
[Part 2] Web Application Security Testing: Top 10 Risks & Solutions


In the previous article, we discussed risks and web application security testing measures for 5 types of attacks:

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting
  4. Indirect object security reference
  5. Security misconfiguration

Link – Part 1

Now let’s continue with the remaining 5 web application security threats.

6. Sensitive data exposure

Broken authentication and inefficient session management lead to sensitive data exposure. Examples of applications vulnerable to sensitive data exposure:

  • Data stored in plain text, such as passwords or credit card data 
  • Lack of HTTPS on authenticated pages
  • Passwords hashed without a salt, making them easy to crack
  • Tokens disclosed in public source code
  • Browser header caching sensitive data

I would suggest going through the part 1 of this series for in-depth knowledge about this vulnerability.

7. Cross-site request forgery

In a Cross-Site Request Forgery (CSRF) or session riding attack, an attacker forces a victim's browser to make an unintended web request such as a fraudulent bank transaction. For example, an attacker tricks the victim client into calling a banking function on a vulnerable page that transfers money from the victim's account to the attacker's. The victim triggers the attack by following the attacker's link or visiting the attacker's page. The vulnerable server page does not recheck whether the victim intended the request and allows the transfer to proceed.

The following steps detail the anatomy of a CSRF attack:

  1. The attacker finds a function in a web application that is vulnerable to CSRF.
  2. The attacker builds a link that invokes the vulnerable function with the required parameters; following the link executes the attack.
  3. The attacker then waits until the victim client authenticates with the vulnerable web application.
  4. The attacker tricks the victim client into following the malicious link.
  5. The victim client sends a forged request to the vulnerable server.
  6. The vulnerable server accepts and executes the forged request.

For example, the link might look like this when the payload is to transfer money from the victim’s to the attacker’s account:

/makeTransfer?amount=1000&dest=attacker@attackersite.com

The following link sends an email titled ‘Hello’ to johny@example.com – 

/sendMail?to=johny@example.com&title=Hello&body=I+did+not+send+this

Basic test for cross-site request forgery

You can follow these steps to test for CSRF bugs:

  1. Find a web application page that triggers/performs an action upon user request.
  2. Construct a page containing a link or redirect that sends a forged request to the application server. This link usually contains a tag such as an img or iframe with the source address pointing to the request.

<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

  3. Note that the links above generate a GET request. To test POST requests, create a page containing a form with the URL parameters passed as hidden inputs, and add a script that submits the form automatically:

<form action="http://bank.com/transfer.do" method="post">
    <input type="hidden" name="acct" value="MARIA">
    <input type="hidden" name="amount" value="100000">
</form>
<script>
    document.forms[0].submit();
</script>

  4. Open a browser and log in to the web application as a legitimate user.
  5. Open the page built in step 2 or 3 (follow the link if necessary).
  6. Confirm whether the request was successful.
  7. Repeat the test for every create/update/delete/mail action in the application.

Expected result: the test fails if the application trusts and processes the forged request.

Also, attackers can manipulate cookies.

Another example: suppose we allow users to post images on our forum. What if one of our users posts this image?

<img src="http://foo.com/logout">

This is not really an image. But it will force the target URL to be retrieved by any user who happens to browse that page, using their browser credentials. From the web server's perspective, there is no difference whatsoever between a real user-initiated browser request and the above image URL retrieval.

If our logout page is a simple HTTP GET that requires no confirmation, every user who visits that page will be immediately logged out.

Consider these examples of cross-site forgery: CSRF token leakage through Google Analytics, deleting account and erasing imported contacts, change any user ZONE, Add optional two factor mobile number
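The following is an added example (not code from the original article) of the server-side defence that the test steps above probe: a hypothetical /transfer.do handler that refuses state changes over GET, so the link and image variants cannot trigger it, and requires a synchronizer token bound to the session, replayed against the forged link, the forged auto-submitted form and a legitimate submission. The function names, the server secret and the session ids are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server secret for this example; a real deployment loads it from config.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce + HMAC(secret, session_id:nonce).
    The server embeds it in every state-changing form as a hidden input."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """True only if the token was minted for this session; constant-time comparison."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(method: str, session_id: str, form: Dict[str, str]) -> int:
    """Hypothetical /transfer.do handler; returns the HTTP status it would send.
    Two defences: a state change is never accepted over GET (so an <a> or <img>
    link cannot trigger it), and a POST must carry a token tied to the session."""
    if method != "POST":
        return 405
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403
    # The transfer of form["amount"] to form["acct"] would happen here.
    return 200


def run_forged_requests(session_id: str) -> Dict[str, int]:
    """Replays the forged requests from the test steps against the handler."""
    forged_get = {"acct": "MARIA", "amount": "100000"}      # the <a>/<img> link
    forged_post = {"acct": "MARIA", "amount": "100000"}     # the auto-submitted form
    legit_post = dict(forged_post, csrf_token=issue_csrf_token(session_id))
    return {
        "img_link_get": handle_transfer("GET", session_id, forged_get),
        "forged_form_post": handle_transfer("POST", session_id, forged_post),
        "legitimate_post": handle_transfer("POST", session_id, legit_post),
    }


if __name__ == "__main__":
    print(run_forged_requests("session-of-maria"))
```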

8. Missing function level access control

If the authentication check in sensitive request handlers is insufficient or non-existent, the vulnerability is Missing Function Level Access Control.

How to test for missing function level access control?

The best way to find out whether an application fails to properly restrict function-level access is to verify every application function:

  1. Does the UI show navigation to unauthorized functions?
  2. Are server-side authentication or authorization checks missing?
  3. Do server-side checks rely solely on information provided by the attacker?

Using a proxy, browse the application with a privileged role. Then revisit the restricted pages using a less privileged role. If the server responses are alike, the application is probably vulnerable.

In one potential scenario an attacker simply forces the browser to target URLs. Consider the following URLs, both of which should require authentication. The second also requires admin rights to access the "admin_getappInfo" page.

http://example.com/app/getappInfo

http://example.com/app/admin_getappInfo

If an unauthenticated user (attacker) can access either page, unauthorized access was allowed. This flaw may lead the attacker to further unprotected admin pages.

Example of a missing function level access control attack – Delete Credit Cards from any Twitter Account.
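The differential test described above (fetch with a privileged role, replay with a less privileged one, compare responses), as an added example that is not from the original article: a constructed in-memory routing table for the two URLs, one version with the flaw and one with the fix, and a checker that flags restricted paths whose response does not change with the role. All route, role and function names are hypothetical.

```python
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]
Handler = Callable[[str], Response]   # handler receives the role from the server-side session

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


def require(min_role: str, handler: Handler) -> Handler:
    """Server-side authorization wrapper. The decision is made from the session role,
    never from a parameter the client can supply."""
    def guarded(role: str) -> Response:
        if ROLE_RANK.get(role, -1) < ROLE_RANK[min_role]:
            return (403, "forbidden")
        return handler(role)
    return guarded


def app_info(role: str) -> Response:
    return (200, "app info")


def admin_app_info(role: str) -> Response:
    return (200, "ADMIN: application internals")


# Constructed vulnerable routing table: the admin page is only hidden from the UI;
# its handler carries no server-side check (the flaw this section describes).
VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/app/getappInfo": require("user", app_info),
    "/app/admin_getappInfo": admin_app_info,
}
FIXED_ROUTES: Dict[str, Handler] = {
    "/app/getappInfo": require("user", app_info),
    "/app/admin_getappInfo": require("admin", admin_app_info),
}


def request(routes: Dict[str, Handler], path: str, role: str) -> Response:
    handler = routes.get(path)
    return handler(role) if handler else (404, "not found")


def find_missing_access_control(routes: Dict[str, Handler],
                                restricted: Dict[str, str]) -> List[Tuple[str, str]]:
    """The test from this section, automated: for every restricted path (mapped to the
    role it should require), fetch it as that role, then replay it as each lower role.
    An identical response means the check is missing; returns (path, role) findings."""
    findings = []
    for path, needed in restricted.items():
        privileged = request(routes, path, needed)
        for role, rank in ROLE_RANK.items():
            if rank < ROLE_RANK[needed] and request(routes, path, role) == privileged:
                findings.append((path, role))
    return findings


if __name__ == "__main__":
    checks = {"/app/getappInfo": "user", "/app/admin_getappInfo": "admin"}
    print(find_missing_access_control(VULNERABLE_ROUTES, checks))
    print(find_missing_access_control(FIXED_ROUTES, checks))
```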

9. Shellshock and Heartbleed attacks

Shellshock

Shellshock is a remote command execution vulnerability in Bash. The character sequence () { :; }; is the start of a function definition that Bash accepts from environment variables; a vulnerable Bash keeps parsing past the closing brace and executes whatever commands follow it when the environment is imported.

More on — manually exploiting shellshock vulnerability

Tools for checking Shellshock

Through command line:

To determine if your Linux or Unix system is vulnerable, type the following at the command line:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Online tools – 

  1. Penetration testing tools
  2. Shellshock bash vulnerability test tool

Heartbleed

Heartbleed is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension. It allows attackers to read portions of the affected server's memory, potentially revealing users' data that the server never intended to expose.

A heartbeat request carries a payload and a claimed payload length. A vulnerable OpenSSL does not check the claim against the data actually received, so an attacker can declare a length of up to 64KB while sending only a few bytes; the server allocates a 64KB buffer, copies that many bytes from its own memory into it and sends it back, leaking the victim's memory 64KB at a time.

Web application security testing tools for heartbleed attack

  1. defribulator v1.16 : Command→ python ssltest.py example.com (ssltest.py file is available with me)
  2. Online tool: Filippo
  3. For android, you can download Bluebox open SSL scanner

Also read – Heartbleed bug FAQs, Bugs and solutions

How to prevent heartbleed attack?

  • Upgrade the OpenSSL version to 1.0.1g
  • Request revocation of the current SSL certificate
  • Regenerate your private key
  • Request and replace the SSL certificate

Examples of Heartbleed security attacks: information disclosure on Concrete5, port 1433, server returning more data

10. Unvalidated redirects and forwards

Unvalidated redirect vulnerabilities occur when an attacker is able to redirect a user to an untrusted site when the user visits a link located on a trusted website. This vulnerability is also often called Open Redirect.

It is possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

How to test unvalidated redirects and forwards?

Spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.

Web application security testing: preventing unvalidated redirects

  1. Simply avoid using redirects and forwards.
  2. If you must use redirects/forwards, do not take the destination URL from user input. If you do, you must have a method to validate the URL.
  3. If you cannot avoid user input, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  4. Map any such destination input to a value rather than the actual URL or a portion of it, and ensure that server-side code translates this value to the target URL.
  5. Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
  6. Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.

Consider these examples: open redirect, open redirect in bulk edit
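An added example (not from the original article) of prevention steps 4 and 5 together: a server-side destination mapping, and an allow-list validator for user-supplied redirect targets that rejects the bypass forms an open-redirect test would try (scheme-relative //host, backslashes, control characters, userinfo@ tricks, lookalike hosts, non-http schemes). TRUSTED_HOSTS, DESTINATIONS and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for a hypothetical site: hosts a redirect may legitimately reach.
TRUSTED_HOSTS = {"www.example.com", "accounts.example.com"}

# Prevention step 4: clients send an opaque key; only the server knows the real URL.
DESTINATIONS = {"dashboard": "/app/dashboard", "help": "https://www.example.com/help"}


def resolve_destination(key: str, default: str = "/") -> str:
    """Mapping approach: anything not in the table falls back to the default."""
    return DESTINATIONS.get(key, default)


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Allow-list approach (step 5) for a user-supplied target. Accepts same-site
    relative paths and absolute http(s) URLs whose host is trusted; everything else
    gets the default, so a phishing target never reaches the Location header."""
    if not raw:
        return default
    # Drop control characters (tab, newline) and treat backslash as slash, as browsers do.
    candidate = "".join(ch for ch in raw.strip() if ch.isprintable()).replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:            # malformed IPv6 literal and similar garbage
        return default
    # Relative path: exactly one leading slash and no scheme/authority component.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate if (parts.scheme == "" and parts.netloc == "") else default
    if parts.scheme not in ("http", "https"):
        return default
    host = parts.hostname         # lower-cased; userinfo and port already stripped
    return candidate if host in TRUSTED_HOSTS else default


if __name__ == "__main__":
    for sample in ["/app/dashboard", "//evil.example/phish", "https://www.example.com@evil.example/"]:
        print(repr(sample), "->", safe_redirect_target(sample))
```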

So, this was all about prevailing risks and web application security testing measures to prevent your website from attackers. For further queries & doubts, feel free to write to hello@mantralabsglobal.com

About the author: Rijin Raj is a Senior Software Engineer-QA at Mantra Labs, Bangalore. He is a seasoned tester and backbone of the organization with uncompromising attention to detail.
