Penetration tests have always been confused with vulnerability scans, but even penetration tests vary greatly, and it can be difficult for an organization to determine whether they’re getting a quality test. Poor penetration tests are often the result of focusing on systems and vulnerabilities instead of the target organization. “Hack Harder™: Going Beyond Highs, Mediums and Lows”
One of the best ways to test your information security posture is to simulate realistic attacks through a penetration test. Penetration testing is designed to test the information security of the technologies and systems in place at your organization, identifying vulnerabilities that can lead to a data breach or security incident. “Test the Security of Your Information Systems: A Penetration Testing Case Study”
The hacking industry was alive and well in 2015, and it’s funny how the majority of attack vectors haven’t changed in the past five years. I thought it would be interesting to share information gathered from expert pen testers regarding the top three vulnerabilities uncovered in 2015 as well as insight into prevention.
The winner… drum roll please… for the most commonly exploitable vulnerability in 2015 penetration tests:
- SQL Injection
- Cross-site Scripting (XSS)
- Misconfigured Server Settings
No surprises there, right? I have seen these same vulnerabilities since I started interfacing with security clients in 2006. I’ve categorized prevention and insight into these vulnerabilities as follows:
SQL Injection (SQLi)
If in 20 penetration tests, you are able to successfully exploit a SQLi vulnerability on 2 of them, that means for 10% of the companies assessed, one could steal their ENTIRE database via their web portal. If these numbers are reflective of websites as a whole, that means that 10% of the companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought. No wonder it still ranks as #1 on the Open Web Application Security Project (OWASP) top 10. This makes it #1 on our list too due to the possible damage done and the ease of exploit.
SQLi is easy to fix too. The best way to do this is to use a safe API which provides a parameterized interface or just completely avoids the use of the interpreter. If a parameterized API isn’t available, then escape the special characters that are inputted and put in a whitelist of acceptable input. Not a blacklist though, that is too easy to get around.
Cross-site Scripting (XSS)
19 of the 20 penetration performed had one (or many) XSS vulnerabilities – either reflected XSS or stored XSS. These are easy to exploit for hackers, just an email/blog post/clicked link away from compromising a client machine. When a clever hacker pairs an XSS vulnerability with a well- crafted phishing email, he is almost guaranteed to compromise some client PCs and accounts.
Regarding prevention, the recommendation is to escape all untrusted input from a webpage. If your users can input something into a page, then so can a hacker.
The escaped input should also be paired with another whitelist of acceptable input.
Misconfigured Server Settings
This one is so easy to prevent, and yet can cause a lot of damage if in place. Many of the websites I looked at allowed for me to “retrieve” sensitive information through custom crafted URL queries. I had one site that allowed me to browse to protected web content just by inputting some special characters after the URL. Another site allowed for me to see who was logged into the server at the time.
Misconfigured server settings are also a quick fix. A repeatable hardening process for all web servers usually catches any problem. The OWASP, has some great guides to configuring a server correctly here: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration.
These top three security fixes, as you can see, are almost banal. They don’t involve expensive hardware or strategies, but they do involve a culture of security, policies, and best practices. In fact, many of these findings come from point-in-time test environments, such as those complying to PCI, vs. organizations trying to establish a long-term information security management system framework or ISMS, like the ISO 27001 standard seeks to do. At least the entities tested had a pen test and fixed the vulnerabilities.
An ongoing culture of security and establishing and updating/improving InfoSec policies can help to avoid these vulnerabilities in your organization.
Have questions about Penetration Testing?
Contact our Pen Test professionals at firstname.lastname@example.org or call 888-702-5446.
By: Gene Geiger, Partner of A-LIGN Security and Compliance Services
A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project. I would like to outline the purpose of the two projects and when you would select each. “Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?”