Jeeto.Online is a dynamic, real-time gaming platform developed by Riseup Labs, offering users a variety of competitive, reward-based games. As the platform’s user base and financial transactions grew, securing it against potential threats became a top priority. After successfully developing Jeeto.Online, Riseup Labs’ QA team undertook structured Security Testing and Penetration Testing to ensure the platform’s resilience against security vulnerabilities, unauthorized access, and data breaches. The goal was to safeguard user information, financial transactions, and maintain the integrity of the gaming experience.

Objectives of Security Testing

Protect user data
Ensure secure authentication and authorization
Identify and mitigate potential vulnerabilities

Scope of Testing

Riseup Labs’ QA team performed a comprehensive security evaluation across key components of the Jeeto.Online platform.

Integrated Game APIs

We assessed the security of APIs that facilitate real-time gaming functions, ensuring all data exchanges remained protected from tampering or interception.

Developed Admin Dashboard

The admin dashboard was tested extensively to verify that sensitive administrative controls were accessible only to authorized users.

Implemented Payment Gateway Integration

Security testing covered the entire payment flow, ensuring that financial transactions were secure, properly encrypted, and met industry compliance standards.

Managed Game Score & Leaderboard

We validated the protection mechanisms for the scoring and leaderboard systems to ensure that game outcomes remained fair and free from manipulation.

Handled Database Interactions

The testing focused on protecting the backend database against SQL injection, unauthorized access and data leaks, and safeguarding critical user and system data.

Testing Tools Used

The tools used for security and penetration testing on Jeeto.Online:

OWASP ZAP: For vulnerability scanning and attack simulations

Burp Suite Pro: To intercept, inspect, and manipulate HTTP(S) traffic

Postman: For API-level security testing and validation

Nmap: To perform network scanning

Nikto: For scanning web servers to identify known vulnerabilities

Metasploit: To simulate real-world penetration attacks

JIRA: For logging, tracking, and managing discovered vulnerabilities

Challenges We Faced During Testing

Testing surfaced a range of weaknesses, each of which posed a direct threat to user data or transactions.

Ensuring Login Security Without Hassle for Users
Implementing strong authentication without degrading the user experience proved challenging.

>> A simple OTP-based login was missing
>> Session cookies and tokens were not securely configured, leaving active sessions open to theft
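As an added illustration (not code from Jeeto.Online or Riseup Labs), the snippet below shows what a properly configured session cookie looks like and how an OTP check can be capped so it cannot be brute-forced. The Set-Cookie attributes, the five-attempt lockout, the five-minute OTP lifetime and the in-memory store are assumed values chosen for the example.

```python
import hmac
import secrets
import time

# Added example: server-side session cookie issuance and OTP verification with
# a guess cap. Limits and the in-memory store are assumptions, not Jeeto.Online code.

OTP_TTL_SECONDS = 300        # assumed: an OTP is valid for five minutes
OTP_MAX_ATTEMPTS = 5         # assumed: the code is locked after five wrong guesses
SESSION_TTL_SECONDS = 1800   # assumed: idle sessions expire after 30 minutes


def session_cookie_header(token: str) -> str:
    """Set-Cookie value that keeps the token away from JavaScript (HttpOnly),
    off plaintext HTTP (Secure), out of cross-site requests (SameSite=Strict)
    and bounded in lifetime (Max-Age)."""
    return (f"session={token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/; Max-Age={SESSION_TTL_SECONDS}")


def new_session_token() -> str:
    # 32 bytes from the OS CSPRNG; never derive tokens from user ids or clock values
    return secrets.token_urlsafe(32)


class OtpStore:
    """Server-side OTP records: code, expiry and remaining attempts per user."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._records = {}

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # six uniformly random digits
        self._records[user_id] = {"code": code,
                                  "expires": self._now() + OTP_TTL_SECONDS,
                                  "attempts_left": OTP_MAX_ATTEMPTS}
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok', 'expired', 'locked' or 'wrong'. A code is single-use:
        it is discarded on success, on expiry and when attempts run out."""
        rec = self._records.get(user_id)
        if rec is None:
            return "wrong"
        if self._now() > rec["expires"]:
            del self._records[user_id]
            return "expired"
        if rec["attempts_left"] <= 0:
            del self._records[user_id]
            return "locked"
        rec["attempts_left"] -= 1
        # constant-time comparison so response timing leaks nothing about the digits
        if hmac.compare_digest(rec["code"].encode(), submitted.encode()):
            del self._records[user_id]
            return "ok"
        return "wrong"


def brute_force_demo() -> dict:
    """Constructed scenario: an attacker submitting every code in turn is
    stopped after OTP_MAX_ATTEMPTS wrong guesses instead of eventually succeeding."""
    store = OtpStore()
    real_code = store.issue("user-42")
    results = []
    for guess in range(10**6):
        candidate = f"{guess:06d}"
        if candidate == real_code:
            continue              # skip the real code so only the lockout is observed
        result = store.verify("user-42", candidate)
        results.append(result)
        if result == "locked":
            break
    return {"guesses": len(results), "final": results[-1],
            "cookie": session_cookie_header(new_session_token())}
```

Run stand-alone, brute_force_demo() stops after six submissions: five wrong guesses exhaust the budget and the sixth is refused as locked, after which the user must request a fresh code.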

Preventing Malicious Input from Damaging Database Integrity

>> Input fields were vulnerable to attacks such as SQL injection
>> Special characters and unusually long inputs exposed weak handling in the backend
>> OTP verification steps were prone to brute-force attempts
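The following is an added example, not Jeeto.Online's code, showing the two findings above side by side: a login query built by string formatting that an injection payload bypasses, the same query with bound parameters that the payload cannot bypass, and a length and character check applied before any value reaches the database. The table, the sample row and the username policy are constructed for the example.

```python
import re
import sqlite3

# Added example (not Jeeto.Online code): vulnerable vs parameterized login
# query against a constructed in-memory SQLite database.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # constructed sample row; a real system stores a salted password hash
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    # String formatting drops attacker-controlled text straight into SQL syntax.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username: str, password_hash: str) -> bool:
    # Placeholders send the values separately from the statement; the driver
    # never interprets them as SQL, whatever characters they contain.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")   # assumed username policy


def validate_username(username: str) -> bool:
    """Defence in depth for the 'special characters and unusually long inputs'
    finding: reject malformed values before they reach any query."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed payload: closes the string, adds an always-true clause and
# comments out the password check.
INJECTION_PAYLOAD = "' OR '1'='1' --"


def sqli_demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, INJECTION_PAYLOAD, "anything"),
        "safe_bypassed": login_safe(conn, INJECTION_PAYLOAD, "anything"),
        "payload_rejected_by_validation": not validate_username(INJECTION_PAYLOAD),
    }
```

With the payload as the username, login_vulnerable returns True with no valid credential, while login_safe returns False; the validation step would have refused the value before the query ran at all. Parameterization is the control that matters, validation is the extra layer.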

Blocking Malicious Scripts from Running in the User’s Browser

>> User-supplied values were rendered without output encoding, so injected scripts could execute in other users' browsers
>> Missing security headers made the browser environment susceptible to Cross-Site Scripting (XSS) attacks
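As an added example (not code from the Jeeto.Online project), the snippet below renders a user-controlled value without and with output encoding, and lists the response headers whose absence the test flagged, with a small check that reports which ones a response is missing. The header values are assumed reasonable defaults and the XSS payload is constructed.

```python
import html

# Added example (not Jeeto.Online code): output encoding for user-controlled
# values and a check for missing browser-hardening headers.

# constructed payload: a stored display name that carries a script tag
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_greeting_unsafe(display_name: str) -> str:
    # Raw interpolation: the value can close the <p> and open a <script>.
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    # html.escape turns < > & " ' into entities, so the value is shown as text.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


# Assumed baseline header set; tune the CSP to the assets the site actually loads.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def missing_security_headers(response_headers: dict) -> list:
    """Return the hardening headers a response lacks (names compared case-insensitively)."""
    present = {name.lower() for name in response_headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


def xss_demo() -> dict:
    return {
        "unsafe_contains_script": "<script>" in render_greeting_unsafe(XSS_PAYLOAD),
        "safe_contains_script": "<script>" in render_greeting_safe(XSS_PAYLOAD),
        "bare_response_missing": missing_security_headers({"Content-Type": "text/html"}),
        "hardened_response_missing": missing_security_headers(SECURITY_HEADERS),
    }
```

Encoding at the point of output is the primary fix; the CSP and the other headers are defence in depth that limits what an injected script could do if one slips through, which is why the test treats their absence as a finding in its own right.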

Protecting Admin Features from Unauthorized Users

>> Access control for admin features was weak. URL manipulation and poor session handling opened pathways for non-admin users to reach restricted sections.
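The handler below is an added example, not Jeeto.Online's code, contrasting the broken pattern (an admin link hidden in the UI and a client-supplied role cookie) with server-side role validation that resolves the role from the session store and normalizes the path before matching. The session ids, routes and roles are assumed for illustration.

```python
import posixpath

# Added example (not Jeeto.Online code): admin authorization that trusts
# client input versus authorization resolved from the server-side session.

SESSIONS = {                      # constructed server-side session store
    "sid-admin-1": {"user": "ops", "role": "admin"},
    "sid-user-7": {"user": "bob", "role": "player"},
}

ADMIN_PREFIX = "/admin/"


def handle_vulnerable(path: str, cookies: dict) -> int:
    """Checks a 'role' cookie the client can edit and matches the raw path;
    typing the URL and changing the cookie is enough to get in, and a path
    such as /public/../admin/users is not even recognised as admin if the
    framework routes on the raw string."""
    if path.startswith(ADMIN_PREFIX) and cookies.get("role") != "admin":
        return 403
    return 200


def handle_safe(path: str, cookies: dict) -> int:
    """Resolves the role from the server-side session keyed by session id.
    Nothing in the URL or in any other cookie influences the decision."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401
    canonical = posixpath.normpath(path)        # collapse ./ and ../ segments
    if canonical.startswith(ADMIN_PREFIX) and session["role"] != "admin":
        return 403
    return 200


def authz_demo() -> dict:
    # constructed attack: a player's real session id plus a forged role cookie
    forged = {"session": "sid-user-7", "role": "admin"}
    return {
        "vulnerable_forged_cookie": handle_vulnerable("/admin/users", forged),
        "safe_forged_cookie": handle_safe("/admin/users", forged),
        "safe_real_admin": handle_safe("/admin/users", {"session": "sid-admin-1"}),
        "safe_no_session": handle_safe("/admin/users", {}),
        "vulnerable_traversal": handle_vulnerable("/public/../admin/users", {"session": "sid-user-7"}),
        "safe_traversal": handle_safe("/public/../admin/users", {"session": "sid-user-7"}),
    }
```

The rule the safe handler encodes is the one the remediation calls "server-side role validation": every request to a restricted route re-derives the caller's role from state the server owns, so hiding links, renaming paths or editing cookies changes nothing.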

Ensuring Safe and Uncorrupted Financial Transactions

>> Payment processes allowed duplication and unauthorized modifications of transactions
>> Sensitive financial data lacked sufficient protection mechanisms

Preventing Exposure of Sensitive Data Through Open Endpoints

>> Several API endpoints were accessible without proper authentication
>> Score and leaderboard data could be tampered with
>> Real-time updates posed a risk of exposing sensitive information
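The following is an added example, not Jeeto.Online's code, covering both the payment findings above (duplicated or modified transactions) and the score and leaderboard findings: a receiver that accepts a message only if its HMAC matches, its timestamp is within a replay window, its identifier has not been processed before, and the sender is under a rate limit. The key, the window, the limit and the message shapes are assumed. One caveat matters for scores: the signing key must be held by a party the player does not control (the game backend or the payment gateway); a signature produced in the player's browser proves nothing, because the player can sign any score.

```python
import hashlib
import hmac
import json
import time

# Added example (not Jeeto.Online code): signed, timestamped, idempotent and
# rate-limited acceptance of payment notifications and score submissions.

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # real key belongs in a secret store
MAX_SKEW_SECONDS = 120        # assumed replay window
MAX_PER_MINUTE = 30           # assumed per-sender rate limit


def canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace so sender and receiver sign identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class Receiver:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock for testing the window
        self._seen_ids = set()     # idempotency keys already processed
        self._sends = {}           # sender -> accepted timestamps in the last minute
        self.accepted = []

    def accept(self, body: dict, signature: str) -> str:
        """Return 'ok' or a rejection reason; only 'ok' changes state."""
        if not hmac.compare_digest(sign(body), signature):
            return "bad-signature"          # amount or score altered, or no key
        now = self._now()
        if abs(now - body["ts"]) > MAX_SKEW_SECONDS:
            return "stale"                  # captured earlier and replayed late
        if body["id"] in self._seen_ids:
            return "duplicate"              # same transaction or score twice
        recent = [t for t in self._sends.get(body["sender"], []) if now - t < 60]
        if len(recent) >= MAX_PER_MINUTE:
            return "rate-limited"
        self._sends[body["sender"]] = recent + [now]
        self._seen_ids.add(body["id"])
        self.accepted.append(body)
        return "ok"


def demo() -> dict:
    clock = [1_700_000_000.0]
    rx = Receiver(now=lambda: clock[0])
    # constructed gateway notification for a 500-unit deposit
    msg = {"id": "txn-1001", "sender": "gateway", "ts": clock[0], "amount": 500}
    sig = sign(msg)
    results = {"first": rx.accept(msg, sig), "replay": rx.accept(msg, sig)}
    forged = dict(msg, id="txn-1002", amount=50_000)     # body changed, old signature
    results["forged"] = rx.accept(forged, sig)
    clock[0] += 600                                        # ten minutes later
    late = dict(msg, id="txn-1003")                        # valid signature, old ts
    results["stale"] = rx.accept(late, sign(late))
    # constructed score report signed by the game backend, not the player
    score = {"id": "score-7", "sender": "game-server", "ts": clock[0], "score": 9999}
    results["score_ok"] = rx.accept(score, sign(score))
    results["score_tampered"] = rx.accept(dict(score, score=999999), sign(score))
    return results
```

The idempotency check is what stops duplicate transactions: a gateway retry or a replayed capture carries the same id and is acknowledged without being processed twice. The signature check is what stops modification, and the timestamp bounds how long a captured message stays usable.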

Coordinating Across QA, Dev, and DevOps Teams Efficiently

>> Security tasks weren’t always integrated into the release pipeline
>> Vulnerabilities were sometimes left unresolved before deployment due to fragmented communication across teams
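As an added example of what a pipeline security check can look like (this is not Riseup Labs' pipeline), the script below reads a ZAP JSON scan report and returns a non-zero exit status when any alert at or above a chosen risk level remains, so a release with open Medium or High findings cannot ship. The field names follow ZAP's traditional JSON report as the author of this example understands it (site[].alerts[] with a riskcode of 0 to 3); check them against the report your ZAP version writes. The report embedded here is constructed sample data.

```python
import json

# Added example (not Riseup Labs' pipeline): a CI release gate over a ZAP JSON
# report. Field names assume ZAP's traditional JSON format; SAMPLE_REPORT is
# constructed data.

SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://staging.example",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example/api/login", "method": "POST"}]},
            {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "confidence": "3",
             "instances": [{"uri": "https://staging.example/", "method": "GET"}]},
            {"alert": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example/login", "method": "GET"}]},
        ],
    }],
})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def failing_alerts(report_json: str, min_risk: int = 2) -> list:
    """Return (risk, alert name, uri) for every alert instance at or above min_risk,
    highest risk first."""
    report = json.loads(report_json)
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", "0"))
            if risk < min_risk:
                continue
            for inst in alert.get("instances", []) or [{}]:
                uri = inst.get("uri", site.get("@name", "?"))
                found.append((risk, alert.get("alert", "?"), uri))
    return sorted(found, reverse=True)


def gate(report_json: str, min_risk: int = 2) -> int:
    """Exit status for the CI step: 0 lets the release through, 1 blocks it."""
    hits = failing_alerts(report_json, min_risk)
    for risk, name, uri in hits:
        print(f"[{RISK_NAMES[risk]}] {name} at {uri}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

In a real pipeline the report would come from a scan run against the staging deployment, and the gate would be one required step before the deploy job; the threshold can start at High and be tightened to Medium once the backlog is cleared, which is the kind of integration the team was pushing for.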

Problems Identified During Testing

Login Was Cumbersome and Sessions Were Not Fully Secured

The login flow was confusing for users, and session cookies and tokens were not fully secured, putting user data at risk.

Users Were Exposed to Unsafe Content

Some input fields allowed harmful scripts, and missing security headers increased the risk of user-targeted attacks.

Harmful Input Was Not Prevented From Breaking the System

SQL injection vulnerabilities were present, and OTP fields were susceptible to brute-force attacks.

Regular Users Could Access Admin Features

Non-admin users could modify URLs to access restricted admin pages, and weak session handling made unauthorized access easier.

Financial Transactions Were Not Fully Protected

Duplicate or fake transactions were possible during testing, and some payment details could be tampered with.

APIs and Personal Data Were at Risk

Certain APIs could be called without authentication, and scoreboard data could be manipulated by users.

Security Wasn’t Aligned With the Release Workflow

Security vulnerabilities were sometimes overlooked before release, and security tests were occasionally skipped in the automated pipeline.

Solutions We Have Suggested / Implemented

Riseup Labs has taken proactive steps to enhance the security posture of Jeeto.Online by implementing the following solutions:

>> Enforced strong password policies, added session timeouts, secured cookies, improved OTP flow, and limited OTP attempts

>> Applied strict input validation/filtering, output encoding, and tested for injection vulnerabilities and edge-case inputs

>> Used parameterized queries, input sanitization, and implemented server-side role validation and proper access restrictions

>> Tested for duplicate transactions, validated payment data, encrypted sensitive information, and logged all payment activities in the Admin Panel

>> Enumerated API endpoints, tested for unauthenticated access and score manipulation, and recommended authentication on every endpoint, encryption in transit, and rate limits

>> Added timestamp checks, signature validation, and tested for token theft and session hijacking

>> Pushed for CI/CD pipeline security checks and helped establish security-focused collaboration between QA, Dev, and DevOps teams

>> Used JIRA with severity tags, detailed replication steps, and video proofs for clear communication and faster issue resolution

Outcomes of this Testing

After implementing the enhanced security measures, Riseup Labs has addressed the risks identified during security and penetration testing of Jeeto.Online. Here is an at-a-glance view of the outcomes of that testing.

>> Reduced overall vulnerability score by 85% through structured remediation

>> Login tokens and sessions are now securely managed, reducing the risk of session hijacking

>> All input fields are now properly sanitized, blocking SQL injection and other harmful inputs

>> All user inputs and outputs are encoded, preventing script injection

>> Unauthorized users can no longer access admin features, even by manipulating URLs or sessions

>> Transactions are now encrypted in transit, logged, and protected against tampering and replay

>> Score submissions and leaderboard APIs are protected from tampering or abuse

>> App now handles crashes or network failures without losing data or breaking functionality

>> Score and transaction consistency are maintained even during interruptions

>> Ensured GDPR compliance and safeguarded user trust before going live

This page was last edited on 8 April 2025, at 5:52 pm