Security and Penetration Testing of Jeeto.Online

Jeeto.Online is a real-time, online gaming platform offering multiple competitive and reward-based games to users. Securing the platform became a top priority with its growing user base and financial transactions. Our QA team was responsible for ensuring the platform's resilience against security vulnerabilities and unauthorized access through structured Security Testing and Penetration Testing.

Objectives of Security Testing:

• Protected user data

• Ensured secure authentication and authorization

• Identified and mitigated potential vulnerabilities
  
  

Scope of Testing:

• Integrated Game APIs

• Developed Admin Dashboard

• Implemented Payment Gateway Integration

• Managed Game Score & Leaderboard

• Handled Database Interactions

 

Testing Tools Used:
The tools used for security and penetration testing on Jeeto.Online:

• OWASP ZAP: For vulnerability scanning and attack simulations

• Burp Suite Pro:  To intercept, inspect, and manipulate HTTP(S) traffic

• Postman: For API-level security testing and validation

• Nmap: To perform network scanning

• Nikto: For scanning web servers to identify known vulnerabilities

• Metasploit: To simulate real-world penetration attacks

• JIRA – For logging, tracking, and managing discovered vulnerabilities

Challenges we faced during Testing:

Ensuring Users Can Log in Securely Without Any Hassle: A major challenge is balancing security and usability

• Securing authentication methods like OTP verification must be implemented without making the process too complex for users

• Checking for vulnerabilities in login mechanisms

• Ensuring session tokens and cookies are securely stored and transmitted

Preventing Malicious Input from Damaging Database Integrity: Input fields are common entry points for attacks like SQL injection. 

• Validating input sanitization and encoding mechanisms

• Testing various input types like special characters, long strings to see how the backend handles them

• Preventing brute-force attacks on OTP inputs

Blocking Malicious Scripts from Running in the User’s Browser: Cross-Site Scripting (XSS) attacks can compromise user data and trust

• Checking input/output encoding

• Ensuring the use of security headers

Protecting Admin Features from Unauthorized Users: Administrative panels often hold sensitive controls. 

• Verifying that role-based access control is implemented correctly 

• Ensuring privilege escalation is not possible by manipulating URLs or requests

• Conducting session testing to confirm that restricted features are inaccessible to non-admins

Ensuring Safe and Uncorrupted Financial Transactions: Financial systems are prime targets for fraud.

• Verifying transaction integrity and tamper-proofing mechanisms

• Preventing payment duplication or manipulation

• Validating successful transaction logging and rollback mechanisms

• Ensuring all payment data is encrypted and PCI-DSS compliant

• Performing boundary testing on monetary fields to detect vulnerabilities like integer overflow or floating-point precision errors

Preventing Vulnerability of Sensitive Data Through Open Endpoints: APIs and endpoints expose sensitive data if not secured.

• Scanning open or misconfigured endpoints

• Checking proper authentication and authorization on all API routes

• Ensuring rate limiting and encryption are in place

• Preventing fake or tampered scores from being submitted

• Securing leaderboard APIs from unauthorized access or manipulation

• Ensuring real-time updates do not expose sensitive user data

• Blocking replay attacks or score resubmission

• Managing data consistency during app crashes or network failures

Coordinating Across QA, Dev, and DevOps Teams Efficiently:

• Integrating security testing early in the CI/CD pipeline

• Aligning development, QA, and operations on vulnerability management and patching workflows

• Sharing real-time insights from automated and manual security tests across teams

Problems Identified During Testing:

Login Felt Secure but Frustrating for Users:

• Although the login system was secure, users found it confusing and difficult to navigate

• Session cookies and tokens weren’t fully secured, risking user data

Users Were Exposed to Unsafe Content

• Some fields allowed harmful scripts that could run in a user’s browser

• Missing security headers increased the risk of user attacks

Didn’t Handle Harmful Input From Breaking the System:

• Users could unknowingly trigger issues like SQL injection

• OTP fields were vulnerable to brute-force attacks

Regular Users Could Access Admin Features:

• By modifying URLs, non-admin users could reach restricted admin pages

• Weak session handling made unauthorized access easier

Financial Transactions Were Not Fully Protected:

• Users were able to duplicate or simulate fake transactions

• Some payment details could be altered during the testing phases

APIs and Personal Data Were at Risk:

• Some APIs were open or didn’t require a proper login

• Scoreboards and leaderboard data could be manipulated by users

Security Wasn’t Aligned With the Release Workflow

• Security vulnerabilities weren’t always fixed before releases

• Testing was sometimes skipped in automation

 

Solutions we have suggested/ implemented:

• Enforced strong password policies, added session timeouts, secured cookies, improved OTP flow, and limited OTP attempts.

• Applied strict input validation/filtering, output encoding, and tested for injection vulnerabilities and edge-case inputs.

• Used parameterized queries, input sanitization, and implemented server-side role validation and proper access restrictions.
  
  

• Tested for duplicate transactions, validated payment data, encrypted sensitive information, and logged all payment activities in the Admin Panel.

• Explored API endpoints, tested for unauthorized data access like score manipulation, and suggested encryption and rate limits.

• Added timestamp checks, signature validation, and tested for token theft and session hijacking.

• Pushed for CI/CD pipeline security checks and helped establish security-focused collaboration between QA, Dev, and DevOps teams.

• Used JIRA with severity tags, detailed replication steps, and video proofs for clear communication and faster issue resolution.

Outcomes of this Testing:

• Reduced overall vulnerability score by 85% through structured remediation

• Login tokens and sessions are now securely managed, reducing the risk of session hijacking

• All input fields are now properly sanitized, blocking SQL injection and other harmful inputs

• All user inputs and outputs are encoded, preventing script injection

• Unauthorized users can no longer access admin features, even by manipulating URLs or sessions

• Transactions are now encrypted, logged, and tamper-proof

• Score submissions and leaderboard APIs are protected from tampering or abuse

• App now handles crashes or network failures without losing data or breaking functionality

• Score and transaction consistency are maintained even during interruptions

• Ensured GDPR compliance and safeguarded user trust before going live