CyberLabs #3 – Penetration Testing – Identify flaws before a cybercriminal does

Almost every company has a web application that can be accessed from the Internet. It’s not uncommon for customers to log into their accounts through the same application to make purchases or perform certain actions. So it’s safe to say that these apps are a “collection” of lots of data and cybercriminals will sooner or later try to get to this information. That’s why it’s so important to make sure that our apps are prepared for various types of attempted attacks.

CyberLabs #2 – Password security, the reason why you should create strong passwords

What are pentests?

Penetration testing (or pentests in short) is an activity by which the largest possible number of flaws are found in e.g. web and mobile applications, etc., which can negatively affect the confidentiality, integrity and availability of processed data. To put it simply, these tests involve finding as many errors as possible that a cybercriminal could use to, e.g., take over user accounts, extract information from the database or even take over the server on which the application runs. These tests, therefore, represent a very important point for any company that cares about cyber security.

However, pentests themselves, unlike attacks by cybercriminals, are performed for a specific period of time for a specific range of applications. What is also worth being aware of is that pentest won’t detect all vulnerabilities. One reason for this is the limited time for such tests. Another could be the incomplete range of tests or the emergence of new vulnerabilities previously unknown (e.g. a weaknesses in a particular version of software that our application uses).

Vulnerability classification

It has become assumed that flaws found are classified on a five-point scale. This scale defines the level of threat and the consequences of its use, and the time in which the errors should be fixed.

CRITICAL

A critical vulnerability, the exploitation of a vulnerability classified as critical makes it possible to take full control of a server or a network device. Vulnerabilities that have been marked as critical should be fixed immediately.

HIGH

A vulnerability with a high level of significance, the exploitation of this vulnerability allows access to sensitive information, but beforehand may require certain conditions to be met for practical use. Vulnerabilities classified as “high” should be fixed within a very short time after they are reported.

MEDIUM

A vulnerability with a medium level of significance, the exploitation of this vulnerability may depend on various factors. This vulnerability usually allows access to a limited amount of data or to data of lesser relevance. The fix for this vulnerability does not have to be implemented immediately, but it shouldn’t be postponed either.

LOW

A vulnerability with a low level of significance, the exploitation of this vulnerability has little impact on security or requires very difficult conditions to meet. Fixing this vulnerability can be done when app is updated with, for example, new functionality.

INFO

General recommendations or information, points marked with info level are not security vulnerabilities. They do, however, indicate good practices that, if applied, can increase the overall security level of an application.

Classification of vulnerabilities

However, finding vulnerabilities is a major part of the pentester’s job, but that’s not the only thing the pentester does. After testing, it creates a report in which we can learn what vulnerabilities were found in our applications. Plus, by the end of the description of each vulnerability found, we’ll be able to read recommendations to which, if we follow them, will allow us to eliminate the vulnerability found.

Testing phases

The ways to test an application can vary depending on the methodologies used. Holding to the following phases during testing will help us perform tests more efficiently. Looking at different methodologies, there are several main phases of testing, these include:

• • Defining the scope of testing – a defined scope is a boundary for any ethical tester that cannot be crossed. It’ s during this phase it’s determined what will be tested and how. Choosing the right scope is important for both sides as testing too narrowly may result in critical vulnerabilities not being detected, while testing too widely may result in lack of time to test every place for flaws. If you have a large scope to test, it’s worth considering conducting, for example, two separate pentests.

• • Reconnaissance – one of the most important parts of the attack. It involves searching and gathering as much information as possible about the test scope, which may be useful in a further attack. This can include searching for logins, hidden catalogs, API endpoints, etc. In this phase, too, it is useful to look at how the application works. Also, the extent to which one adheres to this phase can result in number of vulnerabilities found later.

• • Vulnerability search –
    using the information gained in the previous phase, an already actively established range of tests is being tested. At this point, the pentester sends various payloads to the application through which it can determine whether specific vulnerabilities exist in the application.
    

• • Exploitation of vulnerabilities / privilege escalation / data exfiltration – once a vulnerability is found, e.g. SQL Injection vulnerability, the pentester may try to exploit the found vulnerability in order to gain access to the server. At this point, the tester may also try to escalate his privileges or exfiltrate specially prepared data (it’s important to determine during the phase in which we define the scope of testing whether the tester is to perform these actions).

• • Report creation – after testing is completed, each test is summarized with a specially prepared report, in which we can find the listed vulnerabilities that were found and information on how to fix them.

The above phases are only a general “inventory” of each test, and in fact each of the mentioned phases can be broken down into more specific points. Once the vulnerabilities found have been fixed, it’s worth performing a so-called Retest to verify that the vulnerabilities in question have indeed been eliminated.

Penetration testing methodologies and standards

Pentests can be performed according to their own methods, rules or principles however, there are proven methodologies and standards that are widely known among cyber security experts. Four well-known methodologies and standards are outlined below:

• • OWASP TOP 10 – one of the most well-known web application security standards. The document outlines the top 10 categories of security threats / issues related to web applications.
    
    

    OWASP Top 10 is the standard document for developer awareness and web application security

• • OWASP Application Security Verification Standard Project (OWASP ASVS) – The OWASP ASVS document outlines the requirements to which we should comply when implementing, testing or creating documentation for components in web applications. The entire document is not focused on finding vulnerabilities, but only on verifying good practices that result in safe software development.

