Application Penetration Testing
Expansion of Webapps, Mobile Apps, and APIs
Applications, and the way we interact with them, have developed over the years; they are no longer just static brochures hosted online. Applications are more complex because of their reliance on user input, third-party libraries, APIs, containers, and more.
Applications have shifted both the business and consumer landscape. Entire corporations are built on selling complex applications that solve common business challenges, while your everyday Joe trusts applications with some of their most sensitive information: photo IDs, credit card numbers, and social security numbers.
Applications will only become more relevant as time goes on, and with that relevance, the attention they receive from cyber criminals will only increase.
X Security Application Pentests - OWASP Top 10
Our application assessment team consists of members who have a deep understanding of applications as well as the tactics, techniques, and processes commonly utilized by today’s cyber criminals. Knowledgeable software developers have adopted what is commonly referred to as the OWASP Top 10 which serves as guidance for identifying the most common application security vulnerabilities. While the OWASP Top 10 provides a good starting point, it doesn’t include more advanced vulnerabilities and business logic flaws. Vulnerability scanners and less knowledgeable pentesters that solely rely on the OWASP Top 10 may miss more subtle and severe findings that can be exploited. That said, software developers who build in checks for the OWASP Top 10 are a step ahead of those who don’t. Below is an overview of the 2021 OWASP Top 10.
A01:2021 - Broken Access Control
When access controls are correctly configured, an application enforces policies that keep users from acting outside of their intended permissions. In other words, the application correctly allows some users to access certain content and functionality while denying that access to others. Broken access controls can lead to unintended information disclosure, the destruction or modification of data, and unintended functionality that may be abused by a user.
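As an added illustration of the two checks an access-control policy has to enforce (this is example code, not the original page's or X Security's), the handler below combines a function-level check (does this role get this action at all?) with an object-level check (does this user own this record?) and denies by default; the users, roles and invoices are constructed sample data.

```python
"""Deny-by-default access control: role permissions plus record ownership.

Added illustration (not the original page's or X Security's code); the
roles, users and invoices below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Function-level policy: which roles may perform which actions (constructed).
ROLE_PERMISSIONS = {
    "customer": {"invoice:read"},
    "support": {"invoice:read"},
    "admin": {"invoice:read", "invoice:delete"},
}

# Object-level data: each invoice belongs to exactly one customer (constructed).
INVOICES = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.50},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


def is_authorized(user: User, action: str, invoice_id: int) -> bool:
    """Return True only if BOTH checks pass; anything unknown is denied."""
    # Vertical (function-level) check: is this action granted to this role?
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    # Horizontal (object-level) check: customers may only touch their own
    # invoices; the support and admin roles are permitted across accounts.
    if user.role == "customer" and invoice["owner"] != user.name:
        return False
    return True


def get_invoice(user: User, invoice_id: int) -> Optional[dict]:
    """Handler that enforces the policy server-side before returning data."""
    if not is_authorized(user, "invoice:read", invoice_id):
        # Same result for 'forbidden' and 'missing', so the response does not
        # reveal which invoice ids exist.
        return None
    return INVOICES[invoice_id]
```

Note that the ownership check runs on the server's copy of the record, never on an owner field supplied by the client.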
A02:2021 - Cryptographic Failures
Cryptographic failures occur when sensitive data isn’t securely stored or transmitted. This has to do with ensuring that your most important data is encrypted when it needs to be and that keys are properly managed.
A03:2021 - Injection
Previously holding the #1 spot from 2010 to 2020, the different forms of injection occur when an attacker supplies malicious input to an application that is then interpreted or executed by the application. This can allow attackers to do what they want with the contents of your database, compromise back-end systems, or attack other users.
A04:2021 - Insecure Design
A new category added in 2021, insecure design is rather vague but shifts the focus to design and architectural flaws that should be identified earlier in the development process. OWASP is adopting the “shift-left” mentality to call for more threat modeling, secure design patterns, and reference architectures.
A05:2021 - Security Misconfiguration
Security misconfigurations are improper server or application configurations that lead to a number of flaws. Examples include incorrect permissions on exposed directories or admin consoles, default credentials left in use, and misconfigured cloud environments.
A06:2021 - Vulnerable and Outdated Components
Vulnerable and outdated components can end up in an application as it is built. Examples include running unpatched servers or depending on vulnerable third-party libraries.
A07:2021 - Identification and Authentication Failures
When a user’s identity, authentication, and session details aren’t properly handled, there may be security risks that can be exploited. Authentication and identification mean proving that you are who you say you are, so attacks that target passwords, keys, or session tokens and allow an attacker to assume a user’s identity fall under this category.
A08:2021 - Software and Data Integrity Failures
New in 2021, this category covers code and infrastructure that doesn’t protect against integrity violations. An example would be an automatic software update that is deployed without verifying the integrity and origin of the new code.
A09:2021 - Security Logging and Monitoring Failures
This category covers problems related to detecting, escalating, and responding to active incidents. Insufficient logging, detection, and monitoring can prevent security incidents from being detected and mitigated.
A10:2021 - Server-Side Request Forgery (SSRF)
SSRF attacks happen when a nefarious actor abuses functionality on the server to make the server read or update internal resources on the attacker’s behalf. These attacks may allow access to systems that shouldn’t be reachable from the internet.
Web Application Pentest Methodology
The importance of a structured and consistent methodology in web application penetration testing cannot be overstated. While every project differs in scope, goals, and the tools required, a consistent methodology ensures thorough coverage of the attack surface. Our team follows a structured process that ensures quality work is performed for every assessment.
Step 1: Information Gathering and Enumeration
The first step that X Security takes when pentesting web applications is to gather and enumerate information about the target; this is also commonly referred to as the reconnaissance phase. This step is critical because it creates a strong foundation of information that can later be used to identify vulnerabilities and attack paths. There are two different forms of reconnaissance in penetration testing:
- Passive Reconnaissance is the process of identifying information without ever directly interacting with the target application. Good examples of passive recon include the use of Google-Fu to enumerate interesting subdomains or reviewing GitHub repos for
- Active Reconnaissance is the process of performing recon that directly pokes and prods the target application. Examples of active recon include fingerprinting the application, generating and analyzing error codes, and scanning for open ports.
Step 2: Threat Modeling
Threat modeling is an essential, yet often overlooked, step in a quality pentest. In this phase, assessors use the information they previously gathered to map out sensitive data, areas of interest, and business logic that they want to explore further. Another critical part of threat modeling is categorizing the different types of data that may be obtained during a pentest in a way that indicates the severity of different findings. Threat modeling helps pentesters understand more than just the technical aspects of findings and allows them to articulate those findings in a way that aligns with the business.
Step 3: Vulnerability Analysis
Once assessors move into the vulnerability analysis stage, they begin to use tools to carefully identify vulnerabilities in the application. Automated tools help identify low-hanging-fruit vulnerabilities before our team shifts to where we spend most of our time: manual analysis and exploitation. We’re often asked what kind of automated tools we use for scanning, and while the answer varies depending on the scope, we do regularly rely on some commercial tools with our own custom-built integrations, such as Burp Suite Pro, Metasploit, and Nessus.
Step 4: Exploitation
In this stage of the penetration test, we begin to safely exploit identified vulnerabilities and misconfigurations to determine what the impact of different findings would be to the business. The exploitation stage allows assessors to better understand how different vulnerabilities would affect the business and ultimately helps the customer prioritize their remediation efforts. This plays a significant role in delivering a quality report that provides actionable next steps to customers. Among other things, below are a few issues that X Security attempts to exploit in a web application pentest.
- Cross-Site Scripting (XSS): A nefarious actor can inject malicious code that is executed in an unsuspecting user’s browser. This may allow the attacker to impersonate the victim, capture their credentials, or even redirect them from the legitimate site to a malicious one.
- SQL Injection: Attackers can interfere with the queries an application makes to its database. This may allow someone to view sensitive data from the database, make modifications to the database, or even delete the database.
- Business Logic Flaws: When design and development teams make incorrect assumptions about how users will interact with the application, this opens up opportunities that may be abused by an attacker. A common example is a ‘business flow bypass’, where it is assumed that all users will be put through a specific process (e.g. a product customization step when making a purchase). A nefarious actor might be able to skip that process, which could generate errors revealing sensitive information.
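The ‘business flow bypass’ from the last item above, as an added example (not the original page's or X Security's code): the flawed handler trusts a client-supplied flag that the customization step ran, while the hardened version keeps the step order on the server and rejects any request that arrives out of sequence; the step names, order and session store are constructed for the example.

```python
"""Server-side workflow state for a purchase flow, guarding against a
'business flow bypass' where a client jumps straight to checkout.

Added illustration (not the original page's or X Security's code); the
step names, their order and the session store are constructed.
"""
from typing import Dict, List

# Required order of steps; the server, not the client, tracks progress.
PURCHASE_FLOW: List[str] = ["select_product", "customize", "review", "checkout"]

# Server-side session store: session id -> steps completed so far.
SESSIONS: Dict[str, List[str]] = {}


class FlowViolation(Exception):
    """Raised when a request arrives out of order or for an unknown step."""


def advance(session_id: str, step: str) -> List[str]:
    """Record `step` for the session only if every earlier step is done."""
    if step not in PURCHASE_FLOW:
        raise FlowViolation(f"unknown step: {step}")
    done = SESSIONS.setdefault(session_id, [])
    if len(done) >= len(PURCHASE_FLOW):
        raise FlowViolation("flow already completed for this session")
    expected = PURCHASE_FLOW[len(done)]  # the next step the server expects
    if step != expected:
        # Reject without echoing internal state to the client; the detail
        # belongs in the server log, not in the error response.
        raise FlowViolation(f"expected {expected!r}, got {step!r}")
    done.append(step)
    return list(done)


def attempt(session_id: str, step: str) -> bool:
    """Convenience wrapper: True if the step was accepted, False if rejected."""
    try:
        advance(session_id, step)
        return True
    except FlowViolation:
        return False


def checkout_unchecked(session_id: str, client_says_customized: bool) -> str:
    """Flawed handler: trusts a client flag claiming the earlier step ran."""
    return "order placed" if client_says_customized else "rejected"


def checkout(session_id: str) -> str:
    """Hardened handler: relies only on the server's own record of progress."""
    advance(session_id, "checkout")  # raises FlowViolation if steps were skipped
    return "order placed"
```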
Step 5: Documentation & Reporting
At the end of every penetration test, clients receive a report documenting the results and providing actionable steps to improve the security of their web application. During this stage, X Security compiles everything from the pentest into a white-labeled report for our MSP partners so that they receive a report ready for immediate delivery. What you’ll receive with the report is outlined below:
- Executive Summary & Strategic Recommendations
- Strengths & Weaknesses
- Technical Documentation: Testing Process & Screenshots
- Actionable Remediation Steps
- Summary Document (Provide to 3rd parties without exposing highly sensitive information)
It’s important to highlight the value of a good pentest report: it helps guide strategic decisions and budgets, it is provided to auditors for compliance and regulatory needs, and it is provided to enterprise customers who require their third-party vendors to perform annual pentests. For the channel community, a quality pentest report that not only looks good but provides actionable steps for both leadership and technical folks is a massive sales and marketing tool.
Step 6: Remediation Testing & Report Updates
Clients ultimately want a clean(er) bill of health. After a client follows the remediation steps outlined in the report, X Security performs a remediation test to ensure not only that all of the previously identified vulnerabilities have been removed, but also that no new vulnerabilities have been introduced during the remediation process. X Security will also reissue an updated report and summary document reflecting the remediated state.
*Remediation testing may have an extra cost. This is determined on a case-by-case basis at the end of the test and depends on the quantity of findings.