Let’s imagine that your company just completed a penetration test and you are left with an assessment report from the vendor with a list of exploits and vulnerabilities to remediate. You are trying to get a full understanding of the report, so you can better determine what the next steps are and how bad (or good) the findings are.
Then, you will have to break the news to your boss. You're not sure exactly what to prioritize in terms of remediation efforts because your penetration testing provider has uncovered several high and medium vulnerabilities which all seem equally important to fix.
We’ve put together some of today’s most common pentest exploits and offer guidance on how to remediate them in an effective manner.
This scenario can be quite daunting but is probably familiar to many of us. After completing a penetration testing assessment, it is important to look at the report from an attacker’s perspective in order to better determine what to focus on first and what can be saved for later.
Having a better understanding of the gaps discovered in your applications or network will help you home in on which findings need to be fixed immediately, given their severity and impact. This should be described in the report to some extent, but it may be unclear which steps should be taken next to fix a vulnerability.
If you and your team have more knowledge on a finding, it should be easier to determine who will fix it, how difficult or easy it will be and how long it will take.
Vulnerabilities come in many different shapes and forms. We’ve put together a high-level overview of the infrastructure and application vulnerabilities that are commonly found in a pentest.
Password attacks are very common in the security industry, mostly because of weak and default passwords. The worst part is that these vulnerabilities are trivial to fix, yet left unfixed they leave a gaping hole. Sometimes an attacker doesn't need to exploit anything or think much about an attack; they can simply use a default or easily guessable password and walk right in the front door.
This category of attacks consists of vulnerabilities on Windows, Linux and any other OS that may be in scope for an assessment. OS vulnerabilities occur when the OS is misconfigured or when the OS itself is out of date and unpatched. Think of Windows Update and how frustrating it can be to maintain your system when it tries to force-close your applications for an update while you're in the middle of work. End users can easily put off OS updates in scenarios like this, which is why there continue to be many viable exploits for them.
Application attacks may occur on either patched or out-of-date software with security holes vulnerable to exploitation. These vulnerabilities may be publicly-known exploits that are available through various resources, or they could be zero-days (meaning they are not known by the vendor and have yet to be published). These types of attacks are common in privilege escalations and pivoting through a network.
These types of findings will be profuse on most pentest reports because it is trivial to find misconfigurations or out-of-date software on a target or network. Patches get released daily, so it only makes sense that organizations will have a hard time always keeping apps up to date on servers and user endpoints. Another common cause is when a golden image is used to create new systems and the applications on the image are out of date because the image isn't maintained.
This subset of attacks includes the prominent SQL and NoSQL injection attacks. These consist of inserting crafted queries or characters into an application, which are then executed on the back-end database server and return a response. Successful attacks can lead to access to or modification of databases, disclosing potentially sensitive information. These types of attacks have come to light in recent years due to their severity and are therefore becoming more difficult to find as systems are patched. Keep in mind that there are still many old systems and databases out there which are vulnerable to these attacks.
XSS is a type of script injection where malicious scripts are executed in a victim’s browser. Malicious scripts are sent to a victim or hidden within a vulnerable application and will execute code upon access.
There are two main types of XSS attacks:
Authentication attacks are extremely common in applications. These attacks relate to access controls around session management for a given user. Brute-forcing is one of the most popular attacks; it lets a malicious actor automate password guessing to gain access to another user's account. Weak and re-used passwords are another factor which attackers can use to easily guess valid passwords.
Attacks that abuse authorization and broken access control vulnerabilities can often disclose unauthorized information or use an unauthorized functionality of an application. The security failure resides in invalid access controls implemented by the application which may be overly-permissive with whoever has authorization to access resources.
These issues are similar to their infrastructure counterparts mentioned above. Security misconfigurations in applications cover a wide range of vulnerabilities that can be exploited by attackers. The impact could be a small information disclosure or a full compromise of the affected system. Some of the issues include verbose error messages, insufficient application security controls, default accounts and much more.
These vulnerabilities cover the use of software, libraries and frameworks which have known vulnerable components and configurations. For example, if a server is using outdated web hosting software, an attacker may be able to take advantage of it if there is a known published vulnerability. Another example is exploiting an outdated version of SSL/TLS, which is notorious for being riddled with big-name vulnerabilities such as Heartbleed and BEAST.
Now that we've gone through an overview of common app and infrastructure vulnerabilities, you are probably wondering how to go about actually fixing them.
There are both big and small answers to this, so we are going to just look at patching around the specific app and infrastructure vulnerabilities for now. If you want to learn more, have a look at our vulnerability management programs.
The most rudimentary way to remediate vulnerabilities uncovered in a pentest would be to check each system and update each affected component individually.
If your scope is small and you don't have the tools to automate this process, then that's fine, and in some cases it may even only be possible to do this manually. Obviously, this is not an efficient process, and software can help automate some of this process for larger organizations.
There are a multitude of patch management applications out there which aid in patch and security deployment automation that can be heavily relied upon in environments of all sizes. There is a popular product called Microsoft System Center Configuration Manager (SCCM) which enables management of Microsoft endpoint systems from a central server. Admins can easily use such tools to control the deployment of patches and updates on all types of systems.
Pentest reports often reveal very specific vulnerabilities that require manual validation and fixing. In these cases, a system may have to manually be accessed to test for a vulnerability and patch it. Depending on the size of your pentest and the number of findings, this could be a laborious effort but is a required step nonetheless. Even though it takes some time, it's important to have a process for testing and verifying a vulnerability and manually patching it.
The #1 priority is to focus on the critical and high-severity findings in the pentest report as they represent the biggest risk and may be more likely to be exploited. Determine the order of priority before moving forward because some issues may be more important to your organization than others.
As a general rule, your penetration testing provider should list the discovered vulnerabilities in order of criticality and priority to your organization.
Password attacks and default passwords should be a high-priority to critical finding as they are easily exploitable and can cause serious damage. Fixing these issues is a matter of defining a password policy within your organization and rolling out the changes to all assets for consistency and full coverage. This is a simple fix which many companies and applications fail to apply due to their lack of knowledge or complacency.
For more information, check out these password policy guidelines.
Fixing both OS and endpoint application vulnerabilities is a matter of patch management. This should occur on a schedule which best suits your organization yet is not too lenient to allow systems to go unpatched for long.
Various tools exist to manage the common operating systems, such as Windows, Linux and others that may be within your organization. It is worth noting that Patch Tuesday is Microsoft's monthly patch release, which occurs on the second Tuesday of every month. Use it as a guideline to base your Windows patching schedule around, so that there is minimal time between Patch Tuesday and the patches being deployed to the affected assets.
Misconfiguration vulnerabilities in applications and operating systems are another common finding in pentest reports and can often require a manual effort to fix. These fixes revolve around locking down an application or OS due to over-exposed services, features or applications.
An application could have issues such as exposed directory listings or default accounts which could both be high or critical findings depending on the information disclosed. An OS with missing security patches or with exposed ports and services is another issue that will require manual validation and remediation.
Exploitation of such issues could be extremely minimal or very detrimental to the confidentiality, integrity and availability of your applications and will require constant testing to be locked down.
Injection vulnerabilities can sometimes be easy to find in an application due to the use of automated pentest tools and sometimes can produce troves of sensitive information to a malicious actor. This is why patching them can be extremely critical to the security and reputation of any organization.
Input validation is the most important control in fixing these flaws. It allows you to sanitize user-supplied data, which may or may not be malicious, so that it is handled safely within the application rather than interpreted as part of a query. These controls help prevent user-supplied data from reaching sensitive application or database servers and querying or modifying data it should not touch.
For more information, have a look at this injection attack prevention cheat sheet by OWASP.
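To make the injection and input-validation points above concrete, here is an added example (not code from the original article) that puts a string-concatenated lookup beside its hardened form. It uses a constructed in-memory SQLite table as a stand-in for the back-end database, and the function and table names are assumptions for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: user input is pasted into the SQL text, so quote
    # characters in the input change the structure of the query itself.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened step 1: bind the value as a parameter. The driver never
    # treats it as SQL, so the input is only ever compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Hardened step 2: validate against an allowlist before the query runs
    # (defense in depth on top of parameter binding).
    if not (username.isascii() and username.isalnum() and len(username) <= 32):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)

def demo() -> tuple:
    # Returns (rows leaked by the vulnerable lookup, rows returned by the
    # parameterized lookup, whether the validated lookup rejected the input).
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed input containing a quote
    leaked = len(lookup_vulnerable(conn, tautology))      # every row
    bound = len(lookup_parameterized(conn, tautology))    # no such user
    try:
        lookup_hardened(conn, tautology)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, bound, rejected

if __name__ == "__main__":
    print(demo())
```

The same pattern (bind parameters, then validate) applies to any driver that supports placeholders; the placeholder syntax varies by database.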
There are additional techniques which can be found within the OWASP cheat sheet on cross-site scripting prevention.
Authentication issues are profuse in many application assessments and can cause great grief.
Authentication to all services, applications, databases and anything else using credentials or access controls should all require proper authentication in a secure manner using encryption. This can revolve around password policies, password management, secure storage of passwords and data, multi-factor authentication, session management controls and much more.
It's important to be extremely diligent when it comes to authentication controls and issues, since there are many exposed features and services within an application that could potentially be taken advantage of.
Application authorization issues can be remediated using access controls and the principle of least privilege. This means that the design of an application or service should only permit users based on the permissions required for the functionalities of their specific role. These controls will prevent users from accessing features or executing functions which they shouldn't have access to.
Much like authentication controls, these require extreme diligence in assessing and controlling access to resources. There are several different types of access controls used for various purposes to suit different business needs. Each company is different and therefore will require their own form of granular access controls.
Fixing application vulnerable components is a matter of upgrading software or migrating from one vulnerable framework to another that is more secure.
A recent and relevant example of this is the perpetual Apache Struts vulnerabilities which have been released in recent months and years. Using vulnerable frameworks in an application can potentially lead to full compromise of the affected assets and further exploitation within the network.
Pro Tip: It is paramount to continuously patch vulnerable components and remove unused or unwanted services which aren't required.
Infrastructure and application vulnerabilities cover a lot of ground within the security management life cycle within pentest and vulnerability reports.
This is especially relevant as organizations continue to grow and are required to scale their applications and programs to stay on top of these daunting issues. Patching is a continuous life cycle that never ends, but it doesn't need to be daunting if the right program or process is in place within your organization.
It is a matter of staying on top of pentest reports and vulnerability assessment findings in a continuous life cycle to prevent attacks from unrelenting hackers.