Jeeto.Online is a dynamic, real-time gaming platform developed by Riseup Labs, offering users a variety of competitive, reward-based games. As the platform’s user base and financial transactions grew, securing it against potential threats became a top priority. After successfully developing Jeeto.Online, Riseup Labs\u2019 QA team undertook structured Security Testing and Penetration Testing to ensure the platform\u2019s resilience against security vulnerabilities, unauthorized access, and data breaches. The goal was to safeguard user information, financial transactions, and maintain the integrity of the gaming experience.<\/p>\n\n\n\n
Protect user data Riseup Labs\u2019 QA team performed a comprehensive security evaluation across key components of the Jeeto.Online platform.<\/p>\n\n\n\n Integrated Game APIs<\/strong><\/p>\n\n\n\n We assessed the security of APIs that facilitate real-time gaming functions, ensuring all data exchanges remained protected from tampering or interception.<\/em><\/p>\n\n\n\n Developed Admin Dashboard<\/strong><\/p>\n\n\n\n The admin dashboard was tested extensively to verify that sensitive administrative controls were accessible only to authorized users.<\/em><\/p>\n\n\n\n Implemented Payment Gateway Integration<\/strong><\/p>\n\n\n\n Security testing covered the entire payment flow, ensuring that financial transactions were secure, properly encrypted, and met industry compliance standards.<\/em><\/p>\n\n\n\n Managed Game Score & Leaderboard<\/strong><\/p>\n\n\n\n We validated the protection mechanisms for the scoring and leaderboard systems to ensure that game outcomes remained fair and free from manipulation.<\/em><\/p>\n\n\n\n Handled Database Interactions<\/strong><\/p>\n\n\n\n The testing focused on protecting the backend database against SQL injection, unauthorized access and data leaks, and safeguarding critical user and system data.<\/em><\/p>\n\n\n\n The tools used for security and penetration testing on Jeeto.Online:<\/p>\n\n\n\n OWASP ZAP:<\/strong> For vulnerability scanning and attack simulations<\/p>\n\n\n\n Burp Suite Pro: <\/strong> To intercept, inspect, and manipulate HTTP(S) traffic<\/p>\n\n\n\n Postman: <\/strong>For API-level security testing and validation<\/p>\n\n\n\n Nmap:<\/strong> To perform network scanning<\/p>\n\n\n\n Nikto<\/strong>: For scanning web servers to identify known vulnerabilities<\/p>\n\n\n\n Metasploit:<\/strong> To simulate real-world penetration attacks<\/p>\n\n\n\n JIRA:<\/strong> For logging, tracking, and managing discovered vulnerabilities<\/p>\n\n\n\n We faced a range of challenges that could act as a security threat to user data and transactions.<\/p>\n\n\n\n Ensuring Log-in Security Without Any Hassle >> A simple OTP-based login was missing Preventing Malicious Input from Damaging Database Integrity<\/strong><\/p>\n\n\n\n >> Input fields were vulnerable to attacks such as SQL injection Blocking Malicious Scripts from Running in the User\u2019s Browser<\/strong><\/p>\n\n\n\n >> Fields lacked proper encoding and allowed the execution of unsafe scripts Protecting Admin Features from Unauthorized Users<\/strong><\/p>\n\n\n\n >> Access control for admin features was weak. URL manipulation and poor session handling opened pathways for non-admin users to reach restricted sections.<\/em><\/p>\n\n\n\n Ensuring Safe and Uncorrupted Financial Transactions<\/strong><\/p>\n\n\n\n >> Payment processes allowed duplication and unauthorized modifications of transactions Preventing Vulnerability of Sensitive Data Through Open Endpoints<\/strong><\/p>\n\n\n\n >> Several API endpoints were accessible without proper authentication Coordinating Across QA, Dev, and DevOps Teams Efficiently<\/strong><\/p>\n\n\n\n >> Security tasks weren\u2019t always integrated into the release pipeline Login Felt Secure but Frustrating for Users<\/strong><\/p>\n\n\n\n Although the login process was secure, users found it confusing, and session cookies and tokens weren’t fully secured, risking user data.<\/em><\/p>\n\n\n\n Users Were Exposed to Unsafe Content<\/strong><\/p>\n\n\n\n Some input fields allowed harmful scripts, and missing security headers increased the risk of user-targeted attacks<\/em><\/p>\n\n\n\n Didn\u2019t Handle Harmful Input From Breaking the System<\/strong><\/p>\n\n\n\n SQL injection vulnerabilities were present, and OTP fields were susceptible to brute-force attacks.<\/em><\/p>\n\n\n\n Regular Users Could Access Admin Features<\/strong><\/p>\n\n\n\n Non-admin users could modify URLs to access restricted admin pages, and weak session handling made unauthorized access easier.<\/em><\/p>\n\n\n\n Financial Transactions Were Not Fully Protected<\/strong><\/p>\n\n\n\n Duplicate or fake transactions were possible during testing, and some payment details could be tampered with.<\/em><\/p>\n\n\n\n APIs and Personal Data Were at Risk<\/strong><\/p>\n\n\n\n Certain APIs lacked proper login requirements, and scoreboard data could be manipulated by users.<\/em><\/p>\n\n\n\n Security wasn\u2019t Aligned With the Release Workflow<\/strong><\/p>\n\n\n\n Security vulnerabilities were sometimes overlooked before release, and testing was occasionally skipped in automation.