By: Joul Kouchakji
October 20, 2016
Pentesting vs. Vulnerability Assessment in Typical Application Scenarios
Pentesting vs. Vulnerability Assessment in Typical Application Scenarios: Analogies, Differences, Failures & Opportunities

1. Introduction

The growth of internet connectivity has brought a kind of confusion to several e-commerce industries, as many of the critical vulnerabilities that caused serious damage to their systems were identified as web application vulnerabilities. These security breaches are found by conducting penetration testing or a vulnerability assessment (scanning). Security holes in web applications may lead to theft of confidential data, modification of information, or even loss of availability of the web application. The vulnerabilities discussed here are Cross-Site Scripting, SQL injection, Cookie/Session Poisoning, Buffer Overflow, and Security Misconfiguration. The two terms penetration testing and vulnerability assessment are then described; both are systematic security analyses of information systems. Vulnerability assessment is an automated approach that can run tests at any time from anywhere and looks for known vulnerabilities, while penetration testing is the process of finding a system's weaknesses and exploiting them through manual or automated testing of the computer system. Showing the differences between pen-testing and vulnerability assessment gives companies a wider view and makes it more convenient to choose the type of test they need in order to measure their security level. A specific pen-testing tool (Metasploit) is also presented; it is easier to use than other tools because of its features and the built-in tools that provide a variety of services to testers. Finally, the growth of web application exposures may lead security professionals to different views and improvement ideas about the tools they use to conduct their tests, in order to close security holes and give systems a high level of security in the future.

2. Web Application Vulnerabilities

Web application threats are not based only on URL attacks, a particular port, worms, viruses, or known security breaches in application servers, but on security holes in the applications themselves. Web applications can be compromised from anywhere in the world by attackers who target these vulnerable applications. This paper briefly describes some of the most significant vulnerabilities in web applications.
- SQL Injection: SQL injection is one of the most dangerous web application vulnerabilities. It allows attackers to manipulate and submit SQL queries in order to retrieve sensitive information from the back-end database. The information accessed by attackers can lead to serious problems, as they can create, update, alter, read, or delete data stored in the database.
- Cookie/Session Poisoning: Web applications use cookies to simulate a stateful experience for the user. This attack provides attackers with sensitive credentials, and cookies can easily be modified to gain unauthorized access to another user's identity.
- Buffer Overflow: Buffer overflow vulnerabilities dominate the field of remote network penetration vulnerabilities and have been the most common vulnerability of the past ten years. The attack writes beyond the bounds of a memory buffer in order to compromise an application. Moreover, this can lead to a more threatening action that allows a hacker to upload malicious executable code to the server, as in the case of Slammer.
- Security Misconfiguration: This vulnerability can occur at any level of the application stack, including the application server, platform, web server, custom code, and framework, if the entire stack is not configured properly (EC-Council, 2013). It is important to choose a secure configuration to prevent an attacker from tampering with application files and to be able to deal with possible vulnerabilities (e.g. files without access permissions, firewalls with an incomplete rule set, or weak user account passwords) (CPNI, 2008).
- Planning and Preparation: For a penetration test to succeed, the planning and preparation phase is the most critical part of the test process. It is also vital to keep all information obtained during the test confidential.
- Information Gathering: In this step, an analysis of the different areas of the target system or network is required, such as the physical and logical areas, in order to collect all available information about the discovered vulnerabilities. This information builds the knowledge needed to act in the next step of testing. This phase can be conducted with different tools, such as Nmap, Nikto, Nessus, Metasploit, etc.
- Vulnerability Analysis: An analysis is performed on the information gathered in the previous step to determine which vulnerabilities may exist in the web application. Several classes of vulnerability are examined in this step, for instance web server vulnerabilities, input-based vulnerabilities, authentication vulnerabilities, and function-specific vulnerabilities.
- Exploiting Vulnerabilities: After analysing and determining the vulnerabilities that may exist in the application, the testers should have gained good knowledge of and ideas about the targeted areas that will be exploited. However, knowing that a vulnerability exists does not mean that it can be easily exploited. Therefore, the quality of a penetration test depends primarily on the creativity of the tester's approach.
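The SQL injection item in the vulnerabilities list above describes attackers manipulating the query that reaches the back-end database. The following added example (written for this page, not code from the article) puts a string-concatenated login query next to its parameterized form against a constructed in-memory SQLite table, so the difference in how each treats the same input can be observed directly; the table contents and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample database for the demonstration (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # User input is pasted into the SQL text, so the input can change the
    # structure of the query: this is the SQL injection flaw.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username, password):
    # Placeholders ship the values separately from the SQL text; the database
    # treats them as data and never as query syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def demo():
    conn = make_db()
    good = ("alice", "s3cret")
    # A username that turns the rest of the concatenated query into a comment,
    # so the password check disappears in the vulnerable version only.
    bad = ("alice' --", "anything")
    return {
        "vuln_good": login_vulnerable(conn, *good),
        "vuln_bad": login_vulnerable(conn, *bad),
        "safe_good": login_parameterized(conn, *good),
        "safe_bad": login_parameterized(conn, *bad),
    }
```

The parameterized version still authenticates the genuine credentials but returns no row for the crafted username, which is exactly the behaviour a vulnerability scanner or pentester checks for when probing input-based flaws.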
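The Cookie/Session Poisoning item above notes that a cookie can be modified to take over another user's identity. As an added example (not from the article), the code below issues an HMAC-signed session cookie and shows that a copy whose payload has been edited client-side is rejected on read; the secret key, session fields and helper names are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Placeholder server-side secret (constructed for the example, not from the article).
SECRET_KEY = b"replace-with-a-random-server-secret"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(session: dict) -> str:
    # Cookie format: <base64 payload>.<base64 HMAC-SHA256 over the payload>.
    payload = b64(json.dumps(session, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64(sig)

def read_cookie(cookie: str):
    # Returns the session dict only if the signature verifies, otherwise None.
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None  # unsigned or malformed cookie
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(unb64(sig), expected):
        return None  # payload no longer matches the signature
    return json.loads(unb64(payload))

def tampered_copy(cookie: str, **changes) -> str:
    # Simulates a client editing the stored payload while keeping the old signature.
    payload, sig = cookie.rsplit(".", 1)
    session = json.loads(unb64(payload))
    session.update(changes)
    return b64(json.dumps(session, sort_keys=True).encode()) + "." + sig

def demo():
    original = issue_cookie({"user_id": 42, "role": "user"})
    edited = tampered_copy(original, user_id=1, role="admin")
    return read_cookie(original), read_cookie(edited)
```

Without the signature check, the same edited cookie would be accepted at face value, which is the condition the article describes as session poisoning.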