Account-to-Server Takeover Test
A controlled external assessment turned separate warning signs into a verified account-to-server attack path and a prioritized plan for reducing risk before launch.

Industries
Consumer Commerce
Services
Vulnerability Assessment,
Penetration Testing
About the project
A consumer commerce platform preparing for launch needed to understand the risk behind earlier cloud credential exposure. One known exposure point had been corrected, but the public application, administrative functions, older content-management system, and previously exposed credentials warranted a broader external review. The client needed to know whether separate weaknesses could be combined into a larger compromise.
The stakes included unauthorized access to operational information, misuse of connected services, server takeover, and service disruption. The goal was to test the active environment safely, establish what an outside attacker could actually reach, and give the team a practical order for containment and repair.
What we did
- Vigilus mapped the internet-facing attack surface using custom Python tooling, passive discovery, network and TLS checks, route review, and manual browser and HTTP validation. Testing covered account creation, session behavior, API access, authorization controls, diagnostic exposure, and an older content-management surface from unauthenticated and low-privilege perspectives. Third-party services remained outside scope.
- Controlled exploitation connected the findings into an end-to-end path. A newly created outside account could reach management functions without the required permissions and then interact with a vulnerable server-side component to run a harmless operating-system command. This demonstrated server-level impact without accessing customer data, changing business records, or disrupting the service.
- The assessment also confirmed exposed application secrets, a usable cloud credential, weak session protection, detailed production errors, unintended business-data exposure, and outdated software. A read-only cloud identity check confirmed that the exposed credential was usable. All proof steps used harmless markers or read-only requests and followed strict safety limits, avoiding destructive changes, disruption, customer-data access, and testing of third-party systems.
- Vigilus delivered immediate containment guidance, cleanup steps for authorized test artifacts, and a prioritized remediation roadmap. Recommendations addressed identity verification, authorization, software updates, secret rotation, session protection, environment separation, and follow-on investigation. The external phase established the risk and repair order, but no formal retest was completed to verify that the findings had been fixed.
Technologies Used
Python
AWS

