Inside Penetration Testing

Part II: Navigating Common Vulnerabilities & Challenges

In this second chapter, our pentester will uncover some of the most common vulnerabilities encountered and reflect upon the daily challenges faced during an application pentest. However, this raises the question of whether there are indeed common vulnerabilities, given we discussed the uniqueness of each application in the first part.

The answer is yes. Certain aspects of applications provide pentesters with recurring exploitable flaws. For web applications, the most common vulnerability is IDOR (Insecure Direct Object Reference), which enables an attacker to access, edit, or delete resources belonging to other users or organizations. Another frequently flawed aspect of applications lies in their functionalities, especially file uploading. In most cases, a poorly implemented file upload feature results in a remote code execution vulnerability, allowing the attacker to control the entire website.
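To make the IDOR pattern concrete, here is an added example (not code from the original post or from Spinae): a handler that trusts the object id from the request, beside a hardened version that checks ownership server-side, plus the kind of regression check a pentester or developer would run. The invoice data and user names are constructed for illustration.

```python
"""Added illustration of an IDOR and its fix; framework-free so it runs offline."""

# Constructed sample data: invoices owned by two different users.
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 80},
}


class NotFound(Exception):
    """Raised when an invoice cannot be served to the requesting user."""


def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """IDOR: the id taken from the request is used directly as a lookup key.
    Any authenticated user can read any invoice just by changing the number;
    `user` is never consulted."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_hardened(user: str, invoice_id: int) -> dict:
    """Mitigation: the object is tied to the authenticated user before it is
    returned. A missing invoice and somebody else's invoice both yield the
    same NotFound, so the endpoint does not reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        raise NotFound(invoice_id)
    return invoice


def is_idor_vulnerable(handler, user: str, foreign_id: int) -> bool:
    """Regression check: can `user` read an object they do not own?
    Returns True when the handler hands the foreign object back."""
    try:
        invoice = handler(user, foreign_id)
    except NotFound:
        return False
    return invoice["owner"] != user


if __name__ == "__main__":
    print("vulnerable handler leaks:", is_idor_vulnerable(get_invoice_vulnerable, "alice", 102))
    print("hardened handler leaks:  ", is_idor_vulnerable(get_invoice_hardened, "alice", 102))
```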


For networks, the weak link often lies closer to home – the printer. It frequently serves as an initial gateway for a pentester to access devices. Password reuse, especially of admin passwords on client computers, is another common flaw. When a pentester gains admin access to a device (e.g., through a printer), they will try to retrieve all accessible passwords and start password spraying on other network-connected computers (testing every retrieved password against every reachable computer).

But not every project is as straightforward as it seems. Pentesters can face many challenges when dealing with more secure applications. Standard methods may not work, requiring adaptation. This circles back to the first part, where understanding the application thoroughly was emphasized. Every request will need to be reanalyzed and tested (especially IDORs) to identify as many vulnerabilities as possible. Sometimes, they must look at the application from a different perspective or delve deeper to identify more flaws.

Hard work is essential because each critical find underscores the importance of a pentest. Consider the following examples to illustrate its significance: If a website is not properly secured, an unauthorized person could take control of it, accessing, editing, or deleting its content. Such findings need not be critical; even an IDOR could have severe repercussions. Another example is URL tampering after receiving a fine, where you could allocate the penalty to someone else.

In network pentesting, crucial finds can lead to gaining control over the domain controller. This grants control over every machine connected to the network. When unethical hackers achieve this, it is game over. They can deploy ransomware, making recovery for the company extremely difficult. The financial impact can be devastating.

Final Thoughts

In conclusion, while there are many easy vulnerabilities to exploit, numerous challenges also arise. Ultimately, the company that does not undergo a pentest remains at risk, as its vulnerabilities will eventually be exploited by hostile attackers, rather than being exposed by a pentester.

Spinae Security Specialists Are Here to Help

Relying on the right technology also applies to the companies you cooperate with. At Spinae, we aim to earn your trust by giving you accurate and realistic cybersecurity advice. With our approach and perseverance, we want to show how committed we are to keeping your company secure. Find out more about application pentesting here: IT Security Penetration Tests – Spinae

If you’d like to learn more about cybersecurity or how we can assist your company, feel free to reach out to us: https://spinae.be/contact

About the author

Timo De Clercq is our lead application pentester at Spinae. As a teenager he started developing his own applications and immediately found out that things could be used in other ways than intended when not being careful. He got his degree as Cyber Security Professional at Howest University College Brugge, Belgium and started his professional career as security researcher at Howest University College. He later came on board at Spinae as our lead application pentester. In his free time, he is a bounty hunter on several cyber security bounty hunting platforms.
