Penetration testers: 'As regular users, we could do everything an administrator could do on the web application'

Is it possible to know that a company is secure without penetration testing? How easy is it to hack systems? Why is penetration testing necessary? Consultants Christopher Robberts and Davis Freimanis answer these questions by sharing their experiences working with penetration testing at Omegapoint.

Information security has become an increasing focus and companies are spending more time and resources on preventing data breaches. Yet it only takes a few minutes into a penetration test before vulnerabilities are found that can be a gateway for malicious actors to gain access to entire systems.

Penetration testing is used to find vulnerabilities before malicious actors manage to exploit them. Without performing technical audits of networks, systems or applications, it is difficult to assess the actual security situation of a company, as one cannot be sure that all security holes have been plugged. However, penetration testing can make the company more secure by ensuring that security holes are closed and that resources are focused on prioritising the remediation of the most critical vulnerabilities that can have the most serious consequences.

"The advantage we have as penetration testers is that we get into the mindset of malicious actors. It may be more difficult for a developer building an application to get into the same mindset. It's easy to become secretive when you're working on an application, so it's good to have new eyes looking at security specifically," says Freimanis.

What vulnerabilities are commonly found through penetration testing?

One of the most common vulnerabilities found in web applications is broken access control, which can lead to the exposure of sensitive information to an unauthorised actor. This can happen, for example, by acting as a user without being logged in or by accessing other users' accounts through their unique identifiers.

"An example of broken access control is that we accessed admin pages where we could read customer data, generate our own discount codes and even change the price of all items, which meant we could shop for free. We as regular users could access interfaces that were only meant for administrators. As regular users, we could do everything an administrator could do on the customer's web service," says Christopher Robberts.
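The two failures described above, a user-account lookup that trusts the identifier in the request and an admin page with no role check, written out as an added example beside the fixed handlers. This is illustrative code, not from the article or from any Omegapoint engagement; the session tokens, account records and prices are constructed, and the dictionary-backed "endpoints" stand in for real route handlers. The audit helper at the end shows the check a tester runs against every restricted endpoint with a low-privilege session.

```python
"""Broken access control: vulnerable handlers beside hardened ones, plus a
low-privilege audit that flags endpoints which fail to deny.
Added example; all names and data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data. Account ids are the "unique identifiers" a tester
# would try to enumerate; sessions map a cookie value to the logged-in user.
ACCOUNTS = {
    1001: {"owner": 1, "email": "alice@example.test", "card_last4": "4242"},
    1002: {"owner": 2, "email": "bob@example.test", "card_last4": "1111"},
}
PRICES = {"sku-1": 100, "sku-2": 250}
SESSIONS = {
    "sess-alice": User(1, "user"),
    "sess-bob": User(2, "user"),
    "sess-admin": User(99, "admin"),
}


class Unauthenticated(Exception):
    """No valid session at all."""


class Forbidden(Exception):
    """Valid session, but not allowed to do this."""


def current_user(session_token: str) -> User:
    user = SESSIONS.get(session_token)
    if user is None:
        raise Unauthenticated("login required")
    return user


# --- Vulnerable: authentication is checked, authorization is not -------------
def get_account_vulnerable(session_token: str, account_id: int) -> dict:
    # Only proves that *someone* is logged in. Any user can read any account
    # simply by changing account_id in the request.
    current_user(session_token)
    return ACCOUNTS[account_id]


def set_price_vulnerable(session_token: str, sku: str, price: int) -> int:
    # "Admin page" reachable by every logged-in user: no role check at all,
    # and no validation, so a regular user can set a price of zero.
    current_user(session_token)
    PRICES[sku] = price
    return PRICES[sku]


# --- Hardened: authorization enforced server-side on every request ----------
def get_account(session_token: str, account_id: int) -> dict:
    user = current_user(session_token)
    account = ACCOUNTS.get(account_id)
    # Ownership check: the identifier in the request is never trusted as proof
    # of access. Admins may read any account; everyone else only their own.
    if account is None or (account["owner"] != user.user_id and user.role != "admin"):
        raise Forbidden(f"user {user.user_id} may not read account {account_id}")
    return account


def set_price(session_token: str, sku: str, price: int) -> int:
    user = current_user(session_token)
    if user.role != "admin":
        raise Forbidden("admin role required")
    if price <= 0:
        raise ValueError("price must be positive")
    PRICES[sku] = price
    return PRICES[sku]


def access_control_audit(endpoints: dict, low_priv_token: str) -> list:
    """Call each endpoint that should be restricted with a low-privilege
    session and return the names of those that did NOT deny access."""
    leaks = []
    for name, call in endpoints.items():
        try:
            call(low_priv_token)
        except Forbidden:
            continue  # correct behaviour
        leaks.append(name)  # returned data or performed the action: finding
    return leaks


if __name__ == "__main__":
    restricted = {
        "get_account_vulnerable(1001)": lambda t: get_account_vulnerable(t, 1001),
        "set_price_vulnerable": lambda t: set_price_vulnerable(t, "sku-2", 1),
        "get_account(1001)": lambda t: get_account(t, 1001),
        "set_price": lambda t: set_price(t, "sku-2", 1),
    }
    print("endpoints reachable as bob:", access_control_audit(restricted, "sess-bob"))
```

Running the audit as "bob" reports the two vulnerable handlers and nothing else, which is exactly the evidence a report needs: the request, the session it was made with, and the data or action it should not have reached.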

Other common vulnerabilities found during penetration testing are various forms of code injection, where input from an untrusted source is treated as code or markup rather than as data.

"We were also able to insert a keylogger into a payment system in one mission, which is very critical. Through the keylogger, we were able to send everything a user typed via their keyboard to our server. In this case, when the customer entered their card details, they were sent directly to us," says Davis Freimanis.
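The injection class behind a finding like the one above is script injected into a page through unescaped user input. As an added example, not from the article or the engagement described, here is a minimal page renderer that interpolates an untrusted product review into HTML without escaping, beside the escaped version and a Content-Security-Policy header that stops inline script as a second layer. The review text, page template and header values are constructed; the hostile review only sets the document title, enough to prove the markup was parsed as code.

```python
"""Script injection at the output boundary: unescaped rendering beside
html.escape, plus a CSP check. Added example; inputs are constructed."""
import html
import re

# Constructed untrusted input, as a shop might receive it from a review form.
REVIEW_BENIGN = "Great kettle, boils in 2 minutes & looks good"
REVIEW_HOSTILE = 'Nice <script>document.title="injected"</script>'

PAGE = '<html><body><h1>Reviews</h1><p class="review">{review}</p></body></html>'


def render_vulnerable(review: str) -> str:
    # Raw interpolation: any markup inside the review becomes page markup,
    # so a <script> element in the review runs in every visitor's browser.
    return PAGE.format(review=review)


def render_escaped(review: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser shows
    # the review text literally instead of parsing it as elements.
    return PAGE.format(review=html.escape(review, quote=True))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_element(rendered: str) -> bool:
    """Crude detection used for the check: is there a script element in the
    rendered page? Good enough for a regression test on a template."""
    return SCRIPT_TAG.search(rendered) is not None


def security_headers() -> dict:
    # Defence in depth: even if an escaping bug slips through, a CSP whose
    # script-src lacks 'unsafe-inline' keeps inline scripts from executing.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def csp_allows_inline_script(headers: dict) -> bool:
    """True when the response would let inline script run: no CSP at all,
    or a script-src (falling back to default-src) containing 'unsafe-inline'."""
    csp = headers.get("Content-Security-Policy", "")
    if not csp:
        return True
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        page = renderer(REVIEW_HOSTILE)
        print(f"{name}: script element present = {contains_script_element(page)}")
    print("CSP allows inline script:", csp_allows_inline_script(security_headers()))
```

The escaping belongs at the point where data meets markup (the template), not at input time, since the same review may later be rendered into JSON, an e-mail or a log where HTML entities would be wrong. The CSP check is the kind of thing a scanner can flag automatically; confirming that an escaping gap is actually reachable is the manual step the interview describes.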

How does Omegapoint differ from other penetration testing companies?

What Omegapoint adds is manual testing complemented by tools: we find things that the tools do not find. We sort and interpret the results of the scanning tools, which can otherwise be convoluted and difficult to read, and we can also help the client analyse the root cause of why a particular vulnerability exists.

Another important advantage is that we are not just a penetration testing or security company; we have broad competence, with security-oriented developers within the company whom we can call on for help with assignments. We can identify gaps in our clients' development processes and help them become better developers, with security included from the ground up. The fact that we develop securely is our unique competitive advantage.

"The tools tend to suggest common vulnerabilities and exposures that can be looked at more closely, but they are less good at finding logical errors. It is also important to bear in mind that the automatic scans can often show false positives. It is therefore important to be able to manually confirm the vulnerability the scanners say they have found, to ensure that it is indeed a vulnerability," explains Christopher Robberts.

What does the collaboration with the customer look like during a penetration test?

An initial meeting is held with the customer to review what is to be tested and the scope of the test. After the penetration test, a report is delivered to the customer with the vulnerabilities found, their possible consequences and recommendations on how to fix them. Finally, a closing meeting is held where the report and the vulnerabilities found are reviewed with the customer.

"We try to work very closely with the developers or a technical manager at the customer and keep a continuous dialogue via follow-up meetings. If we find something that we think is critical, we tell the customer immediately so that they can give an assessment immediately and start working on a solution. We try to keep in touch with the customer at all times during the test," explains Davis Freimanis.

What kind of testing do you do most at Omegapoint?

Black box

The tester does not have access to any information about the environment to be tested and does not have a user account or access to the system.

White box

The tester gets access to everything about the environment to be tested, including source code and an authorized user account on the system.

Gray box

The tester receives some information about the system to be tested; a combination of white box and black box testing.

"Definitely white box tests. We assume a scenario where if someone wants to get into a system, they will eventually succeed in doing so. We work for a very limited time, which means we don't have infinite time to get into a system from the outside," explains Christopher Robberts.

In white box testing, testers are granted permissions and added to allow lists so that application firewalls and other security services do not block their traffic. A malicious actor usually has unlimited time and resources and can bypass these protection mechanisms anyway. In white box testing, you want to save time and go directly into the application or system to test what is most important, and secure the inside by seeing what damage can be done, what attack vectors exist and what information can be accessed once already inside the systems.

Why do security breaches occur?

There are many reasons why security breaches occur. One major reason is that security is not treated as a fundamental pillar of the development process, which focuses only on functionality. The human factor is another reason security flaws occur, for example in the form of misconfigurations and logical errors.

"By using new frameworks, many vulnerabilities are fixed automatically, but there is a risk of accidentally configuring something wrong. The libraries used in modern development can also be vulnerable. It can be a new way in for malicious actors to scan the web for the vulnerable components and get in that way," explains Davis Freimanis.

As humans both develop and implement security measures, there will always be a risk that something will go wrong, leading to security breaches. These flaws are what malicious actors want to find and exploit. An automated tool will not be able to find the vulnerabilities that malicious actors are looking for, and this is where penetration testers are necessary. It is only by using the same mindset and methods that a malicious actor uses that it is possible to find the security holes before someone unauthorised does, thus preventing data breaches and the financial losses and brand damage that data breaches can cause.