Project Information
- Client Name: CargoLink Logistics Pvt. Ltd.
- Industry: Logistics & Supply Chain Management
- Service Provided: API Security Audit + Web VAPT
- Duration: 5 Days
API Security Testing for CargoLink Logistics Pvt. Ltd.
ZDShield began by analyzing all exposed API endpoints, including shipment tracking APIs, warehouse inventory APIs, route assignment APIs, and dashboard analytics modules. Using Burp Suite Pro, Postman collections, JWT analyzers, and custom fuzzing scripts, the team performed deep manual testing to identify flaws in authentication, authorization, rate limiting, and input validation. Parallel testing was conducted on the web portal to uncover issues in access control and session management.
The assessment revealed ten significant vulnerabilities, three of which posed critical risk. The most serious issue was Broken Access Control in the shipment tracking API: an authenticated user could change the tracking ID parameter in a request and retrieve shipment data belonging to other businesses, because the server never checked that the shipment belonged to the caller's tenant. Another critical finding was a JWT replay vulnerability, where previously issued tokens remained valid after logout until their expiry. Additionally, the route assignment APIs had no rate limiting, leaving the platform susceptible to bot-based manipulation and potential disruption of logistics planning.
Had these issues been left unresolved, attackers could have viewed confidential shipment information, interfered with delivery routes, scraped inventory data, or caused delays across the logistics chain. Such incidents could have cost CargoLink significant financial losses and damaged its relationships with partner businesses.
ZDShield collaborated with the CargoLink engineering team to implement strong security measures. Strict server-side authorization checks were enforced across all tracking and inventory APIs, preventing cross-tenant access. JWT tokens were reconfigured with shorter expiration periods and invalidation on logout. Rate limiting was introduced using gateway-level throttling rules, and all sensitive API responses were sanitized to avoid data leakage. The web portal was hardened with improved session handling, updated frameworks, and security headers.
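The two critical API fixes described above, the tenant-scoped authorization check on the tracking endpoint and token invalidation on logout, can be illustrated with a small example. This is added illustrative code, not CargoLink's or ZDShield's implementation; the shipment records, tenant names and tracking IDs are constructed, and the token is modelled as its claim set only (the signed JWT envelope and the shared revocation store a real deployment would use are assumed, not implemented).

```python
import time
import uuid

# Constructed sample data: two tenants' shipments keyed by tracking ID (not real CargoLink data).
SHIPMENTS = {
    "TRK-1001": {"tenant": "acme-freight", "status": "in transit"},
    "TRK-1002": {"tenant": "globex-cargo", "status": "delivered"},
}

# Revoked token IDs (jti). In production this would be a shared store (e.g. Redis)
# whose entries expire at the token's own exp time, so the denylist stays small.
REVOKED_JTI = set()


def issue_token(subject, tenant, ttl_seconds=900):
    """Issue the claim set of a short-lived access token (signing/encoding omitted here)."""
    now = int(time.time())
    return {"sub": subject, "tenant": tenant, "jti": str(uuid.uuid4()),
            "iat": now, "exp": now + ttl_seconds}


def logout(token):
    """Invalidate the token on logout so a replayed copy is rejected before it expires."""
    REVOKED_JTI.add(token["jti"])


def token_is_valid(token, now=None):
    """A token is usable only if it is unexpired AND its jti has not been revoked."""
    now = int(time.time()) if now is None else now
    return token["exp"] > now and token["jti"] not in REVOKED_JTI


def get_shipment_insecure(token, tracking_id):
    """Pre-fix pattern: caller is authenticated, but the tracking ID is trusted as-is,
    so any valid user can read any tenant's shipment (the Broken Access Control finding)."""
    if not token_is_valid(token):
        return None
    return SHIPMENTS.get(tracking_id)


def get_shipment(token, tracking_id):
    """Hardened handler: valid, unrevoked token AND the shipment must belong to the caller's tenant."""
    if not token_is_valid(token):
        return None
    shipment = SHIPMENTS.get(tracking_id)
    if shipment is None or shipment["tenant"] != token["tenant"]:
        # Identical response for 'missing' and 'not yours' so tracking IDs cannot be enumerated.
        return None
    # Return only the fields the caller needs; the tenant attribute is not echoed back.
    return {"tracking_id": tracking_id, "status": shipment["status"]}
```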
Following the remediation, ZDShield conducted a complete retest and confirmed the elimination of all critical and high-severity issues. CargoLink immediately experienced more stable API performance, reduced unauthorized traffic, and consistent tracking data across their workflows. Their leadership team appreciated the improved reliability and security of the platform and signed a quarterly API testing agreement with ZDShield to maintain ongoing protection.
