Penetration Testing

What is Penetration Testing?

A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).

Pen testing can involve the attempted breaching of any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.

Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.

Penetration Testing Stages

The penetration testing (pen testing) process can be broken down into the following stages.

Penetration Testing Methodologies

Web Application Penetration Methodology

To carry out penetration tests, iSec developed a penetration test methodology inspired by the OWASP standards and customized it in order to achieve compatibility with the quality of service required. iSec’s comprehensive method covers the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10, including, but not limited to, injection, cross-site scripting, cross-site request forgery, unvalidated redirects or forwards, broken authentication, session management, security misconfiguration, insecure direct object access, and more. This approach can be summed up

Step One – Discovery:

1. Retrieve the banners of network services and identify the types and versions of software installed on the target. Browse sites in their entirety in order to identify the different pages that are accessible directly (using the links on the main page) and indirectly.

2. Use resource-enumeration tools to identify the service provider and hidden but accessible resources that may contain information relevant to the audit. Identify management and administration services.

3. Use the Internet or internal search services such as search engines to identify all information relevant to the audit (old resources or site structures, discussions on setting up the service in technical forums, configuration information, or user accounts stored on collaborative services such as shared calendars).

Step Two – Vulnerability identification:

The objective of this activity is to identify security loopholes in different components of the network. With the profile of the target network, the security posture of the network segment (as a whole) is evaluated by passively and actively testing all the connection points of the network hosts on that network, and by identifying potential vulnerabilities exposed by these targets.

Broken Access Control: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
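The failure described above is easiest to see in code. The following is an added example, not part of the iSec page or its methodology: an invoice lookup that trusts the identifier supplied in the request (so any authenticated user can read any invoice) beside a version that enforces ownership and denies by default. The user records, invoice data and role names are constructed for the illustration.

```python
"""Added example (not from the iSec page): broken object-level access control
beside an ownership check, run against constructed in-memory data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "admin"


# Constructed sample records: invoice id -> (owner user_id, amount)
INVOICES = {
    1001: (1, 250.00),
    1002: (2, 75.50),
}


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(requester, invoice_id):
    # The invoice id comes straight from the request; nothing ties it to the
    # caller, so any logged-in user can read any other user's invoice.
    return INVOICES[invoice_id]


def can_read_invoice(requester, invoice_id):
    # Policy: an invoice is readable by its owner or by an admin.
    owner_id, _ = INVOICES.get(invoice_id, (None, None))
    if owner_id is None:
        return False
    return requester.role == "admin" or requester.user_id == owner_id


def get_invoice_hardened(requester, invoice_id, audit_log):
    # Deny by default and record the attempt so repeated probing is visible.
    # Unknown ids are also reported as denied rather than "not found", so the
    # response does not reveal which ids exist.
    if not can_read_invoice(requester, invoice_id):
        audit_log.append(f"DENY user={requester.user_id} invoice={invoice_id}")
        raise AccessDenied(f"user {requester.user_id} may not read {invoice_id}")
    return INVOICES[invoice_id]


def demo():
    """Return what each variant does for a cross-user request."""
    alice = User(1, "customer")
    bob = User(2, "customer")
    admin = User(99, "admin")
    log = []

    # Bob asks for Alice's invoice (1001).
    vulnerable_result = get_invoice_vulnerable(bob, 1001)
    try:
        get_invoice_hardened(bob, 1001, log)
        hardened_denied = False
    except AccessDenied:
        hardened_denied = True

    return {
        "vulnerable_leaks_owner": vulnerable_result[0],  # owner id Bob should not see
        "hardened_denied": hardened_denied,
        "owner_allowed": get_invoice_hardened(alice, 1001, log)[1],
        "admin_allowed": get_invoice_hardened(admin, 1002, log)[1],
        "audit_entries": len(log),
    }


if __name__ == "__main__":
    print(demo())
```

The check lives in one function (`can_read_invoice`) that the handler must call, which is what makes the policy auditable during a test: a reviewer can read the policy in one place and look for handlers that skip it.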

Cryptographic Failures: Determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as PCI Data Security Standard (PCI DSS).

Injection: Test all parameters, headers, URLs, cookies, JSON, SOAP, and XML data inputs with hostile data, automating the testing where possible. Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection.
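To make the SQL injection case concrete, here is an added example (not code from the iSec page) showing a user lookup that builds its query by string concatenation beside the parameterized version, plus an allowlist check as defense in depth. It runs against a constructed in-memory SQLite table; the user names, e-mail addresses and username format are assumptions for the illustration.

```python
"""Added example (not from the iSec page): SQL built by concatenation beside
a parameterized query, exercised against a constructed in-memory database."""
import re
import sqlite3

# Constructed sample data for the users table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The input is spliced into the statement, so it can change the query's
    # logic instead of acting as a value to compare against.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # A placeholder binds the input as data; whatever it contains, the
    # statement structure stays "WHERE username = <value>".
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed username format for this example: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn, username):
    # Defense in depth: reject anything outside the expected format before it
    # reaches the database at all, then use the parameterized query.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_safe(conn, username)


def demo():
    """Compare the variants on a constructed hostile input that ends the quoted
    string early and appends an always-true condition."""
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile)),  # whole table
        "safe_rows": len(lookup_safe(conn, hostile)),              # no such user
        "legit_rows": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized form is the fix; the allowlist is not a substitute for it but catches malformed input earlier and gives a clean rejection to log.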

Insecure Design: Insecure design is a broad category covering many different weaknesses, expressed as “missing or ineffective control design.” It is a category of its own, not the source of all the other Top 10 risk categories.

Security Misconfiguration: The application might be vulnerable if appropriate security hardening is missing across any part of the application; unnecessary features are enabled or installed; default accounts and their passwords are still enabled; etc.

Vulnerable and Outdated Components: You are likely vulnerable if you do not know the versions of all the components you use, or if the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

Identification and Authentication Failures: Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
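One control a tester looks for here is whether failed logins are throttled at all. As an added example (not from the iSec page), the block below implements a sliding-window throttle that tracks failures per account (brute force against one user) and per source address (credential stuffing, where one source tries many accounts once each), and replays it over constructed login events. The IP addresses, account names, window and limits are assumptions for the illustration.

```python
"""Added example (not from the iSec page): a failed-login throttle that covers
both per-account brute force and per-source credential stuffing."""
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window counters; assumed limits: 5 failures per account and
    20 failures per source address within 300 seconds."""

    def __init__(self, window_s=300, per_account_limit=5, per_source_limit=20):
        self.window_s = window_s
        self.per_account_limit = per_account_limit
        self.per_source_limit = per_source_limit
        self._by_account = defaultdict(deque)
        self._by_source = defaultdict(deque)

    def _prune(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def record_failure(self, source, account, now):
        self._by_account[account].append(now)
        self._by_source[source].append(now)

    def is_blocked(self, source, account, now):
        qa = self._by_account[account]
        qs = self._by_source[source]
        self._prune(qa, now)
        self._prune(qs, now)
        return (len(qa) >= self.per_account_limit
                or len(qs) >= self.per_source_limit)


# Constructed events: (timestamp, source_ip, account, login_succeeded).
# Addresses are from the RFC 5737 documentation ranges.
EVENTS = (
    # One source trying 25 different accounts once each (stuffing pattern).
    [(t, "203.0.113.5", f"user{t:02d}", False) for t in range(25)]
    # Repeated failures against a single account (brute-force pattern).
    + [(100 + i, "198.51.100.7", "alice", False) for i in range(7)]
    # A normal successful login from elsewhere.
    + [(200, "192.0.2.1", "bob", True)]
)


def replay(events, throttle):
    """Feed events through the throttle; return the attempts it blocked."""
    blocked = []
    for ts, src, acct, ok in events:
        if throttle.is_blocked(src, acct, ts):
            blocked.append((ts, src, acct))
            continue  # blocked attempts are not even checked against credentials
        if not ok:
            throttle.record_failure(src, acct, ts)
    return blocked


def blocked_by_source(events, throttle):
    counts = defaultdict(int)
    for _, src, _ in replay(events, throttle):
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print(blocked_by_source(EVENTS, LoginThrottle()))
```

The per-source counter is what catches credential stuffing: each account sees only one failure, so a per-account lockout alone never triggers. Blocked attempts are also the events worth alerting on, since a legitimate user rarely hits either limit.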

Step Four – Reporting:

The objective of this step is to create a detailed technical report and management executive summary detailing the activities performed and the security vulnerabilities and observations identified on the target operating system environment. The reports are prepared based on the format agreed upon by iSec SBA and the Client. The final report will mainly include the following:

  • Vulnerability name and description.
  • Action performed on the target environment and its result.
  • The root cause of the vulnerabilities identified.
  • Severity rating.
  • Mitigation steps.
  • Effort to fix the vulnerability.

Mobile Application Penetration Methodology

To carry out penetration tests, iSec developed a penetration test methodology inspired by the OWASP standards and customized it in order to achieve compatibility with the quality of service required. iSec’s comprehensive method covers the classes of vulnerabilities in the OWASP Mobile Application Security Project Top 10, including, but not limited

Vulnerability identification:

The objective of this activity is to identify security loopholes in different components of the network. With the profile of the target network, the security posture of the network segment (as a whole) is evaluated by passively and actively testing all the connection points of the network hosts on that network, and by identifying potential vulnerabilities exposed by these targets.

  • Improper Platform Usage: The exposed service or API call is implemented using insecure coding techniques that produce an OWASP Top Ten vulnerability within the server.

  • Insecure Data Storage: Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device’s file system and, consequently, to the sensitive information in data stores on the device.

  • Insecure Communication: Mobile applications frequently do not protect network traffic. They may use SSL/TLS during authentication but not elsewhere. This inconsistency leads to the risk of exposing data and session IDs to interception.

  • Insecure Authentication: Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app.

  • Insufficient Cryptography: In order to exploit this weakness, an adversary must successfully return encrypted code or sensitive data to its original unencrypted form due to weak encryption algorithms or flaws within the encryption process.

  • Insecure Authorization: To test for poor authorization schemes, testers can perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege while the mobile app is in ‘offline’ mode.

Manual vs. Automated Penetration Testing

Our approach consists of approximately 80% manual testing and 20% automated testing – actual results may differ slightly. While automated testing improves efficiency, it is effective only during the initial phases of a penetration test. At ISEC, we believe that an effective and thorough penetration test can only be realized through meticulous manual testing techniques.


IDENTIFY SECURITY FLAWS IN THE ENVIRONMENT.

To perform a comprehensive real-world assessment, ISEC utilizes commercial tools, internally developed tools, and the same tools that hackers use on every assessment. Once again, we intend to assess systems by simulating a real-world attack and leverage the many tools at our disposal to effectively carry out that task.

UNDERSTAND RISK LEVEL FOR YOUR ORGANIZATION.

We consider the reporting phase to mark the beginning of our relationship. ISEC strives to provide the best possible customer experience and service. As a result, our report makes up only a small part of our deliverables. We provide clients with an online remediation knowledge base, dedicated remediation staff, and ticketing system to close the ever-important gap in the remediation process following the reporting phase.
