WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting
WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

PtaaS Roadshow Recap: Into the Hacker’s Mind

Cobalt Core members Vanessa Sauter, Derek Carlin, and Andreea Cristina Druga share insights on how to prepare for a pentest, what tools they use to stress test your assets, and the steps they take to check what vulnerabilities you’re susceptible to.

This fall Cobalt launched the PtaaS Exchange, bringing local security experts together across different major cities in the US and Germany.

One agenda item that resonated with audiences in every conference location was our session “Into the Hacker’s Mind: How Attackers Look at Your Application.” Different members of the Cobalt Core — Vanessa Sauter, Derek Carlin, and Andreea Cristina Druga — shared insights on how to prepare for a pentest, what tools they use to stress test your assets, and the steps they take to check what vulnerabilities you’re susceptible to. 

In this blog post, we’ll recap the highlights you might have missed. 

It’s All About Preparation

A successful pentest starts with a clear brief, specific objectives, and information about your application’s functions. Many might argue they want a black-box test to simulate a real attack, but the truth is — as Vanessa Sauter pointed out in her presentation in San Francisco — attackers have no time restraints, whereas pentesters are locked in a time-bound exercise. 

Black-box testing will always be part of a full pentest engagement anyway. Pentesters conduct intensive reconnaissance and will test for enumeration, authentication, and privilege escalation, despite what information is provided in the brief. 

Here’s a breakdown Derek Carlin, Lead Penetration Tester in the Cobalt Core, shared in his presentation: 

MASTER DECK [NYC] PtaaS Exchange (5)

Andreea Cristina Druga explains the reconnaissance process like this: “We’re trying to determine the organization’s network architecture, the operating systems they are running, what applications they have. We’re trying to find more information about their users, about their employees. We also try to perform DNS and Network reconnaissance, we look at their websites, what they have published, we look at their employees’ social media, trying to find out as many details as possible. And we do email reconnaissance, where we try to gather as many emails as possible from the employees in case social engineering is in scope.”

While testers collect this information, you can accelerate their efforts around more complicated vulnerabilities — think business logic flaws, abuse of exposed credentials, and inadvertent human error — by sharing the following information under an NDA: 

  • Architectural diagrams; 
  • Tech stack information; 
  • Credentials that can be leveraged to attack more sensitive parts of your infrastructure; 

With this, pentesters can more accurately capture risk for a wider attack surface, making your pentest that much more valuable. Read more about best practices on preparing for a pentest in Vanessa's latest white paper.

The Pentest is a Cyclical Process 

In Boston and New York, Derek talked about the steps he and other Cobalt Core members take throughout the pentest process. The first key takeaway: “Penetration testing is not a linear process — it’s more cyclical.”

MASTER DECK [NYC] PtaaS Exchange (6)

Here’s what he means: there will be a lot of flow mapping of the application in the enumeration and exploitation phases. He’ll look into data flow, and when clients provide diagrams in advance, he can confirm from an external perspective where he sees things are going, or rather…where they shouldn’t be. 

After a first review, he’ll move to iteration #2 and repeat a lot of the process’s steps, targeting more specific items. For example, if he’s testing input injection and Cloudflare blocks him on his first try, that’s a good sign. But in round #2, he’ll go back and try to bypass that defense to check if there’s a more complex vulnerability in place. 

“My end goal for the whole engagement is to make you guys better.” 

 

What Pentesters Find

Injection Attacks

Andreea shared this breakdown of the vulnerabilities she sees most often, many of which are referenced in the OWASP Top 10: “Some of the most common findings are Cross-Site Scripting and SQL Injections. There’s also Command Injection, which we don’t observe as often, but once it comes up, it’s pretty dangerous.”

Print Version MASTER DECK [Berlin] PtaaS Exchange

 

Broken Access Control

The most common vulnerability under this category is IDOR (Insecure Direct Object Reference). Andreea explained it like this: “Let’s imagine that you have registered on a website, and when you go to change your profile settings, you notice a URL such as vulnerable.app/userid=5. You can try to change the user ID to something else. Will it allow you to see someone else’s profile, can you do any changes there? This can be prevented by checking the user’s session cookie.”

