Scan For Security carried out a gray-box penetration testing project for a U.S. IT product company that provides consulting and product implementation services. The targets were a web application and a server in a staging environment. The main goal was to try to break in, while also identifying as many vulnerabilities as possible along the way.
About the customer
A United States based company that provides services and solutions (products) for managing IT assets, warranties, licenses, and contract renewal lifecycles.
Aim of the project
This was a complex project: not just a penetration test but also a vulnerability assessment. For vulnerability classification we used the OWASP Top 10, and for testing our own custom-built methodology based on the OWASP Testing Guide.
During this project we found 3 high-severity, 3 medium-severity and several low- and informational-level vulnerabilities.
The high-severity findings were an SQL injection that made it possible to take over the server, and Cross-Site Scripting combined with insecure cookies, through which we successfully hijacked a user session.
This penetration testing project was roughly 20% automated scanning and 80% manual test execution, with additional validation of the results. Why do we validate results?
From our experience, scanners can generate a huge number of false positives that cannot be relied on, so we must validate them through manual testing and exploitation of the issues found.
In the end we sent the customer a detailed final report with clear results. We also support our clients at every step, from project assessment to the remediation plan and fixing the issues based on the report.
Some of the tools used on the project: Vega, dirb, nmap, sqlmap, etc.
Depending on the project we may use open source software as well as custom-built solutions and commercial scanners such as Acunetix, Nessus, solutions from IBM and other vendors.