Penetration Testing

Wasp

Browser-based applications are the major software platform nowadays, and although that simplifies many stages of their development and, more importantly, their delivery to end users, it also comes with new risks given their enlarged attack surface. Thorough and regular penetration testing of web applications hosted on Internet-connected infrastructure is a necessary piece in the overall puzzle of ensuring the confidentiality, integrity and availability of the information assets processed by these systems.

In addition to the user-facing interfaces - the web front-end systems - there are usually many supporting web and application services which require similar attention and precautions. And even though developers might consider this list complete, there is another area which should not be overlooked: the system services and the overarching network infrastructure underneath the application stack.

Our penetration testing services are built on top of our multi-decade experience with systems and application security and provide valuable insight into possible attack vectors - including how to mitigate the risks found. We are not trying to reinvent the wheel here, and therefore we always use peer-reviewed methodologies like OWASP and OSSTMM, as described below.

The mission here is to prevent any service outages and data breaches by actively defending against the bad actors.

OWASP TOP 10

The Open Worldwide Application Security Project is an industry organization which coordinates many endeavors in the field of information security for networked applications. The most famous is probably the OWASP TOP 10 list of the most common vulnerabilities found in remotely accessible systems.

The current list of such vulnerabilities is as follows:

  1. Cross Site Scripting (XSS).
    A method of penetrating web pages using security flaws in associated scripts (mainly not sanitizing input fields). Using vulnerabilities of this kind, the attacker can inject custom code into the web page and can exploit this ability either to damage the page design or to stop it from working at all. It is also commonly used for gaining unauthorized access to confidential information, for bypassing security measures in general and for criminal activities like phishing.
  2. Injection flaws.
    SQL injection is a method of attacking the database layer of the application by injecting database language code through a non-sanitized input field. This unwanted behaviour emerges on the border between the application and database layers – which are usually two different running programs – and can be prevented by using a proper database abstraction layer which ensures that untrusted data from input fields is properly encapsulated before being sent to the database engine.
  3. Malicious File Execution.
    If the attacker somehow manages to get malicious data onto the application server, this vulnerability allows that data to be executed, opening a whole range of attack vectors.
  4. Insecure Direct Object Reference.
    Vulnerabilities of this class allow the attacker to gain information about distinct database objects of the target application without proper authorization. This also opens the possibility of gaining access to internal system information.
  5. Cross Site Request Forgery (CSRF)
    is a method allowing the attacker to forge a web form on another web site which is then used to send an unwanted request on behalf of the attack victim – a legitimate user of the web site. It is commonly possible to mount this attack by composing an appropriate HTTP request without actually creating any HTML form.
  6. Information Leakage and Improper Error Handling.
    In case of an application error, a proper configuration for displaying debug information is necessary. This class of vulnerabilities allows the attacker to obtain certain system information after causing the application to report an error. An example of this vulnerability would be exposing the full script path after an invalid value is entered into an input field.
  7. Broken Authentication and Session Management.
    Login and subsequent session management are an important part of overall application security. Failure to enforce authentication, or allowing an attacker to steal a legitimate user’s session, may allow unauthorized data access. It is important to pass login credentials securely and to ensure safe storage of session identifiers.
  8. Insecure Cryptographic Storage.
    A broad class of vulnerabilities allowing the attacker to compromise the private key of one or both communicating parties.
  9. Insecure Communications.
    Giving an attacker the opportunity to capture the communication of other parties is a dangerous vulnerability in many applications employing no or weak encryption.
  10. Failure to Restrict URL Access.
    In case the application allows anonymous access to pages that should be available only to authenticated users, a wide range of vulnerabilities can emerge, exposing possibly confidential data or system information.

OSSTMM

The Open Source Testing Methodology Manual, as published by ISECOM, forms a very good basis for any penetration testing project, ranging from single-system applications to large-scale infrastructure vulnerability scanning and analysis.

Although this methodology is one of the more detailed ones in use (the standard is more than 200 pages long), it is well suited to almost all scenarios, and we are well versed in applying it to real-world engagements.

Without a methodology like this, it would be virtually impossible to cover all known aspects of systems security, which is the key to staying a step ahead of the attackers!

Approaches to Testing

Sometimes it is useful to simulate an attacker without any inside knowledge of the system in question - a method usually called black box testing. Sometimes it is necessary - usually for operational reasons - to provide the auditors with detailed information about the system and to coordinate the vulnerability scanning and assessment based on the revealed information, in a process known as white box testing.

And there are cases where a mixed approach is taken: some, but limited, internal information is available to the security auditors, while the methods used still simulate an outside attacker. Such a combination is commonly referred to as grey box testing.

Our experience has taught us that, in order to provide the best results, the approach always has to be chosen individually for each engagement.

Deliverables

As a result of any penetration testing audit, there are always two reports delivered.

Firstly, a detailed technical report is delivered describing the actual vulnerabilities found, their severity and impact, and suggestions on how to mitigate them with technical counter-measures. It is always important to review all the findings, as sometimes the impact of a low-severity problem may be much greater due to the nature of the information assets in question, and vice versa.

Secondly, an executive report for organization management is produced with an assessment of the actual impact of all the findings. Typically, the interpretation of the technical results is as important as the immediate vulnerabilities found in the systems.

When it comes to acting upon the findings, we always try our best to explain the results both to the executive management and to the development and operations teams. There are no silly questions for us - we always answer them all!