Pentesting vs. Vulnerability Assessment in Typical Application Scenarios: Analogies, Differences, Failures & Opportunities

1. Introduction
The growth of internet connectivity has brought a degree of confusion to several e-commerce industries, as many of the critical vulnerabilities that have caused them heavy damage have been identified as web application vulnerabilities. These security breaches are found by conducting penetration testing or a vulnerability assessment (scanning). Security holes in web applications may lead to theft of confidential data, modification of information, or even loss of availability of the web application. The vulnerabilities that will be discussed are Cross-Site Scripting, SQL injection, Cookie/Session Poisoning, Buffer Overflow, and Security Misconfiguration. The two terms penetration testing and vulnerability assessment are then described; both are systematic security analyses of information systems. Vulnerability assessment is an automated solution that can run tests at any time from anywhere and looks for known vulnerabilities, while penetration testing is the process of finding a system's weaknesses and exploiting them by performing manual or automated testing on a computer system. Showing the differences between the two gives companies a wider view and makes it more convenient to choose the type of test they need in order to measure their security level. The paper also presents a specific pen-testing tool (Metasploit), which is easier to use than other tools because of its features and the built-in tools that provide a variety of services to testers. Finally, the growth of web application exposures may lead security professionals to a different view of, and improvement ideas for, the tools they use to conduct their tests, in order to close security holes and provide systems with a high level of security in the future.

2. Web Application Vulnerabilities
Web application threats are not based only on URL attacks, a particular port, worms or viruses, or known security breaches in application servers, but on security holes in the applications themselves. Web applications can be attacked from anywhere in the world, with attackers looking for ways to exploit them. This paper briefly describes some of the most significant vulnerabilities in web applications.
- SQL Injection: SQL injection is one of the most dangerous web application vulnerabilities. It allows attackers to manipulate and submit SQL queries to retrieve sensitive information from the back-end database. The access gained this way can lead to serious problems, as attackers can create, update, alter, read, or delete data stored in the database.
- Cookie/Session Poisoning: Web applications use cookies to simulate a stateful experience for the user. Cookies can carry sensitive credentials, and if the client can modify them, an attacker can alter them to gain unauthorized access under another user's identity.
- Buffer Overflow: Buffer overflow vulnerabilities dominate the field of remote network penetration vulnerabilities and have been the most common vulnerability of the past ten years. The attack writes more data into a buffer than it can hold, overwriting adjacent memory in order to compromise the application. It can lead to a more threatening outcome in which an attacker uploads and runs malicious executable code on the server, as in the case of the Slammer virus.
- Security Misconfiguration: This vulnerability can occur at any level of the application stack, including the application server, platform, web server, custom code, and framework, if the entire stack is not configured properly (EC-Council, 2013). It is important to choose a secure configuration to prevent an attacker from tampering with application files, and to be able to address the likely weak points (e.g. files without access permissions, firewalls with an incomplete rule set, or weak user account passwords) (CPNI, 2008).
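An added example (not part of the paper) for the Cookie/Session Poisoning item above, in Python: the unsigned cookie accepts a client-edited role, while the HMAC-signed variant rejects the same edit. SECRET_KEY and the cookie layout are assumptions made for the illustration.

```python
import hmac
import hashlib

# Hypothetical server-side secret; in practice loaded from configuration, never hard-coded.
SECRET_KEY = b"constructed-example-key"

# --- Vulnerable pattern: identity carried in the cookie as plain, unsigned text ---
def parse_unsigned_cookie(cookie: str) -> dict:
    # The server trusts whatever the client sends, so editing "role=user" to "role=admin" works.
    return dict(part.split("=", 1) for part in cookie.split(";"))

# --- Hardened pattern: the same fields, bound to an HMAC the client cannot forge ---
def sign_cookie(fields: dict) -> str:
    # Assumes field names and values contain none of ';', '=' or '|'.
    payload = ";".join(f"{k}={v}" for k, v in sorted(fields.items()))
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def parse_signed_cookie(cookie: str):
    payload, sep, tag = cookie.partition("|")
    if not sep:
        return None  # no signature present: treat as unauthenticated
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # poisoned or corrupted cookie: reject
    return dict(part.split("=", 1) for part in payload.split(";"))

def tamper(cookie: str, key: str, value: str) -> str:
    # Simulates a client editing one field of its own cookie; any signature is left untouched.
    payload, sep, tag = cookie.partition("|")
    parts = [f"{key}={value}" if p.startswith(key + "=") else p for p in payload.split(";")]
    return ";".join(parts) + (sep + tag if sep else "")

if __name__ == "__main__":
    unsigned = "role=user;user=alice"
    print(parse_unsigned_cookie(tamper(unsigned, "role", "admin")))  # role escalated
    signed = sign_cookie({"user": "alice", "role": "user"})
    print(parse_signed_cookie(signed))                                # accepted
    print(parse_signed_cookie(tamper(signed, "role", "admin")))       # None: rejected
```

Signing only stops tampering; a stolen signed cookie remains valid until it expires, so server-side session state and short lifetimes are still needed.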
3. Penetration Testing

Penetration testing is a method of testing the security level of an application, network, or system. It also evaluates services to identify flaws, weaknesses, and vulnerabilities. The main difference between a penetration tester and a hacker is the permission given to the pen-tester by the owner of the computing resources. There are two types of penetration testing: network infrastructure testing and application testing. Network infrastructure testing is usually conducted internally, against the corporate information system assets, workstations, and servers, and externally, against servers and their supporting infrastructure.

3.1 Penetration Testing Process
- Planning and Preparation: Planning and preparation is the most critical phase of a successful penetration test. It is also vital to keep all information obtained during the test confidential.
- Information Gathering: In this step, different areas of the target system or network, such as the physical and logical areas, are analysed to collect all available information about the discovered vulnerabilities. This information builds the knowledge needed to act in the next step of the test. The phase can be conducted with different tools, such as Nmap, Nikto, Nessus, Metasploit, etc.
- Vulnerability Analysis: An analysis is performed on the information gathered in the previous step to determine the vulnerabilities that might exist in the web application. Several vulnerability classes are examined, for instance web server vulnerabilities, input-based vulnerabilities, authentication vulnerabilities, and function-specific vulnerabilities.
- Exploiting Vulnerabilities: After analysing and determining the vulnerabilities that might exist in the application, the testers should have gained good knowledge of, and ideas about, the targeted areas to be exploited. However, knowing that a vulnerability exists does not mean that it can be exploited easily. Therefore, the quality of a penetration test depends primarily on the creativity of the tester's approach.

4. Vulnerability Assessment
Vulnerability assessment tools, or scanners, are automated and manual processes that cover open-source, internally developed, and commercial tools used to identify the "low-hanging" vulnerabilities. The assessment begins with a footprint analysis to pinpoint what services and/or programs are running on the target network. The tools then attempt to enumerate targets in order to exploit the discovered vulnerabilities in the software versions of those services or programs, and report what they have discovered.

5. Penetration Testing vs. Vulnerability Assessment
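As an added illustration (not from the paper) of the assessment logic described above and of where it stops short of a penetration test, the following Python sketch matches service banners against a signature set. The banners and signatures are constructed, the advisory ids are placeholders, and every match is reported as unverified because confirming exploitability is the separate, manual step a pen-tester performs.

```python
import re
from dataclasses import dataclass

# Constructed banners standing in for what the footprint/enumeration step returns.
BANNERS = [
    "10.0.0.5:22 SSH-2.0-OpenSSH_7.4",
    "10.0.0.5:80 Server: Apache/2.4.49",
    "10.0.0.7:80 Server: Apache/2.4.58",
    "10.0.0.9:21 220 ProFTPD 1.3.5 Server ready",
]

# Hypothetical signature set: (banner regex, product, first fixed version, placeholder advisory id).
# A version below "first fixed" is flagged. The entries are illustrative, not real advisories.
SIGNATURES = [
    (r"OpenSSH_(\d+\.\d+)", "OpenSSH", "7.5", "ADV-EXAMPLE-001"),
    (r"Apache/(\d+\.\d+\.\d+)", "Apache httpd", "2.4.50", "ADV-EXAMPLE-002"),
    (r"ProFTPD (\d+\.\d+\.\d+)", "ProFTPD", "1.3.6", "ADV-EXAMPLE-003"),
]

@dataclass
class Finding:
    host: str
    product: str
    version: str
    advisory: str
    verified: bool = False  # a scanner matches versions; proving exploitability is the pen-tester's job

def parse_version(v: str) -> tuple:
    # Compare numerically so that "2.4.9" sorts below "2.4.49", unlike a string comparison.
    return tuple(int(x) for x in v.split("."))

def assess(banners):
    findings = []
    for line in banners:
        host, _, banner = line.partition(" ")
        for pattern, product, fixed_in, advisory in SIGNATURES:
            m = re.search(pattern, banner)
            if m and parse_version(m.group(1)) < parse_version(fixed_in):
                findings.append(Finding(host, product, m.group(1), advisory))
    return findings

def report(findings):
    # The assessment's deliverable: candidates to prioritise, each still needing manual confirmation.
    return [f"{f.host} {f.product} {f.version} matches {f.advisory} (exploitability unverified)"
            for f in findings]

if __name__ == "__main__":
    for line in report(assess(BANNERS)):
        print(line)
```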
The two terms penetration testing and vulnerability assessment are widely regarded as the most significant components of information security. However, describing the relationship between them creates an area of confusion, as both involve an intensive and proactive attempt to discover security breaches that might negatively affect an organization's systems.

6. Vulnerability Analysis Tools
It is somewhat confusing to choose the best tool for a scan or analysis, especially given the variety of tools available in the information security environment that provide almost the same services. However, there is usually one tool whose features make it preferable to security professionals. For instance, the Metasploit framework provides more services than any other tool. Metasploit is a platform for creating security tools and exploits. It is used by network security professionals to perform penetration tests and by system administrators to verify patch installation. It is an open-source tool that supports different operating systems, such as Windows, Linux, and UNIX-based OS. What makes Metasploit easier to use than other tools are its multiple user interfaces and its powerful built-in exploitation tools. Moreover, Metasploit is loaded with a thousand exploits, multiple encoders, and hundreds of payloads.

7. Future Advances
The rapid advance of technology provides users with highly sophisticated services. However, securing these technologies is becoming an increasingly serious matter, so companies should take information security more seriously. Recently, high-tech companies such as Apple, Sony, and Snapchat have been compromised by different groups of hackers. Apple, for instance, stated in its iCloud security and privacy overview that user data is encrypted and stored in encrypted form on iCloud servers, and that it provides secure data transmission that prevents unauthenticated access. Surprisingly, at the beginning of 2015 a group of hackers released a new tool, called "iDict", that allows attackers to get into iCloud accounts; it is available online for free, which is what makes it more dangerous. Therefore, it would be more efficient to create new pen-testing tools that combine wider features and specifications, so that they can form the first line of defense for systems and reduce the risk of being compromised.

8. Conclusions
To conclude, it is important to know the difference between penetration testing and vulnerability assessment. This paper described the most common vulnerabilities that might cause serious problems for web applications, listing the top five web application vulnerabilities. It then illustrated vulnerability assessment and penetration testing and their processes. Because of the variety of tools that can be used for vulnerability scanning, the paper focused on one tool, Metasploit, whose many features make it preferable to penetration testers, as it has an enormous number of built-in exploits and payloads. Finally, given the increase in cyber-attacks, it is predicted that improvements to the tools used to test systems will combine several features so as to operate at a high level of security and block some sophisticated attacks.