Updated: Feb 6, 2020
What Pen Tests Reveal: The Top 3 Findings
The hacking industry is alive and well in 2018, and it’s funny how the majority of attack vectors haven’t changed in the past five years. I thought it would be interesting to share information gathered from expert pen testers regarding the top three vulnerabilities uncovered in recently as well as insight into prevention.
10% of the companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought. - Curt Jeppson, Former VP of Information Security at United Online.
The winner… drum roll please… for the most commonly exploitable vulnerability in recent penetration tests:
# 1 – SQL Injection
The runners up were, in this order:
#2 - Cross-site Scripting (XSS)
#3 – Mis-configured Server Settings
No surprises there, right? I have seen these same vulnerabilities since I started interfacing with security clients in 2006. For more insight regarding these vulnerabilities and associated prevention, I turned to long-time friend and associate, Curt Jeppson, Former VP of Information Security at United Online.
With his help, I’ve categorized prevention and insight into these categories as follows:
SQL Injection (SQLi)
If in 20 penetration tests, you are able to successfully exploit a SQLi vulnerability on 2 of them, that means for 10% of the companies assessed, one could steal their ENTIRE database via their web portal. Says Jeppson, "If these numbers are reflective of websites as a whole, that means that 10% of the companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought." No wonder it still ranks as #1 on the OWASP top 10. This makes it #1 on our list too due to the possible damage done and the ease of exploit.
SQLi is easy to fix too. The best way to do this is to use a safe API which provides a parameterized interface or just completely avoids the use of the interpreter. If a parameterized API isn't available, then escape the special characters that are inputted and put in a whitelist of acceptable input. Not a blacklist though, that is too easy to get around.
Cross-site Scripting (XSS)
19 of the 20 penetration performed had one (or many) XSS vulnerabilities - either reflected XSS or stored XSS. These are easy to exploit for hackers, just an email/blog post/clicked link away from compromising a client machine. When a clever hacker pairs an XSS vulnerability with a well- crafted phishing email, he is almost guaranteed to compromise some client PCs and accounts.
Regarding prevention, the recommendation is to escape all untrusted input from a webpage. If your users can input something into a page, then so can a hacker.
The escaped input should also be paired with another whitelist of acceptable input.
Mis-configured Server Settings
This one is so easy to prevent, and yet can cause a lot of damage if in place. Says Jeppson, “Many of the websites I looked at allowed for me to "retrieve" sensitive information through custom crafted URL queries. I had one site that allowed me to browse to protected web content just by inputting some special characters after the URL. Another site allowed for me to see who was logged into the server at the time.” Now there’s a playground for hackers.
Misconfigured server settings are also a quick fix. A repeatable hardening process for all web servers usually catches any problem. The Open Web Application Security Project, or OWASP, has some great guides to configuring a server correctly here: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration.
These top three security fixes, as you can see, are almost banal. They don’t involve expensive hardware or strategies, but they do involve a culture of security, policies, and best practices. In fact, many of these findings come from point-in-time test environments, such as those complying to PCI, vs. organizations trying to establish a long-term information security management system framework or ISMS, like the ISO 27001 standard seeks to do. At least the entities tested had a pen test and fixed the vulnerabilities. This is at minimum an annual best practice!
An ongoing culture of security and establishing and updating/improving InfoSec policies can help to avoid these vulnerabilities in your organization.