In Louisville, Kentucky next month at Derbycon, Daniel Crowley and I will be giving our presentation Vulnerability Spidey Sense - Demystifying PenTesting Intuition. The point of the talk will be that little mistakes and small vulnerabilities in a web application can give pointers to an attacker about where to focus their efforts. As penetration testers, we aren’t fortunate enough to have an unlimited amount of time to review the security of an application, yet malicious attackers have as much time as they need to exploit a security hole. By paying attention to detail and focusing our efforts on the places that vulnerabilities are most likely to be found, we can attempt to close the gap between PenTester and attacker.
Here are some examples that might indicate further vulnerabilities in an application.
Weak password policies and security questions
Allowing users to choose weak passwords can allow an easy brute-forcing opportunity for an attacker; and weak security questions, such as prompting for the user’s birthday, can be discovered through basic investigation into a user through social media. However, bad policies such as these can also indicate that the developer of an application does not understand some security best practices, and could lead to other findings deeper in an application.
Test pages and default content
Before moving an application over to production, all test pages and default content (the phpinfo page, for example) should be removed from the web server. Default pages can be used to reconnaissance an application, and in some cases even provide additional functionality that may be useful to an attacker. Test pages that were created during the development process, even if their function doesn’t prove useful to an attacker, may not be help to the same level of scrutiny from a security perspective that other portions of the application are held, providing a useful gap in the applications security for an attacker to exploit. Finding these items may also indicate that there is additional content to be found if examined carefully.
Seeing an application that is written in ASP, or is running on IIS 5 or 6 should set off immediate warning bells during a penetration test. Seeing old technology that is still in use can be a strong indication that an application is vulnerable to old or well-known vulnerabilities. Experience or a little research can help you find well documented vulnerabilities and instructions for how to exploit them.
By watching for indicators such as these, a PenTester can more easily prioritize their tests and focus on the aspects of a system that are most vulnerable. Daniel and I will be discussing these, and many other warning signs that an application is ripe for an attack, this year at Derbycon.