18 Sep, 2023

Pentest Case: Project Safety Assessment

In a cybersecurity landscape where new threats and vulnerabilities emerge every day, penetration testing plays an important role in securing organisations. Simulating real attacks identifies weaknesses in systems and applications before attackers find them.

What lessons can be drawn from such an engagement? To answer that, let us look at a case study that shows what can lurk in an organisation's networks and applications.

Customer Request

We would like to ask you to perform penetration testing of our information infrastructure in order to improve the security of our information systems. We have full confidence in your cyber security expertise and are confident that you will be able to perform this task to the highest standard.

Testing Requirements

Scope of Testing 

Testing should cover our web applications, internal networks, and mobile applications.

Vulnerability Discovery

Authentication and authorisation vulnerabilities

This includes weak passwords, insufficient authentication and access control issues.

Web server and application vulnerabilities

This can include vulnerabilities in the web server itself (e.g., misconfigurations) and vulnerabilities in application code.

Data leakage and data storage vulnerabilities

Data breaches, including improper storage, transmission, or processing of sensitive data.

Operating system and network infrastructure vulnerabilities

Problems related to the operating system, network settings, firewall misconfigurations, and other network aspects.

Vulnerabilities in third-party libraries and components

Many applications use third-party libraries and components that may also contain vulnerabilities.

Vulnerabilities in administrative interfaces

Vulnerabilities related to the administrative interfaces of applications or systems.

Physical Vulnerabilities

Related to the physical security of servers and infrastructure.

Penetration Testing 

We are interested not only in vulnerability identification but also in determining how far attackers could potentially advance if they attempted an attack.

Documentation

Please provide a comprehensive report, including descriptions of identified vulnerabilities, their risks, potential consequences, and recommendations for remediation.

Risk Assessment

Conduct a risk assessment to help us prioritize the mitigation of vulnerabilities effectively.

Key Criteria

Timelines

Specify the expected timeframe for conducting the penetration testing and the deadline for report submission.

Attack Authorization

We grant permission to employ any methods and tools for attacks but request that actions which could disrupt system functionality be avoided.

The pentesting process

SQL Injection: Identifying Weak Points

As we analysed the project, we uncovered a SQL injection vulnerability. One search form in the application accepted arbitrary user input and used it to build database queries; because the input was not handled safely, it was susceptible to SQL injection. We submitted the following payload as the search term:

    ' OR (SELECT COUNT(*) FROM information_schema.tables) > 0--


The subquery counts the tables listed in the system view information_schema.tables, a number that is greater than zero on any database, so the injected condition is always true. The search returned results it should not have, which shows that our input was being evaluated as part of the SQL statement (a boolean-based injection). The usual confirmation is to pair such a payload with an always-false condition (for example "< 0") and compare the two responses; note that on MySQL the closing comment must be followed by a space ("-- "). In a real attack this foothold could be extended to enumerate the schema and extract data.
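To make the mechanism concrete, the following added example (written for this page, not code from the engagement) reproduces the finding against a constructed SQLite database: a search built by string concatenation beside its parameterised replacement, probed with an always-true and an always-false condition. SQLite has no information_schema, so the payload is adapted to its catalogue table sqlite_master; that substitution, the product table and the search terms are all assumptions for the demo.

```python
import sqlite3

# Constructed sample database standing in for the application's backend.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products (name) VALUES ('keyboard'), ('mouse'), ('monitor');
    """)
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # String concatenation: the user's input becomes part of the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Parameterised query: the input is bound as data and never parsed as SQL.
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return [row[0] for row in rows]

# Boolean-based probe pair. sqlite_master plays the role of
# information_schema.tables (assumption: SQLite has no information_schema).
# The trailing space after "--" is what MySQL requires; SQLite accepts it too.
TRUE_PROBE = "' OR (SELECT COUNT(*) FROM sqlite_master) > 0 -- "
FALSE_PROBE = "' OR (SELECT COUNT(*) FROM sqlite_master) < 0 -- "

def confirms_injection(search) -> bool:
    # Neither probe is a real product name, so a safe search returns nothing
    # for both. Only an injectable search answers the two probes differently.
    conn = build_db()
    true_rows = search(conn, TRUE_PROBE)
    false_rows = search(conn, FALSE_PROBE)
    return true_rows != false_rows

if __name__ == "__main__":
    print("vulnerable search injectable:", confirms_injection(search_vulnerable))
    print("parameterised search injectable:", confirms_injection(search_safe))
```

The vulnerable search returns every product for the always-true probe and nothing for the always-false one; the parameterised search returns nothing for both, which is exactly the response difference a tester looks for.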

XSS: Cross-site scripting attack

A critical cross-site scripting (XSS) vulnerability was also discovered. The vulnerable points were form input fields whose values were reflected into the page without encoding, so an attacker could inject scripts that run in the browser of anyone viewing the page. We demonstrated how such an attack can leak sensitive data and manipulate user sessions using the following payload:

    <img src='x' onerror='alert("This website is vulnerable to XSS")'>

An XSS vulnerability allows an attacker to inject malicious JavaScript code into a web page that is executed in the browser of other users who open the page. This can lead to a variety of attacks such as session stealing, malicious script injection, redirection to fraudulent sites, and more.

To address this critical vulnerability, we proposed the following measures: validating input, encoding output according to the context in which it is inserted (HTML body, attribute, JavaScript, URL), and deploying a Content Security Policy (CSP) that disallows inline scripts and event handlers.
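The following added example (not code from the original report) shows the difference between reflecting the page's payload raw and encoding it for the context it lands in, plus a sample CSP header. The render functions, the input names and the CSP value are assumptions chosen for the demonstration; the application's real templates are not on the page.

```python
import html

# The payload from the report, reflected as a search term (constructed input).
PAYLOAD = "<img src='x' onerror='alert(\"This website is vulnerable to XSS\")'>"

def render_vulnerable(term: str) -> str:
    # Reflects the raw term into the page: the <img> becomes a real element and
    # its onerror handler runs in every visitor's browser.
    return f"<p>Results for: {term}</p>"

def render_safe(term: str) -> str:
    # HTML body context: escaping & < > " ' turns markup into inert text.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def render_attribute_safe(term: str) -> str:
    # Quoted attribute context (e.g. pre-filling the search box): the quote
    # characters must be encoded too, otherwise the value can break out of the
    # attribute and add an event handler. quote=True handles both " and '.
    return f'<input name="q" value="{html.escape(term, quote=True)}">'

# Hypothetical CSP for this application (assumption, not the customer's policy):
# no inline scripts or handlers, scripts only from the site's own origin.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
)

def contains_live_markup(rendered: str) -> bool:
    # Does the payload survive as a tag? Encoded output contains "&lt;img" instead.
    return "<img" in rendered

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attribute_safe('" onmouseover="alert(1)'))
    print(*CSP_HEADER, sep=": ")
```

Encoding is done at output time, per context, rather than by stripping characters from input: the same value may be safe in one context and dangerous in another, and a CSP as above is a second layer that stops an inline handler from executing even if an encoding is missed.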

CSRF: Protection against Cross-Site Request Forgery

During our security analysis, we also identified a critical cross-site request forgery (CSRF) vulnerability. Some forms did not protect against CSRF, which allows an attacker to trigger actions on behalf of an authenticated user who merely visits a page the attacker controls.

We demonstrated working CSRF attacks and showed how an attacker can drive a user's account into performing actions the user never intended. To counter this threat, we recommended CSRF defences such as per-session anti-forgery tokens included in every state-changing request.

Example CSRF Attack: For clarity, let us provide an example of a CSRF attack that we used:

    <form action="https://example.com/change-password" method="POST">
      <input type="hidden" name="new-password" value="malicious-password">
      <input type="submit" value="Change Password">
    </form>
    <!-- submits the form as soon as the page loads, so no click is needed -->
    <script>document.forms[0].submit();</script>

In this case, an attacker hosts a page containing a hidden form that submits a password-change request to the target site as soon as the page loads. If the victim is logged in to that site, the browser attaches their session cookie to the cross-site request, and because the endpoint required neither an anti-forgery token nor the current password, the victim's password is changed without their consent.
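The following added example (written for this page, not the customer's code) models the password-change endpoint twice: once checking only the session, as the vulnerable form above relies on, and once with a synchroniser token and a current-password check. The in-memory session store, the user names and the field names are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed session store: session id -> {"user": name, "csrf": token}.
SESSIONS: dict = {}

def login(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    # One unpredictable anti-forgery token per session (synchroniser token pattern).
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for_form(sid: str) -> str:
    # The legitimate page embeds this in a hidden field. A page on another
    # origin cannot read it, so a forged form cannot include the right value.
    return SESSIONS[sid]["csrf"]

def change_password_vulnerable(sid: str, form: dict, passwords: dict) -> bool:
    # Only the session cookie is checked. The browser attaches that cookie to a
    # cross-site POST automatically, so the attacker's form succeeds.
    session = SESSIONS.get(sid)
    if session is None:
        return False
    passwords[session["user"]] = form["new-password"]
    return True

def change_password_safe(sid: str, form: dict, passwords: dict) -> bool:
    session = SESSIONS.get(sid)
    if session is None:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return False
    # Re-authenticating the sensitive action is an independent second defence.
    if form.get("current-password") != passwords.get(session["user"]):
        return False
    passwords[session["user"]] = form["new-password"]
    return True

# The forged form from the report carries only the field the attacker controls.
FORGED_FORM = {"new-password": "malicious-password"}

def simulate(handler) -> str:
    # Victim "alice" is logged in when the attacker's page loads; returns the
    # password stored after the forged request is processed.
    passwords = {"alice": "correct horse"}
    sid = login("alice")
    handler(sid, FORGED_FORM, passwords)
    return passwords["alice"]

if __name__ == "__main__":
    print("vulnerable endpoint ->", simulate(change_password_vulnerable))
    print("protected endpoint  ->", simulate(change_password_safe))
```

Setting the session cookie with SameSite=Lax or Strict is a useful additional layer, since most browsers will then omit the cookie from a cross-site POST, but the token check should not depend on it.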

Clickjacking: The Covert Threat

We also examined the application for clickjacking. We found that its pages could be loaded inside a frame on a third-party site, which lets an attacker place invisible or misleading elements over the real interface so that users unknowingly click buttons and perform actions they did not intend.

To confirm the risk, we built a test page that framed the application beneath a transparent overlay. To protect against clickjacking, we recommended sending an X-Frame-Options header (DENY or SAMEORIGIN) and the equivalent Content-Security-Policy frame-ancestors directive; JavaScript frame-busting scripts can be added as a fallback but are bypassable and should not be the only control.

Missing Required Headers: Strengthening Communications Security

We also identified that the application's HTTP responses lacked standard security headers, such as Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options. Without them the browser does not enforce the protections those headers provide, leaving users more exposed to downgrade, content-sniffing, framing and script-injection attacks. The CQR team recommended that the appropriate headers be added to every response.
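As an added example serving both the clickjacking and the missing-headers findings above (it is not the original report's tooling), the following script takes a captured set of response headers, reports which expected headers are missing, decides whether the page can be framed, flags version banners and insecure cookie attributes, and produces a hardened header set. The observed headers are constructed; the required baseline is an editor's choice, not the customer's policy.

```python
# Constructed response headers, modelled on what a scan might return.
OBSERVED = {
    "Server": "Apache/2.4.29 (Ubuntu)",   # hypothetical banner
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
}

# Baseline expected on an HTTPS application (assumption: editor's choice).
REQUIRED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",                                    # clickjacking
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def missing_headers(headers: dict) -> list:
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED if h.lower() not in present]

def framing_allowed(headers: dict) -> bool:
    # Framing is blocked by X-Frame-Options DENY/SAMEORIGIN or by a CSP
    # frame-ancestors directive restricted to 'none' or 'self'.
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return False
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources and all(s in ("'none'", "'self'") for s in sources):
                return False
    return True

def version_disclosure(headers: dict) -> list:
    # A banner with a version number lets an attacker match known CVEs to the host.
    findings = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name, "")
        if any(ch.isdigit() for ch in value):
            findings.append(f"{name}: {value}")
    return findings

def cookie_findings(headers: dict) -> list:
    # Session cookies should be Secure, HttpOnly and carry a SameSite attribute.
    cookie = headers.get("Set-Cookie", "")
    attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]

def hardened(headers: dict) -> dict:
    fixed = dict(headers)
    fixed.update(REQUIRED)
    if "Server" in fixed:
        fixed["Server"] = fixed["Server"].split("/")[0]   # drop the version
    if "Set-Cookie" in fixed:
        base = fixed["Set-Cookie"].split(";")[0]
        fixed["Set-Cookie"] = base + "; Path=/; Secure; HttpOnly; SameSite=Lax"
    return fixed

if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED), ("hardened", hardened(OBSERVED))):
        print(label, "missing:", missing_headers(hdrs),
              "framable:", framing_allowed(hdrs),
              "banners:", version_disclosure(hdrs),
              "cookie:", cookie_findings(hdrs))
```

The checks are deliberately simple string inspections; they are meant to show what each header is for, not to replace a full scanner.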

Detection of Outdated Server Versions: Maintaining Relevance

Lastly, we turned our attention to server components. Our analysis revealed several servers running obsolete versions with publicly known vulnerabilities, making them susceptible to known attacks.

To address this issue, we recommended upgrading the server components and running a regular monitoring process to ensure their continued security.

Insufficient network segmentation

Insufficient network segmentation is a serious information security weakness. It means that an organisation's network is not divided into zones with appropriate access rules between them, so an attacker who compromises one host can move laterally across the network with little resistance.

Pentesters found that the organisation’s network was not sufficiently segmented. This meant that the organisation’s internal network was represented by a single large segment without proper access restrictions.

Exploring the network: Our initial entry point was the installation of a software agent on a single workstation. That access was obtained by exploiting a vulnerability in the network defence system which we uncovered during our research; it gave us remote code execution and therefore control of the device for the purposes of the test.

Propagation within the network: With that workstation under control, our team searched for other devices. Credentials recovered from the compromised machine were reused on other systems, and because no access controls separated hosts from one another, they let us log in to additional computers and servers without encountering any obstacles. This unrestricted movement allowed us to map the network's structure and identify further weaknesses.

Access to sensitive data: As our exploration continued, we achieved a significant milestone by gaining access to a server housing highly sensitive customer data. The absence of effective network segmentation meant that, once a single device had been compromised, we could pivot to this server with ease. This lack of isolation posed a critical risk to data security, highlighting the urgent need for enhanced network protection measures.

Our comprehensive penetration testing identified critical vulnerabilities related to inadequate network segmentation that allow unauthorised access and lateral movement within the network. We recommended that the customer implement proper network segmentation, remediate the identified vulnerabilities, and ensure robust credential management, continuous monitoring, data encryption, and strict access control policies.
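To show why segmentation changes the outcome of the lateral-movement path described above, the following added example (not the engagement's data) models a small network twice: once as the single flat segment that was found, and once divided into zones with explicit allowed flows. It then computes which hosts an attacker starting from a compromised workstation can reach, assuming credential reuse as in the finding. Host names, segments and rules are constructed.

```python
from collections import deque

# Flat network (the finding): one segment, every host can talk to every other.
FLAT_HOSTS = {
    "workstation-17": "users",   # initial foothold
    "fileserver-01": "users",
    "jump-01": "users",
    "crm-db-01": "users",        # sensitive customer data
}
FLAT_RULES = {("users", "users")}

# Segmented design (the recommendation): the database sits in its own zone,
# reachable only from the admin jump host; workstations reach servers only.
SEGMENTED_HOSTS = {
    "workstation-17": "users",
    "fileserver-01": "servers",
    "jump-01": "admin",
    "crm-db-01": "data",
}
SEGMENTED_RULES = {
    ("users", "servers"),    # workstations -> file server
    ("admin", "data"),       # jump host -> database
    ("users", "users"), ("servers", "servers"),
    ("admin", "admin"), ("data", "data"),
}

def reachable_from(start: str, hosts: dict, rules: set) -> set:
    # Breadth-first search: from each compromised host, the attacker can pivot
    # to any host whose segment the current segment may reach. Credential
    # reuse is assumed, so every reachable host counts as compromisable.
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for host, segment in hosts.items():
            if host not in seen and (hosts[current], segment) in rules:
                seen.add(host)
                queue.append(host)
    return seen

def can_reach_sensitive_data(hosts: dict, rules: set,
                             start: str = "workstation-17",
                             target: str = "crm-db-01") -> bool:
    return target in reachable_from(start, hosts, rules)

if __name__ == "__main__":
    print("flat network      :", sorted(reachable_from("workstation-17", FLAT_HOSTS, FLAT_RULES)))
    print("segmented network :", sorted(reachable_from("workstation-17", SEGMENTED_HOSTS, SEGMENTED_RULES)))
    print("db reachable from jump host:",
          can_reach_sensitive_data(SEGMENTED_HOSTS, SEGMENTED_RULES, start="jump-01"))
```

The last line of output is the caveat: segmentation moves the problem to the jump host rather than removing it, so that host needs stronger authentication, monitoring and no reused credentials.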

Insecure APIs

Insecure APIs pose a serious threat to mobile applications and their users' data. If a mobile application talks to its backend through endpoints that lack authentication or validation, an attacker can call those endpoints directly to brute-force passwords, read other users' records, or manipulate data.

Analysing API requests
We started by analysing the API requests sent by the mobile app to the server. We found that some API methods did not require authentication and that submitted data was accepted without sufficient validation.

Uncontrolled access to data
Using these unauthenticated endpoints, we were able to send forged requests, modify user data, and read other users' data without any authorisation. This posed a serious threat to data privacy.

Data modification via APIs
Our team also demonstrated how an attacker could alter another user's data through such an endpoint, for example by changing a shipping address or financial details.

The CQR team recommended implementing authentication and authorisation for all API requests to restrict data access to authorised users and applications only. It is also important to implement data integrity checking mechanisms to prevent data modification via untrusted APIs, and to monitor and log API activity to detect anomalous requests and attacks. Also, encrypt all data transmitted through APIs to prevent malicious users from intercepting and reading the data.
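The following added example (not the customer's API) models the shipping-address endpoint described above in two forms: the unauthenticated version that lets any caller rewrite any order, and a version that authenticates the caller, checks that the order belongs to them, validates the input and logs the outcome. Tokens, users and orders are constructed data; the Bearer-token scheme is an assumption.

```python
# Constructed data: API tokens mapped to users, and orders with their owners.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

def fresh_orders() -> dict:
    return {
        101: {"owner": "alice", "shipping_address": "1 Main St"},
        202: {"owner": "bob", "shipping_address": "9 Harbour Rd"},
    }

class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status

AUDIT_LOG: list = []   # one entry per request, for anomaly detection

def update_address_vulnerable(orders: dict, order_id: int, new_address: str) -> dict:
    # No authentication and no ownership check: anyone who knows (or guesses)
    # an order id can rewrite that order.
    orders[order_id]["shipping_address"] = new_address
    return orders[order_id]

def authenticate(headers: dict) -> str:
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        raise ApiError(401, "authentication required")
    return TOKENS[token]

def update_address_safe(orders: dict, headers: dict, order_id: int, new_address: str) -> dict:
    user = authenticate(headers)                        # who is calling?
    order = orders.get(order_id)
    if order is None:
        raise ApiError(404, "no such order")
    if order["owner"] != user:                          # object-level authorisation
        AUDIT_LOG.append(("denied", user, order_id))   # worth alerting on
        raise ApiError(403, "forbidden")
    if not 1 <= len(new_address.strip()) <= 200:        # input validation
        raise ApiError(400, "invalid address")
    order["shipping_address"] = new_address.strip()
    AUDIT_LOG.append(("updated", user, order_id))
    return order

def status_of(handler, *args) -> int:
    # Runs a handler and returns its HTTP-style status code.
    try:
        handler(*args)
        return 200
    except ApiError as err:
        return err.status

if __name__ == "__main__":
    orders = fresh_orders()
    update_address_vulnerable(orders, 202, "attacker PO box")
    print("vulnerable: bob's order now ships to", orders[202]["shipping_address"])
    orders = fresh_orders()
    alice = {"Authorization": "Bearer tok-alice"}
    print("no token   ->", status_of(update_address_safe, orders, {}, 202, "x"))
    print("wrong user ->", status_of(update_address_safe, orders, alice, 202, "x"))
    print("own order  ->", status_of(update_address_safe, orders, alice, 101, "2 Side St"))
```

The 403 path is the one the report's "access other people's data" finding hinges on: authenticating the caller is not enough, every object lookup must also check that the caller is allowed to touch that object, and the denied attempts should be logged and monitored.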

Conclusion

Penetration testing is a demanding but important practice. This case shows that securing an organisation requires constant updating and adaptation: both internal and external threats proved to be serious, and defences must address both.

Educating employees about cybersecurity, having an incident response plan in place, and working with the global cybersecurity community are also important lessons. We hope our experiences and case studies will help you strengthen your organisation’s security and better understand the complexity and importance of the cybersecurity field.

Remember, cybersecurity is an ongoing process, and only constant vigilance and training will help you protect your data and systems from ever-changing cyber threats.
