What Penetration Tests Reveal: The Top 3 Findings
The hacking industry was alive and well in 2015, and it’s funny how the majority of attack vectors haven’t changed in the past five years. I thought it would be interesting to share information gathered from expert pen testers regarding the top three vulnerabilities uncovered in 2015 as well as insight into prevention.
The winner… drum roll please… for the most commonly exploitable vulnerability in 2015 penetration tests:
- SQL Injection
- Cross-site Scripting (XSS)
- Misconfigured Server Settings
No surprises there, right? I have seen these same vulnerabilities since I started interfacing with security clients in 2006. I’ve categorized prevention and insight into these vulnerabilities as follows:
SQL Injection (SQLi)
If in 20 penetration tests, you are able to successfully exploit an SQLi vulnerability on 2 of them, that means for 10% of the companies assessed, one could steal their ENTIRE database via their web portal. If these numbers are reflective of websites as a whole, that means that 10% of the companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought. No wonder it still ranks as #1 on the Open Web Application Security Project (OWASP) top 10. This makes it #1 on our list too due to the possible damage done and the ease of exploitation.
SQLi is easy to fix too. The best way to do this is to use a safe API that provides a parameterized interface or just completely avoids the use of the interpreter. If a parameterized API isn’t available, then escape the special characters that are inputted and put in a whitelist of acceptable input. Not a blacklist though, that is too easy to get around.
Cross-site Scripting (XSS)
19 of the 20 penetration performed had one (or many) XSS vulnerabilities – either reflected XSS or stored XSS. These are easy to exploit for hackers, just an email/blog post/clicked link away from compromising a client machine. When a clever hacker pairs an XSS vulnerability with a well-crafted phishing email, he is almost guaranteed to compromise some client PCs and accounts.
Regarding prevention, the recommendation is to escape all untrusted input from a webpage. If your users can input something into a page, then so can a hacker.
The escaped input should also be paired with another whitelist of acceptable input.
Misconfigured Server Settings
This one is so easy to prevent and yet can cause a lot of damage if in place. Many of the websites I looked at allowed me to “retrieve” sensitive information through custom-crafted URL queries. I had one site that allowed me to browse protected web content just by inputting some special characters after the URL. Another site allowed me to see who was logged into the server at the time.
Misconfigured server settings are also a quick fix. A repeatable hardening process for all web servers usually catches any problem. The OWASP has some great guides to configuring a server correctly here.
Final Recommendations
These top three security fixes, as you can see, are almost banal. They don’t involve expensive hardware or strategies, but they do involve a culture of security, policies, and best practices. In fact, many of these findings come from point-in-time test environments, such as those complying with PCI, vs. organizations trying to establish a long-term information security management system framework or ISMS, like the ISO 27001 standard seeks to do. At least the entities tested had a pen test and fixed the vulnerabilities.
An ongoing culture of security and establishing and updating/improving InfoSec policies can help to avoid these vulnerabilities in your organization.