How spriteCloud's Penetration Testing Enhanced GiftShift's Digital Defences

GiftShift addresses a major challenge faced by charities: Effectively reaching and engaging the younger generation. By offering a donation platform that is fast, flexible, and personal, GiftShift empowers younger donors to contribute in ways that resonate with them. Whether it's supporting environmental conservation or humanitarian aid, users can easily adjust their donation preferences to reflect the causes they care about most at any given time. 

GiftShift’s approach aims for meaningful partnerships with charities, ensuring a collaborative effort to make a positive impact. By aligning with organisations that share a vision for a better world, GiftShift amplifies collective impact. The company’s focus on tailoring donation experiences to the preferences of younger donors ensures that charities can connect with a new generation of donors, driving lasting social change.

Image of GiftShift's charities for donation
Image 1: Charities highlighted on the GiftShift platform.
No items found.

Background

In the modern charity landscape, trust is of great importance. For GiftShift, the stakes were high - they wanted to make sure that money transfers and data could not be exposed and altered by external attackers, especially given the sensitive nature of the causes they work with.

Giftshift approached spriteCloud towards the end of their development phase, as they were about to go live. It was clear throughout our scoping discussions, that a penetration test on their infrastructure was essential in the run-up to their launch event. We needed to confirm that no client data could be accessed, and their whole end-to-end flow was as smooth as possible. 

The Challenge: Building a Platform from Scratch

From the early scoping sessions one of the biggest potential problems GiftShift was facing became quite clear. As a startup, in order to effectively and efficiently develop the platform, using multiple microservices to outsource a lot of custom work is a viable solution. However, from a security perspective, this can create holes within the system.

Cons of using microservices in software development from a security perspective:

  • Managing security across many microservices increases complexity, leading to potential misconfigurations or gaps in protection.
  • Each microservice communicates via APIs, expanding the attack surface and requiring strong, consistent security policies across all endpoints.

But this doesn’t mean it’s all bad! Sometimes to save time and to optimise software, microservices are essential.

Pros of using microservices in software development from a security perspective:

  • Microservices enable better isolation of vulnerabilities, as each service is separated and can be secured independently.
  • Security updates can be applied to individual services without impacting the entire system, allowing for faster patching and response to threats.

As the complete setup of GiftShift had not been tested on the security and configuration side, and with their rising number of clients and transactions, they could become a bigger target for potential hackers. So, that’s where spriteCloud jumped in, to work together on a penetration test.

GiftShift's digital donation platform
Image 2: GiftShift's innovative digital donation platform.

The Execution

After scoping sessions and learning about the overall setup of the platform, we had an idea of where the key potential risks lay, and as a result, we adjusted our approach for the pentest. This led us to a few key scenarios that should be thoroughly secured in the system: 

  1. Testing of the donation flow: Ensuring that this part can’t be touched by external attackers will give GiftShift the confidence to scale further and get more collaborations with a wider variety of charities.
  2. Authentication: Knowing that you can’t gain access to someone else’s account, or see payment or personal information is key to complying with GDPR rulings, and mitigates any risk of data breaches which can cause huge reputation loss.
  3. Contact forms: As these forms are publicly accessible, there is a greater chance of multiple types of injection attacks. Knowing that your form is secure and not prone to any injection attacks is key to keeping your data secure and your platform up and running.
  4. Unauthorised data: This might be the biggest of them all. The biggest question is: “What can be reached from the public-facing assets?” By analysing and having insight into the workings of the application, we tried a variety of ways to gain backend information that we didn’t have prior access to. This way we could confirm that potential attackers would not be able to gain access to any valuable information.

Our Results

After running a four-day full hands-on grey box pentest on their public-facing assets, what were the results?

The actual findings cannot be shared, however, we can indicate that we were able to find four medium findings and one interesting informational finding. 

A developer’s goal is to not have any critical, high-priority issues, and given that most of the issues found were medium, we can say that the application was built really solidly.

In the post-execution follow-up call with GiftShift, spriteCloud provided GiftShift with solutions on how to fix the issues present in the platform. The GiftShift team was made aware of the potential risks these could pose, and the best next steps to take.

GiftShift has ever since picked up these findings and has increased its security posture against potential vulnerabilities.

Conclusion

The penetration test conducted by spriteCloud was a critical step in ensuring the security and stability of GiftShift’s platform. By identifying four medium-level vulnerabilities and one informational issue, the test confirmed that GiftShift’s system was built on a solid foundation, free from high-risk security threats. 

Feedback from GiftShift 

We are proud to have supported GiftShift ahead of its launch. We can’t wait to see the platform grow in the future, and for them to continue the positive impact they will have! 

Here is what John van Pijkeren, CEO of GiftShift and Jordy Dekker, CTO had to say about our work together:

“We are happy with the collaboration with spriteCloud. As a true partner, spriteCloud has immersed itself in GiftShift and our platform in a short time, has been very flexible, has thought along with us, has given us valuable insights, and has ultimately helped us very well to further develop our platform. I highly recommend spriteCloud to organisations facing challenges or opportunities in security or performance.”

- John van Pijkeren, CEO, GiftShift

“Due to the public exposure of our platform, securing information and ensuring the privacy of donors is essential. spriteCloud's research has shown us areas for improvement that we would never have discovered without them. With the professional help of spriteCloud, we have made our platform even more secure and guaranteed the safety of our donors and charities.” 

- Jordy Dekker, CTO, GiftShift

Want to ensure your website’s security? Email projects@spritecloud.com to get connected with our team.