Misconfigurations 

Andreea noted that Default Credentials are common in internal network assessments, because people tend to think “Oh it’s an internal network, it’s not a problem because it’s not exposed, we can keep “admin” and “adminpassword”, no one is going to get in.” That’s a mistake, as you never really know who else is there with you. Always change the passwords.

File Uploads 

Here it’s important to validate everything your users can upload. For example, if you allow only images, you can say “I’m only checking .jpeg, .png file extensions and that’s it.” But an attacker might upload a .php.jpeg file. To prevent this, check the first bytes of a file, which tell you exactly what file type it is. 

Working collaboratively with the pentesters

Cobalt Core pentesters work together with security teams throughout the engagement, not just to deliver updates, but also to keep the test productive. 

For example, whenever Derek works with a SOC team directly and he’s able to access an application, he’ll work closely with them to see if their alert systems can detect any of his activity. 

But rather than go in and cause unnecessary disruption to the customer’s service, Derek notes document what actions are available to him and other testers without executing anything damaging, so as not to wreak havoc and give the security team more work.

Tools and staying up to date 

Here’s a breakdown of the tools our Cobalt Core presenters shared: 

Essentials

  • BurpSuite: Intermediate proxy and scanning tool, or hackers’ swiss army knife; 
  • SQL Map: Tool to automate SQL Injection checks 
  • Nuclei: A community-powered vulnerability scanner (which Cobalt integrates with!)

Extenders & Scanners 

  • AuthMatrix: Burp extender to test user role privileges
  • CSP Evaluator: Review CSP misconfigurations
  • SSL Labs: Review data in transit

Mobile Testing

  • Mobsf: All-in-one mobile security framework, supports dynamic (runtime) testing
  • Frida: Runtime hooking with mobile application
  • Immuniweb: Static and dynamic testing platform

Network Testing

  • Nmap: Port scan for network discovery and security auditing
  • Metasploit: Verify vulnerabilities and manage security assessments
  • Impacket: Network protocol testing
  • BloodHound: Attack path management solution

To stay abreast of new technologies and threats, pentesters engage with communities that focus on the same language or vertical that they’re focused on. Vanessa will find content on Twitter, Reddit or LinkedIn, or learn from A Cloud Guru.

For readers looking to add more sources to their feeds, Derek shared this list of his favorites:

Untitled

Andreea also highlighted Exploit DB as a great resource where offensive security professionals submit information on new exploits they’ve discovered. 

To get all the details from these pentesters’ presentations, make sure to download Vanessa’s “Into the Hacker’s Mind” white paper or watch Derek’s recording below. 

Back to Blog
About Vasilena Stamboliyska
Vasilena Stamboliyska is a Senior Manager of Content Marketing at Cobalt. She leads content creation for Cobalt’s industry-leading digital resources by aligning closely with internal and external security subject matter experts to bring impactful stories to life. She oversees multiple high-impact content initiatives, including Cobalt's yearly State of Pentesting report, Caroline Wong's latest publication, "The PtaaS Book," and her "Humans of InfoSec" podcast. Vasilena's drive for data-driven and compelling narratives has helped Cobalt share proprietary pentesting data, as well as highlight upcoming challenges in the cybersecurity community and how teams can work to solve them. More By Vasilena Stamboliyska
The Human Side of Security: CISOs Share Their Stories
Three CISOs share how they started, what challenges they faced, and what others can learn from their experiences.
Blog
May 16, 2022
The Fifth Edition State of Pentesting Report: Preview
The State of Pentesting 2023 drops on April 12th — get a taste of the report with this sneak peek, and sign up to receive it in your inbox on launch day.
Blog
Apr 4, 2023
Pentests in Risk Assessments: When, Why, How
Find your vulnerabilities, determine the risk, and outline remediation — pentests can do all of this in support of your risk assessments.
Blog
Feb 14, 2023