Record: Improving the Cybersecurity of a Healthcare Application through Proactive Testing

Title:
Improving the Cybersecurity of a Healthcare Application through Proactive Testing
Additional Titles:
Förbättrad Cybersäkerhet av en Hälsovårdsapplikation genom Proaktiv Säkerhetstestning
Publisher Information:
Karlstads universitet, Institutionen för matematik och datavetenskap (from 2013) 2025
Document Type:
Electronic Resource
Availability:
Open access content.
info:eu-repo/semantics/openAccess
Note:
application/pdf
English
Other Numbers:
UPE oai:DiVA.org:kau-105063
1525885752
Contributing Source:
UPPSALA UNIV LIBR
From OAIster®, provided by the OCLC Cooperative.
Accession Number:
edsoai.on1525885752
Database:
OAIster

Further Information

Modern healthcare applications handle highly sensitive data, making security a critical concern. Ensuring that security controls are actually implemented is essential for patient safety and regulatory compliance. This thesis presents a security assessment of a web-based healthcare journal system. The work evaluated many aspects of the application, including role-based access control, authentication, and common web vulnerabilities such as SQL injection, CSRF, and path traversal. Using a gray-box methodology, the system was tested through a combination of manual inspection and automated tools, including Burp Suite, OWASP ZAP, Hydra, and sqlmap. The goal was to identify practical vulnerabilities that could be exploited in real-world attack scenarios. The results showed several vulnerabilities, including broken RBAC enforcement, lack of CSRF protection, and missing HTTP security headers. A custom Python script demonstrated that brute-force login attempts were possible due to the absence of rate limiting or account lockout. No SQL injection vulnerabilities were confirmed, likely due to secure ORM practices in the Java backend. The findings highlight the need for stronger backend validation and stricter session and access management before system deployment. This study also shows the benefits of taking a proactive approach to security by testing the system while it is still in development. Furthermore, the testing contributed to more mature discussions on secure coding and configuration and raised awareness among the team, which was made possible through the strong support of senior management.