sygic-citadelo

Assignment

Sygic entrusted us with testing the web application of their Sygic FleetWork product, from the viewpoint of a standard end-user. After discussion we agreed to conduct the testing based on the full scope of the OWASP Testing Guide methodology. This encompasses a broad spectrum of vulnerabilities that could allow an attacker to compromise the Client’s application.

Our solution

After agreeing on the scope and timing, two ethical hackers from Citadelo proceeded to systematically challenge the Client’s application with a combination of automated tools and manual testing.

The testing yielded several vulnerabilities and business logic implementation flaws, which would allow users to gain access and execute actions beyond the scope of their accounts’ intended permissions. Some flaws were not critical on their own, but a resourceful attacker would have been able to combine them and misuse them for nefarious purposes.

We reported these vulnerabilities both in person and in our detailed report. The report contains non-technical explanations of the vulnerabilities found as well as detailed, documented examples of each bug, the steps needed to reproduce it, and recommendations on how to fix it. At an agreed-upon time, we re-tested the previously found vulnerabilities and included the results in the detailed report. We were pleased to see that Sygic heeded our recommendations and was quick to fix the issues in its application.

“Our engagement with Citadelo was quick and professional, and their help in securing our applications enabled us to focus on developing new capabilities. The detailed testing report showed us how small problems can turn into serious difficulties and how to address them in our other applications.”

Roman Huba, Product Manager, Sygic FleetWork

The client

Sygic Business Solutions is a specialized division of Sygic, developer of a state-of-the-art navigation application trusted by more than 130 million drivers worldwide.

Sygic Business Solutions develops a professional GPS navigation application with a well-documented SDK for easy integration with other mobile workforce management solutions. Its portfolio includes its own web-based fleet and workforce management system, Sygic FleetWork, and other geolocation-based products.

Sygic’s products are used by more than 1500 fleets in the fields of transport, expediting, and fieldwork, and in the automotive, public, and emergency response sectors.