This fall Cobalt launched the PtaaS Exchange, bringing local security experts together across different major cities in the US and Germany.
One agenda item that resonated with audiences in every conference location was our session “Into the Hacker’s Mind: How Attackers Look at Your Application.” Different members of the Cobalt Core — Vanessa Sauter, Derek Carlin, and Andreea Cristina Druga — shared insights on how to prepare for a pentest, what tools they use to stress test your assets, and the steps they take to check what vulnerabilities you’re susceptible to.
In this blog post, we’ll recap the highlights you might have missed.
It’s All About Preparation
A successful pentest starts with a clear brief, specific objectives, and information about your application’s functions. Many might argue they want a black-box test to simulate a real attack, but the truth is — as Vanessa Sauter pointed out in her presentation in San Francisco — attackers have no time restraints, whereas pentesters are locked in a time-bound exercise.
Black-box testing will always be part of a full pentest engagement anyway. Pentesters conduct intensive reconnaissance and will test for enumeration, authentication, and privilege escalation, despite what information is provided in the brief.
Here’s a breakdown Derek Carlin, Lead Penetration Tester in the Cobalt Core, shared in his presentation:
Andreea Cristina Druga explains the reconnaissance process like this: “We’re trying to determine the organization’s network architecture, the operating systems they are running, what applications they have. We’re trying to find more information about their users, about their employees. We also try to perform DNS and Network reconnaissance, we look at their websites, what they have published, we look at their employees’ social media, trying to find out as many details as possible. And we do email reconnaissance, where we try to gather as many emails as possible from the employees in case social engineering is in scope.”
While testers collect this information, you can accelerate their efforts around more complicated vulnerabilities — think business logic flaws, abuse of exposed credentials, and inadvertent human error — by sharing the following information under an NDA:
- Architectural diagrams;
- Tech stack information;
- Credentials that can be leveraged to attack more sensitive parts of your infrastructure;
With this, pentesters can more accurately capture risk for a wider attack surface, making your pentest that much more valuable. Read more about best practices on preparing for a pentest in Vanessa's latest white paper.
The Pentest is a Cyclical Process
In Boston and New York, Derek talked about the steps he and other Cobalt Core members take throughout the pentest process. The first key takeaway: “Penetration testing is not a linear process — it’s more cyclical.”
Here’s what he means: there will be a lot of flow mapping of the application in the enumeration and exploitation phases. He’ll look into data flow, and when clients provide diagrams in advance, he can confirm from an external perspective where he sees things are going, or rather…where they shouldn’t be.
After a first review, he’ll move to iteration #2 and repeat a lot of the process’s steps, targeting more specific items. For example, if he’s testing input injection and Cloudflare blocks him on his first try, that’s a good sign. But in round #2, he’ll go back and try to bypass that defense to check if there’s a more complex vulnerability in place.
“My end goal for the whole engagement is to make you guys better.”
What Pentesters Find
Andreea shared this breakdown of the vulnerabilities she sees most often, many of which are referenced in the OWASP Top 10: “Some of the most common findings are Cross-Site Scripting and SQL Injections. There’s also Command Injection, which we don’t observe as often, but once it comes up, it’s pretty dangerous.”
Broken Access Control
The most common vulnerability under this category is IDOR (Insecure Direct Object Reference). Andreea explained it like this: “Let’s imagine that you have registered on a website, and when you go to change your profile settings, you notice a URL such as vulnerable.app/userid=5. You can try to change the user ID to something else. Will it allow you to see someone else’s profile, can you do any changes there? This can be prevented by checking the user’s session cookie.”
Andreea noted that Default Credentials are common in internal network assessments, because people tend to think “Oh it’s an internal network, it’s not a problem because it’s not exposed, we can keep “admin” and “adminpassword”, no one is going to get in.” That’s a mistake, as you never really know who else is there with you. Always change the passwords.
Here it’s important to validate everything your users can upload. For example, if you allow only images, you can say “I’m only checking .jpeg, .png file extensions and that’s it.” But an attacker might upload a .php.jpeg file. To prevent this, check the first bytes of a file, which tell you exactly what file type it is.
Working collaboratively with the pentesters
Cobalt Core pentesters work together with security teams throughout the engagement, not just to deliver updates, but also to keep the test productive.
For example, whenever Derek works with a SOC team directly and he’s able to access an application, he’ll work closely with them to see if their alert systems can detect any of his activity.
But rather than go in and cause unnecessary disruption to the customer’s service, Derek notes document what actions are available to him and other testers without executing anything damaging, so as not to wreak havoc and give the security team more work.
Tools and staying up to date
Here’s a breakdown of the tools our Cobalt Core presenters shared:
- BurpSuite: Intermediate proxy and scanning tool, or hackers’ swiss army knife;
- SQL Map: Tool to automate SQL Injection checks
- Nuclei: A community-powered vulnerability scanner (which Cobalt integrates with!)
Extenders & Scanners
- AuthMatrix: Burp extender to test user role privileges
- CSP Evaluator: Review CSP misconfigurations
- SSL Labs: Review data in transit
- Mobsf: All-in-one mobile security framework, supports dynamic (runtime) testing
- Frida: Runtime hooking with mobile application
- Immuniweb: Static and dynamic testing platform
- Nmap: Port scan for network discovery and security auditing
- Metasploit: Verify vulnerabilities and manage security assessments
- Impacket: Network protocol testing
- BloodHound: Attack path management solution
To stay abreast of new technologies and threats, pentesters engage with communities that focus on the same language or vertical that they’re focused on. Vanessa will find content on Twitter, Reddit or LinkedIn, or learn from A Cloud Guru.
For readers looking to add more sources to their feeds, Derek shared this list of his favorites:
Andreea also highlighted Exploit DB as a great resource where offensive security professionals submit information on new exploits they’ve discovered.
To get all the details from these pentesters’ presentations, make sure to download Vanessa’s “Into the Hacker’s Mind” white paper or watch Derek’s recording below.