So, I have been penetration testing for a while now. Over the years, I have seen penetration testing evolve dramatically. Back in the days, tools were not as smart as they are now. Now, we have state of art tools (burp Pro, Net Sparker, HP Web Inspect to name a few) and to be brutally honest, these tools are only going to get better as time goes by. The application frameworks are also getting better. A widespread issue such as Cross Site Request Forgery, is not as prevalent as it used to be and that’s because the application framework are getting more security conscious then they were a few years ago.
In terms of penetration testing, people are spending lot more time in checking best security practices;
So, the point is everyone now a days follows a check-list to make sure all of this gets covered. I have no issues with check-list based approach and I understand that this is done to ensure that a level of consistency is achieved. My worry is that these check-lists are growing bigger by the day and we are making Pentesting a Science and killing the Art aspect of Penetration Testing.
Penetration testing, to me has always been something which requires out-of-box thinking. My worry is, there are a number of things which you can’t document in a check-list, which are application and case specific and we need to educate the budding generation of penetration testers on this Art.
If you report 20 best security practices but miss a critical business logic flaw, then its a #FAIL;
To give you a more specific example to highlight this issue.
Assessing The Forget Password Functionality
So, these days apps send out a link with a token in it to reset your password. The link looks something like this:
What tests do you perform on this:
So, it turns out that in this 1 case, the app passes all these checks. Now, here comes the Art part. The Application validates that the token, but not quite as it should. It turns out that the application checks if the token is associate with an account on which reset password link has been generated rather than the actual email. So, in the above URL if the user ‘user2’ has not had a password reset initiated, the application will not process the request. However, if we initiate the reset process on both users (user1 and user2) then we can use the token for user1 to reset the link for user2.
So, as an attacker all you need is someone’s email address.
The bottom line is, we need to strike a balance between the Science and the Art aspect of penetration testing. I get a feeling that currently the industry is moving away from the Art Aspect and pentesting is becoming more of a science. There are a couple of good presentations to get you motivated on business logic testing (1 of them by me and an ex-colleague):
Thats my 10 cents for this week!
If you would like to try out our Penetration Testing Services, contact us here!