Web applications have replaced desktop applications for many organizations. This change has allowed organizations to simplify users' interactions with applications. It also reduces the effort required of information technology teams, as applications are maintained centrally and no longer distributed across workstations. Moving business processes to web applications typically means using commercial off-the-shelf software (COTS) or converting a desktop application into a web application.
Often an organization's web application has unique processes specific to their industry or to the organization itself. At first glance, it may not be easy to see why an application should be tested when it does not contain personally identifiable information (PII) or financial data.
Why should a company have its web application tested?
Code Changes Regularly – Developers have adopted an agile approach to code changes, and a web application's underlying code may have experienced multiple changes within the last month. Changes that only take seconds to make can have big ramifications on the security posture of a web application.
Resilience – While unauthorized access to an organization's data may not mean the loss of PII or financial theft, downtime due to incident response or a cybercriminal intentionally deleting or modifying data can still be costly.
Penetration Testers Think Differently – Penetration Testers think about how applications work differently than developers do. A developer's primary goal when creating a web application is to ensure it is designed to meet the needs of users. A Penetration Tester searches for vulnerabilities built into a web application with the goal of finding ways to disrupt or compromise the organization.
Web Application Compromise Leads to Network Compromise – Recently, the Penetration Testing team at Elliott Davis tested a web application for a client. The team identified a vulnerability in the web application that allowed it not only to take over the application itself, but also to gain access to the underlying operating system. In the right environment, this kind of exploitation can lead to the compromise of an entire network.
We have performed numerous web application tests for organizations of various sizes, and approach testing in four phases:
Information Gathering – Open-Source Intelligence (OSINT) gathering techniques are used to collect information about the application, the web technologies used to build it, and the web server hosting it.
Manual Mapping – The Penetration Testing team tests the application both unauthenticated and authenticated. Testing in this manner produces an initial map of the application, which is then tested with automated scanners in phase three.
Automated Scanning – Automated scanning is performed using industry-leading tools, such as Burp Suite®, to search for the web application vulnerabilities highlighted by the Open Web Application Security Project (OWASP) Top Ten. The OWASP Top Ten lists the web application vulnerability categories that are most common today, most actively exploited by attackers, and most damaging to targeted organizations.
Manual Review – During the final phase, additional manual testing is completed based on the vulnerability scan results, as well as additional information noted by the assessment team. During this phase, our team attempts to exploit identified vulnerabilities to assess the true risk associated with the issues.
No matter your company’s business model or size, our Penetration Testing team can help assess your risk posture and leverage industry-standard penetration techniques to assist you with securing your web application. Our goal is to help organizations identify issues and assist with remediation before cybercriminals attempt a compromise. For more information on web application penetration testing for your organization, contact a member of the Elliott Davis Penetration Testing team below.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
Understanding Automated vs. Manual Penetration Testing
During the scoping process of engagements, we often hear questions such as “what is a penetration test?” and “what does a team of penetration testers actually do?” The most straightforward answer is that we mimic what cybercriminals do to gain access to your network, except we show you what we did to break in and how to defend yourself against it. This process is important because cybercriminals can penetrate 93 percent of company networks[1]. There are two types of penetration test: automated and manual. To get a complete picture of your organization’s security posture, a combination of both testing procedures is recommended. Performing both types of tests will provide the best insights to prevent future issues.
An automated penetration test leverages tools and processes to scan systems for common vulnerabilities. However, it only provides a quick analysis of a website’s or network’s vulnerability status. A fully automated penetration test provides only limited insight into an organization’s threats. "A good penetration tester will use their instincts and, based on the results, may opt to go into testing further in an unexpected direction," said Jon Oltsik, analyst at Enterprise Strategy Group, a division of TechTarget (Pros and cons of manual vs. automated penetration testing, 2022)[2].
Comprehensive penetration tests require time. While automated tools and techniques are used during these assessments, the most impactful findings are uncovered during the manual testing of systems. In fact, automated penetration testing remains limited in function and cannot be deployed for every testing scenario[2]. Expert analysis of penetration testing reports where only computerized tools (automated penetration tests) are used exposes stark limitations in the discovery of vulnerabilities during an assessment. Mimicking the tactics, techniques, and procedures (TTPs) used by cybercriminals is the hallmark of a high-quality, effective manual penetration test.
The Cybersecurity team at Elliott Davis uses the NIST 800-115 standard and the Penetration Testing Execution Standard (PTES) for scoping and executing our services for our customers. These systematic approaches provide the framework for delivering high-quality, effective penetration tests. Our team further differentiates our services with quality customer interaction throughout the engagement. We provide active communication that allows customers to engage with the penetration testers directly, and we alert customers when critical issues arise. Many of our team members have been security practitioners in previous roles, so we know that waiting for a report is the wrong way to deliver this information. We understand the timeliness of critical findings for our customers, and our customers appreciate our ability to relay issues with the proper technical depth for the audience. We invite you to connect with us to learn more about the value we bring to meet your Cybersecurity needs.
Penetration testers may come across a variety of vulnerabilities that need to be addressed in order to strengthen a client’s cybersecurity posture. However, some issues are more common than others. As the Elliott Davis penetration testing team reviewed the web application penetration tests conducted in 2022, we found several common web application vulnerabilities. Our assessment findings are mapped to the Open Web Application Security Project (OWASP) Top Ten. That Top Ten was created by OWASP to highlight the most commonly exploited web application vulnerabilities.
The current list (last updated Fall 2021) is:
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery
The top three findings for web applications that Elliott Davis discovered were the following:
1. Broken Access Control
Broken Access Control can be described as a user having access to content they are not authorized to see. Some of the most common findings related to broken access control were privilege escalation; forced browsing to unauthorized pages, whether authenticated or unauthenticated (often referred to as Insecure Direct Object Reference, IDOR); and unintended user enumeration, where the web application's application programming interface (API) or functionality allows the retrieval of other users' usernames or user information. The image below shows a simple example of broken access control. A user has logged in to their mortgage company's website and is redirected to a loan account with an ID of 1000. By changing the ID to 1001, they find they can navigate to another customer's loan account.
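The loan-account case above, as an added example that is not code from the original article: a lookup handler that trusts the client-supplied ID beside one that checks record ownership against the authenticated session. The account data and the handler names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: loan accounts keyed by the numeric ID seen in the URL.
LOANS = {
    1000: {"owner": "alice", "balance": 250_000},
    1001: {"owner": "bob", "balance": 180_000},
}


class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested record."""


def get_loan_vulnerable(session_user: str, loan_id: int) -> dict:
    """Vulnerable: the record is fetched purely by the client-supplied ID.

    Any authenticated user can step through 1000, 1001, ... and read every loan,
    which is the IDOR pattern described in the text.
    """
    return LOANS[loan_id]


def get_loan_fixed(session_user: str, loan_id: int) -> dict:
    """Fixed: authorization is decided server-side from the record's owner and
    the authenticated session, never from anything the client sent."""
    loan = LOANS.get(loan_id)
    if loan is None or loan["owner"] != session_user:
        # One error for both "no such record" and "not yours", so the response
        # does not reveal which IDs exist (that would enable enumeration).
        raise Forbidden(f"loan {loan_id} is not accessible")
    return loan


def demo() -> tuple:
    """alice asks for bob's loan (ID 1001) through both handlers."""
    leaked = get_loan_vulnerable("alice", 1001)["owner"] == "bob"
    try:
        get_loan_fixed("alice", 1001)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked  # (True, True)
```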
2. Security Misconfiguration
Security Misconfiguration is the situation that arises when a security control is misconfigured, allowing an attacker to bypass it or leverage it to attack the web application. This can happen through misconfiguration of an enabled control or simply by not enabling a security control at all. One example is the lack of a Secure flag on session cookies. The Secure flag can prevent their theft if an attacker finds a way to inject JavaScript into the web application itself. Below is an image of the Elliott Davis website showing a Secure flag set.
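An added check, not from the original article, that parses captured Set-Cookie headers and reports session-like cookies missing the Secure flag (which stops the browser sending the cookie over plain HTTP) or the HttpOnly flag (which stops script in the page reading it). The sample headers and the name heuristic are constructed assumptions.

```python
import re

# Constructed sample Set-Cookie headers, as captured from a test response.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: theme=dark; Path=/",
    "Set-Cookie: csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Assumed heuristic: names that usually carry a session or credential.
SESSION_NAME_HINT = re.compile(r"sess|auth|token|jwt", re.IGNORECASE)


def parse_set_cookie(header: str) -> tuple:
    """Return (cookie name, set of lower-cased attribute names) for one header."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Flag attributes (Secure, HttpOnly) have no "=value"; keyed ones are split off.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def cookie_findings(headers: list) -> dict:
    """Map each session-like cookie to the protective flags it is missing."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not SESSION_NAME_HINT.search(name):
            continue  # a preference cookie without flags is not a finding here
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print(cookie_findings(SAMPLE_HEADERS))  # {'sessionid': ['Secure']}
```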
Another example of a security misconfiguration is development features that are left enabled on APIs after they are deployed into production. One example is the increasingly popular API query language GraphQL; by default, GraphQL has introspection enabled. Introspection grants unauthenticated users the ability to analyze the entire schema of a GraphQL service, which can be especially useful for an attacker who wants to discover what can be queried.
The image below shows a tester performing an introspection request with Burp Professional (a popular tool for web security testing). The server responds by providing the entire schema for the GraphQL service.
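As an added example (not code from the article or from any GraphQL library), a gate that can sit in front of a GraphQL executor and refuse introspection requests in production when the server framework offers no switch for it. It keys on the __schema and __type root fields while leaving the harmless __typename alone; the sample queries are constructed.

```python
import re

# GraphQL exposes its schema through the __schema and __type root fields.
# __typename is a different, harmless field and must keep working.
INTROSPECTION_FIELD = re.compile(r"\b__(?:schema|type)\b")


def strip_strings_and_comments(query: str) -> str:
    """Blank out string literals and # comments so an argument value such as
    search(term: "__schema") is not mistaken for a field selection."""
    query = re.sub(r'"""[\s\S]*?"""', '""', query)          # block strings
    query = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', query)     # ordinary strings
    return re.sub(r"#[^\n]*", "", query)                    # line comments


def is_introspection(query: str) -> bool:
    """True when the query selects an introspection root field."""
    return INTROSPECTION_FIELD.search(strip_strings_and_comments(query)) is not None


def handle_graphql(body: dict, production: bool) -> dict:
    """Assumed pre-executor hook: returns an error document instead of running
    introspection when the deployment is marked as production."""
    query = body.get("query", "")
    if production and is_introspection(query):
        return {"errors": [{"message": "Introspection is disabled in production"}]}
    return {"data": None, "executed": True}  # placeholder for the real executor


# Constructed requests: an introspection probe of the kind a scanner sends,
# an ordinary application query, and a query that only mentions __schema in a string.
INTROSPECTION_QUERY = "query IntrospectionQuery { __schema { types { name fields { name } } } }"
NORMAL_QUERY = '{ customer(id: "C1000") { name loans { id } __typename } }'
STRING_ONLY_QUERY = '{ search(term: "__schema") { id } }'
```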
3. Insecure Design
Insecure Design is a new category that OWASP added to the Top Ten with the 2021 release. This category is intentionally broad, with the goal of helping the industry "shift left" and focus on preventing web applications from being easily exploited before developers even begin coding. This category of vulnerability aligns with business logic flaws. For instance, if Multi-Factor Authentication (MFA) or a web CAPTCHA can be bypassed because of how the authentication flow works, it would be considered a business logic flaw and fall under the Insecure Design category. The open authentication authorization flow below is an example of a customer's custom implementation that could allow unintended access by not validating the data it is sent. In this authorization flow, a customer ID is looked up, and a Secure Messaging Service (SMS) sends a one-time password (OTP) code to the phone number on record. However, when the session token request is made, the server does not validate the customer ID sent with that request. Because of this, an attacker with access to an account can submit any other customer ID together with the OTP code and receive back a valid session token for that other customer's account, thereby bypassing MFA.
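The OTP flow just described, as an added example that is not the customer's code or code from the article: one token endpoint trusts the customer ID in the request, the other binds the OTP challenge to the customer it was issued for. Customer records, the OtpServer class and the session-token format are constructed assumptions.

```python
import hmac
import secrets
from typing import Optional

# Constructed customer records: customer ID -> phone number on record.
CUSTOMERS = {"C1000": "+15550001000", "C1001": "+15550001001"}


class OtpServer:
    def __init__(self) -> None:
        self.pending = {}  # challenge_id -> (customer_id, otp)

    def start_login(self, customer_id: str) -> tuple:
        """Look up the customer, mint an OTP and record which customer it is for.
        The OTP is returned here only so the example runs offline; in the real
        flow it goes to the phone number on record, never back to the client."""
        if customer_id not in CUSTOMERS:
            raise KeyError(customer_id)
        otp = f"{secrets.randbelow(1_000_000):06d}"
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (customer_id, otp)
        return challenge_id, otp

    def token_vulnerable(self, challenge_id: str, customer_id: str, otp: str) -> Optional[str]:
        """Checks the OTP but trusts the customer_id the client sent, so a valid
        OTP for C1000 mints a session for whatever ID the request names."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None or not hmac.compare_digest(entry[1], otp):
            return None
        return f"session-for-{customer_id}"

    def token_fixed(self, challenge_id: str, customer_id: str, otp: str) -> Optional[str]:
        """Binds the session to the customer the challenge was issued for and
        rejects any request whose customer_id does not match that binding."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return None
        bound_id, expected = entry
        if bound_id != customer_id or not hmac.compare_digest(expected, otp):
            return None
        return f"session-for-{bound_id}"


def demo() -> tuple:
    """C1000 completes its own OTP, then the code is submitted with C1001's ID."""
    srv = OtpServer()
    challenge, otp = srv.start_login("C1000")
    hijacked = srv.token_vulnerable(challenge, "C1001", otp)  # "session-for-C1001"
    challenge, otp = srv.start_login("C1000")
    blocked = srv.token_fixed(challenge, "C1001", otp)  # None
    return hijacked, blocked
```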
Do I need a Web Application Penetration Test?
If your organization has a web hosting site or server, including an email server, you are vulnerable to hackers. In a previous article, we discussed why web application testing should be performed regularly. Web applications are living tools that organizations use and push updates to regularly. While web applications may be secure when they are first deployed, changes over time often introduce new bugs. Incorporating manual penetration testing and threat modeling into a company's Software Development Lifecycle (SDLC) before deployment can strengthen its overall security and help avoid some of these common issues.