• • Open Source Security Testing Methodology Manual (OSSTMM) – OSSTMM describes how to secure any IT system, it defines 5 channels that indicate to us the nature of the tests. These tests include physical security and human factors security, among others. In addition, it covers security of wired as well as wireless networks.
    

• • Penetration Testing Execution Standard (PTES) –  The PTES methodology can be described as a mind map for the pentester. Each element briefly describes issues from 7 main sections including: information acquisition, threat modeling, vulnerability analysis, exploitation or reporting.
    

    The goal of PTES is to provide high-quality guidance to help raise the bar for penetration testing quality.

Most common vulnerabilities

Depending on the type of system, application being tested, the types of vulnerabilities may vary. It’ s worth taking care of the application security itself from the earliest moments of software development and not only when it is ” mature “. This is because there is a chance that our software, due to vulnerabilities, won’t be able to be released to the public within the set timeframe, which may be associated with various negative consequences. However, in order to be able to properly secure our applications, we should know which vulnerabilities we have to deal with. Below are some of the most common vulnerabilities in web applications.

• • XSS (Cross-Site Scripting) – using XSS vulnerabilities, an attacker is able to embed malicious JavaScript code into a given application. Depending on the type of XSS, the attacker is able to, for example, modify the appearance of a page, run malware, steal session cookies or create new accounts with administrator privileges.

• • SQL Injection  – using SQL Injection vulnerability (depending on its location) the attacker is able to bypass login panel, extract and modify database. In critical situations, using this vulnerability he’s able to read any file from the server or take over the entire server.

• • CSTI / SSTI (Client/Server-Side Template Injection) – many of today’s applications use a template engine, but not everyone knows that by exploiting this vulnerability we can inject malicious code into the template, which will be executed either on the client or server side. Depending on where the code is executed, we can talk about XSS-like effects (the code executes on the customer’s side) or the attack can even result in a server takeover (the code executes on the server’s side).

• • OS Command Injection – if our application is vulnerable to this flaw, an attacker will be able to execute system commands on the server on which the vulnerable application is running.

• • Path Traversal – with Path Traversal vulnerability, an attacker can read any file from the server (such as configuration files). When accessing application logs, there is a possibility to execute Log Poisoning attack, in which our code is placed in the logs by means of an invalid SSH login (the code is usually placed in the username field). When this file is referenced, the code will be executed

• • Vulnerabilities related to outdated software – many other vulnerabilities can be put under this point, because it really all depends on the vulnerabilities found in the software used. A very important element of a secure system is upgrading the software that our system uses. If for some reason we can’t perform the update, it’s worth considering mitigating vulnerabilities to limit the attack field.
    

• • Vulnerabilities related to improper access control – it’ one of those vulnerabilities where the attacker doesn’t need to know much about hacking. A vulnerability of this type can, for example, occur where we go to our account settings, and in the URL we see an ID for our account. If the application is prone to this vulnerability after changing the ID we will see, e.g., details of another account.

The vulnerabilities above are, of course, only a part of what developers have to deal with because the list of weaknesses is much, much longer….

Penetration testing vs Red Team testing

Penetration tests are focused on finding as many vulnerabilities as possible in the indicated, e.g. web applications. Pentester during such tests sticks “rigidly” to its scope, i.e. to a specific app, and doesn’t link the found vulnerabilities into so-called cyber kill-chains, by means of which sensitive data could be intercepted. Thus, these tests allow to check whether a particular web application is secure, but they do not allow to determine whether an organization is prepared for real cyber threats from hackers. The solution to this problem is Red Team testing.

Red Team tests differ from penetration tests in many ways, the most important differences are:

• • They are not limited to the technology used. Testing is also about the human factor or physical security.

• • They are not about finding as many vulnerabilities as possible just finding the most effective method to break an organization’s security.

• • They are not limited to the indicated web application.

So you can sum up the differences between the tests as follows: penetration testing is a good solution when it comes to finding as many weaknesses as possible in a given system that need to be fixed, while red team testing provides an ideal solution when it comes to a company’s readiness for hacking attacks.

Benefits of Red Team testing:

• • They are the most advanced security tests.

• • Tests are a realistic simulation of cyber threats.

• • They verify the organization’s security features and assess the ability to detect, respond to various incidents.

Pentesting: A Handful of Good Advice

As in previous CyberLabs – all you need to know about cybersecurity series articles, below you’ll find some good tips to increase the level of cyber security in your organization:

• • Remember to conduct regular penetration tests of your applications and infrastructure. Don’t let the tests go if previous tests haven’t found any vulnerabilities. This doesn’t mean that in the meantime, e.g., vulnerabilities haven’t been found in the software you use.

• • Be sure to update the software you use in your application. Often, serious security bugs are created in your application due to the lack of these updates

• • Try not to narrow the scope of the test to a minimum. Using this approach, you may find that a system which is too critical for testing has many serious vulnerabilities. If you can’t test a particular system perhaps you can secure it in other ways. Remember that a cybercriminal will take every opportunity to achieve his goal.

• • During real attacks, human error is often exploited. That’s why phishing is often used in the first phases of an attack. So it’ s worth testing this ” system ” element as well, through, for example, controlled social engineering tests.

Stay secure! 👾

Michał Błaszczak

Pentester

He was supposed to be an architect in the past, but life has made him an ethical hacker. He likes to know how something is built so that it is easier for him to break it later. Daily, he performs penetration testing at Vercom so that all applications are secure and users don't have to worry about their data security. After work, he spends most of his free time developing and acquiring new skills to find vulnerabilities even more efficiently.

See more articles