Matrix Booking Knowledge Base

Penetration test commentary 2025

This page documents the findings from the latest penetration (pen) test conducted by Cyberis:

  1. Introduction

  2. Moderate risks identified – application and API (web application)

  3. Moderate risks identified – Insight and Sense API

  4. Moderate risks identified – external pen test

  5. Moderate risks identified – AWS cloud configuration

  6. List of Low or Negligible risk findings

Introduction

Cyberis assessed Matrix Booking Limited's externally-facing "Matrix Booking" web application, supporting API, Insight application, and Sense product between 20 and 24 October 2025. Testing took place from both an unauthenticated and an authenticated perspective to establish the potential attack vectors available in each scenario.

Additionally, an AWS cloud review, including a Kubernetes (EKS) configuration audit, was performed to compare security configurations against industry-standard best practice. All test activities, targets and tooling conformed to the scope and methodology authorised by Matrix Booking Limited. Testing took place across both the Production and Integration platforms within Matrix Booking, with the aim of covering both upcoming and currently released software.

It is noted that no Critical vulnerabilities were found during the testing. A single High vulnerability was discovered within the beta version; it was addressed during the test period and re-checked. Cyberis confirmed the remediation as successful, so the finding was marked as resolved within the report and is not included here.

Moderate risks identified – application and API (web application)

  1. Organisational enumeration at login – Moderate

    When a user logs into the portal, the server performs a lookup based on the domain portion of the user's email address. Excessive information is returned, giving different responses to login requests for valid and invalid usernames. This discrepancy in responses allows an attacker to enumerate valid usernames in an automated manner, and then to automate a brute-force login attack against the enumerated accounts.

    Status: RISK ACCEPTED – We have reduced the amount of data returned to the minimum the system requires for normal operation.

  2. Predictable ID – Moderate

    The use of easily guessable or predictable IDs could allow an attacker to extract multiple IDs and then use them to launch further attacks against the application and its users, such as automated scripts to bulk-download files, or attempts to access functionality the user should not have access to.

    Status: RISK ACCEPTED – Matrix Booking accepts the risk: sequential IDs are used across all database tables and are not scoped to a particular client. Knowledge of an ID does not present an identified risk, as additional security controls limit access and require a valid login.
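An added example (not Matrix Booking's code) of the two controls the status above relies on: internal IDs stay sequential, but only opaque HMAC-derived tokens are exposed externally, and every lookup enforces an organisation-level ownership check. The records, organisation names and the server secret are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed records: internal IDs stay sequential across tables, as the
# finding describes; 'org' is the column that access control is keyed on.
BOOKINGS = {
    101: {"org": "acme", "room": "Boardroom"},
    102: {"org": "acme", "room": "Hot desk 7"},
    103: {"org": "globex", "room": "Lab"},
}

# Hypothetical server-side secret; rotating it changes every public ID.
_PUBLIC_ID_KEY = secrets.token_bytes(32)


def public_id(internal_id: int) -> str:
    """Opaque identifier for use in URLs and API responses.

    HMAC of the sequential ID under a server secret: one token reveals
    nothing about its neighbours, so bulk download by incrementing a
    counter is not possible."""
    mac = hmac.new(_PUBLIC_ID_KEY, str(internal_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


# Index from public token to internal ID, built when records are issued.
_PUBLIC_INDEX = {public_id(i): i for i in BOOKINGS}


class NotFound(Exception):
    pass


def get_booking(session_org: str, token: str) -> dict:
    """Object-level authorisation: resolve the token, then require that the
    caller's organisation owns the record. A foreign record gets the same
    'not found' answer as a non-existent one, so its existence is not
    confirmed to the caller."""
    internal_id = _PUBLIC_INDEX.get(token)
    record = BOOKINGS.get(internal_id)
    if record is None or record["org"] != session_org:
        raise NotFound("booking not found")
    return record
```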

Moderate risks identified – Insight and Sense API

  1. Lack of Anti-Automation – Moderate

    There was no anti-automation on the MobiusFlow API endpoints. While APIs are frequently designed to be consumed by legitimate automated tools and processes, they can also be targeted by malicious automated tools with the intention of performing Denial of Service (DoS) against the service or brute-force attacks against the API endpoints.

    Status: RISK ACCEPTED – Rate limiting will be introduced with the future update to the external API. For now the risk is accepted, as separation exists between applications and the load-balancing architecture. We will raise this with the third-party provider (MobiusFlow).

  2. User enumeration at login – Moderate

    The MobiusFlow server provides different responses to requests with valid and invalid usernames at login. API endpoints responsible for authentication sometimes return different error messages depending on the validity of the username; while intended to help legitimate users, this also tells anyone attempting to authenticate whether a username exists.

    Status: RISK ACCEPTED – To be raised with the third-party provider.
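An added example, not code from Matrix Booking or MobiusFlow, covering both this finding and the organisational enumeration finding in the web application section above: a login handler that mirrors the reported response discrepancy, its hardened counterpart that returns one uniform failure and does the same work on every path, and a regression check that detects the discrepancy. The user store, messages and the single salt are constructed.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a low iteration count to keep the example fast; production
    # code would use a slow KDF (argon2/scrypt) with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


_SALT = secrets.token_bytes(16)
# Constructed user store for a single organisation domain.
USERS = {"alice@acme.example": _hash("correct horse", _SALT)}
# Dummy hash compared against when the account is unknown, so the
# unknown-user path performs the same work as the known-user path.
_DUMMY = _hash(secrets.token_hex(8), _SALT)


def login_vulnerable(email: str, password: str) -> tuple:
    """Mirrors the reported behaviour: the response reveals whether the
    organisation domain, then the user, exists before the password matters."""
    domain = email.rpartition("@")[2]
    if not any(u.endswith("@" + domain) for u in USERS):
        return 404, "Organisation not found"
    if email not in USERS:
        return 404, "Unknown user"
    if not hmac.compare_digest(USERS[email], _hash(password, _SALT)):
        return 401, "Incorrect password"
    return 200, "OK"


def login_hardened(email: str, password: str) -> tuple:
    """One status code and one message for every failure; a hash is computed
    and compared on every call so the work done does not depend on the input."""
    stored = USERS.get(email, _DUMMY)
    password_ok = hmac.compare_digest(stored, _hash(password, _SALT))
    if email in USERS and password_ok:
        return 200, "OK"
    return 401, "Invalid email address or password"


def distinguishes_users(login, known_user: str, unknown_user: str) -> bool:
    """Regression check for the test suite: does the endpoint answer
    differently for a known and an unknown account when both supply a
    wrong password?"""
    return login(known_user, "wrong") != login(unknown_user, "wrong")
```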

Moderate risks identified – external pen test

  1. TLS Protocol Version Weaknesses – Moderate

    TLS protocol versions 1.0 and 1.1 were enabled on one of the servers. SSL and TLS are protocols to negotiate secure, encrypted connections to a server. Older versions of the protocols have been deprecated and are no longer recommended for use.

    Status: UNDER REVIEW – This will be resolved with the retirement of the Sense V1 platform this year. The vulnerability is not present in the Sense 2 architecture.

Moderate risks identified – AWS cloud configuration

  1. Kubernetes cluster configuration weaknesses – Moderate

    The Kubernetes cluster within the Matrix Booking production environment is not securely configured in several key areas, resulting in reduced visibility, weakened access controls, and inadequate network isolation within the environment.

    Status: UNDER REVIEW – Investigating an approach to resolve.

  2. Managed policy configuration weaknesses – Moderate

    Several AWS managed IAM policies within the Matrix Booking Production environment were configured with overly broad permissions, allowing access to sensitive identity and access management actions, such as iam:PassRole, sts:AssumeRole, or wildcard permissions across all actions and resources.

    Status: UNDER REVIEW – Investigating an approach to resolve.
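An added example (not Matrix Booking's or AWS's tooling) of a policy-document check for the patterns named in this finding: a statement granting Action "*" on Resource "*", and iam:PassRole or sts:AssumeRole allowed on every resource. It also flags sts:AssumeRole statements that lack an aws:MultiFactorAuthPresent condition, which relates to the cross-account AssumeRole item in the table below. The two policies are constructed and the account ID is a placeholder.

```python
from fnmatch import fnmatch

# Grants that let a principal act as another identity; both are named in the
# finding above and are flagged when allowed on every resource.
SENSITIVE_ACTIONS = ("iam:PassRole", "sts:AssumeRole")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _has_mfa_condition(conditions: dict) -> bool:
    # Typical shape: {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    for pairs in conditions.values():
        for key, val in pairs.items():
            if key.lower() == "aws:multifactorauthpresent" and str(val).lower() == "true":
                return True
    return False

def lint_policy(policy: dict) -> list:
    """Return human-readable findings for one IAM policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        every_resource = "*" in _as_list(stmt.get("Resource", []))
        if "*" in actions and every_resource:
            findings.append(f"stmt {i}: Action '*' on Resource '*' (full admin)")
            continue  # the checks below are subsumed by full admin
        for sensitive in SENSITIVE_ACTIONS:
            # IAM action matching is case-insensitive and '*' is a wildcard.
            if not any(fnmatch(sensitive.lower(), a.lower()) for a in actions):
                continue
            if every_resource:
                findings.append(f"stmt {i}: {sensitive} allowed on every resource")
            if sensitive == "sts:AssumeRole" and not _has_mfa_condition(stmt.get("Condition", {})):
                findings.append(f"stmt {i}: sts:AssumeRole without an MFA condition")
    return findings

# Constructed example policies; the account ID is a placeholder.
EXAMPLE_BROAD = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}]}
EXAMPLE_SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-task"},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/deploy",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
```

Run `lint_policy` over each policy version returned by `aws iam get-policy-version` to reproduce the check against a real account.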

List of Low or Negligible risk findings

| Section in test | Risk name | Risk level | Plan of action |
|---|---|---|---|
| Application and API | Client-side security control | Low | UNDER REVIEW |
| Application and API | Vulnerable third-party libraries in use | Low | UNDER REVIEW |
| Application and API | Inadequate input validation | Low | UNDER REVIEW |
| Application and API | Inadequate session timeout | Low | RISK ACCEPTED – Matrix Booking requires the timeout as set to support the loading of large files; it will be reviewed as part of the future roadmap. |
| Application and API | Insufficient DNS security protections | Low | UNDER REVIEW – This was tested last year and found to be correct. |
| Application and API | Missing content security policy | Low | UNDER REVIEW |
| Application and API | Unvalidated redirect or forward | Low | RESOLVED |
| Application and API | Lack of anti-automation | Low | UNDER REVIEW – The vulnerability refers to rate limiting, which is under constant consideration within the Platform backlog (API enhancements). |
| Application and API | Concurrent logins permitted | Low | RISK ACCEPTED – As designed. |
| Application and API | Error messages disclose information | Low | IN PROGRESS – Work is in progress to suppress the error message body. |
| Application and API | Password history not maintained | Low | UNDER REVIEW |
| Application and API | Timing-based user enumeration | Low | UNDER REVIEW |
| Application and API | User enumeration through account lockout | Low | RISK ACCEPTED – As designed. |
| Insight and Sense API | Inadequate session timeout | Low | UNDER REVIEW |
| Insight and Sense API | Missing content security policy | Low | UNDER REVIEW |
| Insight and Sense API | Concurrent logins permitted | Low | RISK ACCEPTED – As designed. |
| AWS cloud configuration | S3 bucket configuration | Low | UNDER REVIEW |
| AWS cloud configuration | Root account without hardware MFA | Low | RISK ACCEPTED – The AWS root account is not used for any operational or administrative purposes. Root access is locked down with a strong password and software MFA enabled. Hardware MFA is not implemented by design, as the account is effectively inactive and all administrative actions are performed via IAM roles with MFA enforced. The residual risk is therefore minimal and accepted. |
| AWS cloud configuration | CloudTrail configuration weaknesses | Low | UNDER REVIEW |
| AWS cloud configuration | DKIM not enabled | Low | RISK ACCEPTED – Not controlled via Matrix Booking. No change required. |
| AWS cloud configuration | EKS configuration weaknesses | Low | IN PROGRESS – V1.33 pending release. |
| AWS cloud configuration | Inadequate password policy | Low | UNDER REVIEW |
| AWS cloud configuration | Inline policies configured | Low | UNDER REVIEW |
| AWS cloud configuration | Lack of access key rotation | Low | UNDER REVIEW |
| AWS cloud configuration | Lack of master key rotation | Low | UNDER REVIEW |
| AWS cloud configuration | Cross-account AssumeRole policy lacking MFA | Low | UNDER REVIEW |
| AWS cloud configuration | Drop invalid header fields disabled | Low | UNDER REVIEW |
| AWS cloud configuration | Overly permissive network access control lists | Low | RISK ACCEPTED – Required, as we have a small network used only by our own applications. |
| AWS cloud configuration | Overly permissive security group rules | Low | RISK ACCEPTED – The security groups identified as overly permissive are only applied to resources within our internal AWS network. They are not attached to any externally-facing services or resources with public IP addresses, and the associated VPCs do not have direct routes to the public internet. |
| AWS cloud configuration | AWS unused entities | Negligible | UNDER REVIEW |