roles with access to the platform, which allowed us to test authenticated functionality in depth and to check that each role could reach only what it was meant to. Combining the two phases gave a more complete picture of the system’s security gaps than either would alone.
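One concrete way the two phases complement each other is a role-matrix authorization check: every endpoint is exercised once per role (an unauthenticated "anon" role standing in for the black box view, and each granted role for the gray box view), and the observed responses are compared against the access the specification intends. The following is an added example written for this article; it is not EBSI’s or Hacken’s code. The endpoints, roles, and the in-memory mock API are constructed for illustration, and the mock deliberately contains one access-control defect so that the checker has something to report. In a real engagement the `call` argument would issue HTTP requests carrying each role’s credentials.

```python
"""Role-matrix authorization check for an HTTP API (illustrative example)."""
from typing import Callable

# Constructed access matrix: (method, path) -> roles the spec permits.
# "anon" is the black box view (no credentials); the others are gray box roles.
ALLOWED = {
    ("GET", "/ledger/blocks/latest"): {"anon", "reader", "issuer", "admin"},
    ("GET", "/trusted-nodes"): {"anon", "reader", "issuer", "admin"},
    ("POST", "/credentials/issue"): {"issuer", "admin"},
    ("PUT", "/trusted-nodes/node-1"): {"admin"},
    ("DELETE", "/trusted-nodes/node-1"): {"admin"},
}

ROLES = ["anon", "reader", "issuer", "admin"]


def mock_api(method: str, path: str, role: str) -> int:
    """Constructed stand-in for the target API; returns an HTTP status code.

    The PUT handler only checks that *some* credential is present and never
    checks the role. This is a constructed defect, not a real EBSI finding,
    and exists so the audit below reports something.
    """
    if (method, path) not in ALLOWED:
        return 404
    if method == "PUT":
        return 200 if role != "anon" else 401   # constructed bug: no role check
    if role in ALLOWED[(method, path)]:
        return 200
    return 401 if role == "anon" else 403


def audit(call: Callable[[str, str, str], int], allowed: dict, roles: list) -> list:
    """Exercise every (endpoint, role) pair and return deviations from the spec.

    EXCESS  = a role reached an endpoint it should not have (privilege escalation
              or, for "anon", an unauthenticated exposure found black box style).
    DENIED  = a role was refused an action the spec says it may perform.
    """
    findings = []
    for (method, path), permitted in sorted(allowed.items()):
        for role in roles:
            status = call(method, path, role)
            should_pass = role in permitted
            did_pass = 200 <= status < 300
            if did_pass and not should_pass:
                findings.append(("EXCESS", method, path, role, status))
            elif should_pass and not did_pass:
                findings.append(("DENIED", method, path, role, status))
    return findings


if __name__ == "__main__":
    for finding in audit(mock_api, ALLOWED, ROLES):
        print(*finding)
```

Running the example reports two EXCESS findings, both against the constructed `PUT /trusted-nodes/node-1` handler: the `reader` and `issuer` roles can modify a trusted-node entry that only `admin` should touch, while the unauthenticated probe is correctly refused. That split is exactly why the gray box phase follows the black box phase: an unauthenticated scan would have seen a 401 and moved on.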

Key Findings

The assessment was carried out entirely by lead-level specialists. We confirmed adherence to best practices in several areas and also identified vulnerabilities and issues in the application’s source code, its deployment configuration, and its functionality (whether features behave as intended).

The assessment identified several areas for improvement, including vulnerabilities, which the EBSI team fixed. All issues were categorized and remediated in collaboration with the client.

EBSI’s Feedback

Oscar Marimon Rius, EBSI’s Security Team Lead, shared his positive experience with Hacken’s methodology, emphasizing the user-friendly client portal and the efficiency of real-time report verification. “Regular security assessments are crucial, and partnering with skilled experts like Hacken ensures these efforts are effective and insightful. Their recommendations have greatly contributed to further strengthening the security of EBSI’s platform.” EBSI’s team appreciated the collaborative approach, noting the Hacken team’s flexibility and expertise in managing both the pentest and the ongoing smart contract audit.


Conclusion

Hacken’s comprehensive assessment has enhanced EBSI’s security posture, supporting its mission to provide a reliable and secure blockchain infrastructure for Europe’s public sector. By maintaining an agile and responsive testing process, Hacken continues to support all EU Member States, Norway and Liechtenstein, and the European Commission in building a resilient, trusted blockchain environment under the common European Blockchain Services Infrastructure.