<\/em><\/p>\n\n\n\n Riseup Labs has taken proactive steps to enhance the security posture of Jeeto.Online by implementing the following solutions:<\/p>\n\n\n\n >> Enforced strong password policies, added session timeouts, secured cookies, improved OTP flow, and limited OTP attempts<\/em><\/p>\n\n\n\n >> Applied strict input validation\/filtering, output encoding, and tested for injection vulnerabilities and edge-case inputs<\/em><\/p>\n\n\n\n >> Used parameterized queries, input sanitization, and implemented server-side role validation and proper access restrictions<\/em><\/p>\n\n\n\n >> Tested for duplicate transactions, validated payment data, encrypted sensitive information, and logged all payment activities in the Admin Panel<\/em><\/p>\n\n\n\n >> Explored API endpoints, tested for unauthorized data access like score manipulation, and suggested encryption and rate limits<\/em><\/p>\n\n\n\n >> Added timestamp checks, signature validation, and tested for token theft and session hijacking<\/em><\/p>\n\n\n\n >> Pushed for CI\/CD pipeline security checks and helped establish security-focused collaboration between QA, Dev, and DevOps teams<\/em><\/p>\n\n\n\n >> Used JIRA with severity tags, detailed replication steps, and video proofs for clear communication and faster issue resolution<\/em><\/p>\n\n\n\n After implementing the enhanced security integrations, Riseuplabs has successfully handled the security and penetration risks of Jeeto.Online. Here\u2019s an at-a-glance view of the outcomes of the security and penetration testing of Jeeto.Online conducted by Riseuplabs.<\/p>\n\n\n\n >> Reduced overall vulnerability score by 85% through<\/em> structured remediation<\/em><\/p>\n\n\n\n >> Login tokens and sessions are now securely managed, reducing the risk of session hijacking<\/p>\n\n\n\n >> All input fields are now properly sanitized, blocking SQL injection and other harmful inputs<\/em><\/p>\n\n\n\n >> All user inputs and outputs are encoded, preventing script injection<\/em><\/p>\n\n\n\n >> Unauthorized users can no longer access admin features, even by manipulating URLs or sessions<\/em><\/p>\n\n\n\n >> Transactions are now encrypted, logged, and tamper-proof<\/em><\/p>\n\n\n\n >> Score submissions and leaderboard APIs are protected from tampering or abuse<\/em><\/p>\n\n\n\n >> App now handles crashes or network failures without losing data or breaking functionality<\/em><\/p>\n\n\n\n >> Score and transaction consistency are maintained even during interruptions<\/em><\/p>\n\n\n\n >> Ensured GDPR compliance and safeguarded user trust before going live<\/em><\/p>\n","protected":false},"author":65,"featured_media":52906,"parent":0,"template":"","insight_category":[217],"class_list":["post-52861","insights","type-insights","status-publish","has-post-thumbnail","hentry","insight_category-case-study"],"_links":{"self":[{"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/insights\/52861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/insights"}],"about":[{"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/types\/insights"}],"author":[{"embeddable":true,"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/users\/65"}],"version-history":[{"count":9,"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/insights\/52861\/revisions"}],"predecessor-version":[{"id":57836,"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/insights\/52861\/revisions\/57836"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/media\/52906"}],"wp:attachment":[{"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/media?parent=52861"}],"wp:term":[{"taxonomy":"insight_category","embeddable":true,"href":"https:\/\/riseuplabs.com\/wp-json\/wp\/v2\/insight_category?post=52861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Ensure secure authentication and authorization
Identify and mitigate potential vulnerabilities<\/em><\/p>\n\n\n\nScope of Testing<\/h2>\n\n\n\n
Testing Tools Used<\/h2>\n\n\n\n
Challenges We Faced During Testing<\/h2>\n\n\n\n
<\/strong>Implementing strong authentication without compromising user experience seemed challenging.<\/p>\n\n\n\n
>> Managing session cookies and tokens posed a risk without proper configuration<\/em><\/p>\n\n\n\n
>> Special characters and unusually long inputs exposed weak handling in the backend
>> OTP verification steps were prone to brute-force attempts<\/em><\/p>\n\n\n\n
>> Missing security headers made the browser environment susceptible to Cross-Site Scripting (XSS) attacks<\/em><\/p>\n\n\n\n
>> Sensitive financial data lacked sufficient protection mechanisms<\/em><\/p>\n\n\n\n
>> Score and leaderboard data could be tampered with
>> Real-time updates posed a risk of exposing sensitive information<\/em><\/p>\n\n\n\n
>> Vulnerabilities were sometimes left unresolved before deployment due to fragmented communication across teams<\/em><\/p>\n\n\n\nProblems Identified During Testing<\/h2>\n\n\n\n
Solutions We Have Suggested \/ Implemented<\/h2>\n\n\n\n
Outcomes of this Testing<\/h2>\n\n\n\n