Common vulnerabilities found in penetration testing

July 14th, 2023 Posted in Penetration Testing

You want to improve your organisation’s security posture; you’ve done some googling and you’ve no doubt stumbled upon penetration testing services as a form of securing your data. Seems straightforward enough, but how do you know you’re going to get the right service for your system or applications, and what are the common vulnerabilities found in penetration testing that you should expect a good tester to find?

If you are unfamiliar with what weaknesses a threat actor can exploit in your systems, applications or infrastructure, don’t worry – we’re here to help.

It can be difficult to know where to start if your organisation has never had a penetration test before. In this blog post, we will guide you through what you need to know before you approach a penetration testing services provider and the common vulnerabilities that can be uncovered. You can also download a free copy of our Guide to Penetration Testing here.

How do you know what needs to be tested?

An important part of the pen testing preparation process is to determine what you need to be tested – you can learn more here about scoping a penetration test. Threat actors often focus on a company’s public-facing assets, such as APIs (Application Programming Interfaces), websites, and applications, that are accessible over the internet. These assets are primarily designed for interacting with customers and partners, which makes them an alluring target.

Criminals can take advantage of several vulnerabilities, such as weak authentication mechanisms, outdated software, and unsecured APIs, to gain access to sensitive data, compromise the system, and carry out malicious activities. Having a clear understanding of the common vulnerabilities to look out for is essential to ensure that the penetration test meets the security conditions of your organisation and is conducted efficiently.

So, let us get to the nitty-gritty: what types of weaknesses should you expect your penetration testing partner to find during your vulnerability scanning and pen test?

External infrastructure & common vulnerabilities

In today’s digital age, where public-facing assets such as websites, applications, and APIs are common, an organisation’s external infrastructure is particularly vulnerable to attacks because it is accessible over the internet. External infrastructure penetration testing is therefore crucial to an organisation’s security strategy.

Some of the commonly found vulnerabilities during external infrastructure penetration testing may include:

Misconfigured security devices and firewalls: It is no secret that firewalls are an essential part of network security, but they can be easily misconfigured. Misconfigurations such as these give unauthorised access to data and/or functionality within a system. In fact, according to Gartner research, “99% of firewall breaches will be caused by misconfigurations, not flaws”.

All too often, the person responsible for configuring firewall settings within an organisation chooses the wrong access control, leaving the firewall open to exploitation. Configuring firewalls takes meticulous planning and is best done by an expert. However, even properly configured firewalls can still be left vulnerable if they are not audited regularly.

Configuring firewalls is not a set-and-forget task, and treating it as one can lead to major breaches, unplanned downtime in operations and, in some cases, fines for noncompliance in industries such as healthcare and finance. It is also imperative to ensure no security patches from the firewall provider are missed.

Unpatched software: A common vulnerability that cybercriminals exploit, and a widespread problem in today’s digital age. Unpatched software is software with a vulnerability that has not yet been addressed through the development of additional code (a “patch”). Software developers have a responsibility to detect any weaknesses in their software, and to remediate them by acknowledging the vulnerability and releasing patches so that all users can update the system and mitigate any potential exploits.

Leaving software unpatched becomes a problem and creates security risks. Automated patching can help to remediate threats, but it is advised that organisations ensure they have a robust patch management process in place. This should include an audit procedure to detect any vulnerabilities in order to deploy the relevant patches.

Weak authentication mechanisms: Most vulnerabilities in authentication mechanisms happen in one of two ways. Threat actors can use brute-force attacks to guess passwords, or they can bypass the authentication completely due to a poorly coded implementation or through logic flaws in the web development, which can cause a website to behave unexpectedly.

Either way, vulnerabilities in authentication can have a devastating impact on an organisation. When a threat actor has their way into an account, they then have access to all the sensitive data that account may hold. Furthermore, if the account they get into is a system admin, they can then take over the whole application and gain access to the network infrastructure.

Inadequate logging and monitoring: Without proper logging and monitoring, an organisation cannot detect and respond to security incidents, leaving it vulnerable to cyberattacks. According to OWASP, insufficient logging and monitoring is the cause of nearly every major cyber incident.

What do we mean by insufficient logging? Failed logins and high-value transactions not being logged, warnings or errors generated by the system not being recorded, and apps and APIs not being monitored are all examples. These are all events that should be logged and stored (and not only stored locally!).
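To show what logged failed logins make possible, the following added example (not part of the original post) classifies sources by their pattern of failures: many failures against one account, as in the brute-force guessing described above, or failures spread across many accounts, as in password spraying. The log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical log format: "<timestamp> <event> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) src=(\S+)$")

# Constructed sample events (documentation IP ranges, invented users).
SAMPLE_LOG = """\
2023-07-14T09:00:01Z login_failed user=alice src=203.0.113.7
2023-07-14T09:00:02Z login_failed user=alice src=203.0.113.7
2023-07-14T09:00:03Z login_failed user=alice src=203.0.113.7
2023-07-14T09:00:04Z login_failed user=alice src=203.0.113.7
2023-07-14T09:00:05Z login_failed user=alice src=203.0.113.7
2023-07-14T09:01:00Z login_failed user=bob src=198.51.100.9
2023-07-14T09:01:01Z login_failed user=carol src=198.51.100.9
2023-07-14T09:01:02Z login_failed user=dave src=198.51.100.9
2023-07-14T09:01:03Z login_failed user=erin src=198.51.100.9
2023-07-14T09:02:00Z login_failed user=frank src=192.0.2.10
2023-07-14T09:02:30Z login_ok user=frank src=192.0.2.10
"""

def analyse(log_text, per_account=5, distinct_accounts=4):
    """Return ({source: alert_type}, unparsed_line_count).

    Thresholds are illustrative assumptions, not recommended values.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    unparsed = 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            unparsed += 1  # count malformed lines instead of dropping them silently
            continue
        _, event, user, src = match.groups()
        if event == "login_failed":
            failures[src][user] += 1
    alerts = {}
    for src, users in failures.items():
        if len(users) >= distinct_accounts:
            alerts[src] = "password_spraying"  # few tries each, many accounts
        elif max(users.values()) >= per_account:
            alerts[src] = "brute_force"        # many tries, one account
    return alerts, unparsed

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The single failed attempt followed by a success from 192.0.2.10 stays below both thresholds and is not flagged.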

The importance of regular infrastructure penetration testing

It is essential to note that the list of vulnerabilities mentioned above is not exhaustive, and each engagement can reveal different vulnerabilities. However, regular external and internal infrastructure penetration testing provides organisations with an in-depth understanding of their security posture and enables them to detect and address vulnerabilities proactively, reducing the risk of successful attacks and safeguarding their assets and reputation. A team of experts, such as Evalian, employs various tools and techniques to discover vulnerabilities that attackers could exploit.

Find out how we can help you with securing your external & internal infrastructure through our CREST-accredited penetration testing services.

Web apps & common vulnerabilities

The use of web applications has become ubiquitous in the modern business landscape as they offer an easy-to-use means for customers to access products and services. It comes as no surprise then that web applications have become prime targets for cyber-attacks.

Web application penetration testing involves assessing the security of an application by mimicking a real-world attack on it. This kind of testing is imperative as web applications are often the primary targets for attackers, and any vulnerability can be exploited to gain unauthorised access to critical information or to execute malicious code on the server.

What kind of common vulnerabilities can you expect to find in your web app testing?

SQL Injections: One of the most prevalent vulnerabilities discovered in web application assessments is the SQL injection vulnerability. What are injection flaws? Injection flaws refer to a range of attacks in which a threat actor submits unexpected inputs into a web application. In an SQL injection attack, a threat actor will inject an SQL query through the input of data from the browser to the application. If successful, the attacker may be able to access and alter sensitive data from the client’s database and, in some cases, execute administrative commands.

The injection vulnerability category is currently in third place in the OWASP Top 10 and the flaws are classed as one of the most prevalent risks in web applications today.

SQL injection attacks pose a significant risk since they can result in data breaches, the theft of sensitive information, or full system compromise.
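The flaw and its fix side by side, as an added example that is not part of the original post: the same lookup is written once with string concatenation and once with a bound parameter. The table, rows and input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO orders (customer, item) VALUES (?, ?)",
        [("alice", "laptop"), ("bob", "phone"), ("o'brien", "router")],
    )
    return db

def orders_vulnerable(db, customer):
    # VULNERABLE: the browser-supplied value becomes part of the SQL text,
    # so quote characters in it change the structure of the query.
    query = ("SELECT customer, item FROM orders WHERE customer = '"
             + customer + "' ORDER BY id")
    return db.execute(query).fetchall()

def orders_safe(db, customer):
    # FIXED: the value is bound as a parameter and is only ever treated as data.
    query = "SELECT customer, item FROM orders WHERE customer = ? ORDER BY id"
    return db.execute(query, (customer,)).fetchall()

# Constructed input that closes the string literal and adds an always-true clause.
HOSTILE_INPUT = "nobody' OR '1'='1"

def demo():
    db = make_db()
    return {
        "vulnerable_rows": len(orders_vulnerable(db, HOSTILE_INPUT)),  # every customer's rows
        "safe_rows": len(orders_safe(db, HOSTILE_INPUT)),              # no such customer
        "safe_apostrophe": orders_safe(db, "o'brien"),                 # legitimate name works
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated version also fails on the legitimate name `o'brien` with a syntax error, which is often how this class of flaw first shows up in testing.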

Another form of injection attack is known as…

Cross-site scripting (XSS): This vulnerability occurs when an attacker can inject malevolent scripts into an application’s web pages, which can be executed on a user’s browser. The script is aimed at the content of the web application, to manipulate or exploit the data and functionality within it. It is then distributed to the browsers of the users who engage with the web app. This can be achieved through various means, such as through a malicious link, a fake web page or a weak component in the application itself.

The script can be hard to detect, hidden in the normal functionality of the web application, and so the users who have received the script will be completely unaware. If the malicious script is successful, it can enable the threat actors to gain access to the website data, steal credentials, access cookies, and, in some cases, take control of the user’s account, performing actions on their behalf, such as the manipulation of sensitive data.
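The following added example (not from the original post) shows the two server-side controls that address the risks just described: encoding user-supplied text before it is placed in a page, and marking the session cookie so that page scripts cannot read it. The function names, markup and sample strings are constructed assumptions.

```python
import html
from http.cookies import SimpleCookie

def render_comment_vulnerable(author, body):
    # VULNERABLE: user-controlled strings are pasted into the markup as-is,
    # so the browser interprets any tags or attributes they contain.
    return '<div class="comment" title="' + author + '">' + body + "</div>"

def render_comment_safe(author, body):
    # FIXED: encode for the HTML context. quote=True also encodes " and ',
    # which matters for the value placed inside the title attribute.
    return '<div class="comment" title="{}">{}</div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )

def session_cookie_header(session_id):
    # HttpOnly keeps page scripts from reading the cookie; Secure and
    # SameSite restrict when the browser will send it.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie["session"].OutputString()

# Constructed sample input standing in for a hostile comment submission.
SAMPLE_AUTHOR = 'eve" data-injected="1'
SAMPLE_BODY = "<script>/* placeholder payload */</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_AUTHOR, SAMPLE_BODY))
    print(render_comment_safe(SAMPLE_AUTHOR, SAMPLE_BODY))
    print("Set-Cookie:", session_cookie_header("abc123"))
```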

Insecure file uploads: File upload vulnerabilities happen when an application fails to properly validate file uploads, permitting attackers to upload malicious files that can be executed on the server. Given the obvious risks of file upload vulnerabilities, developers tend to ensure restrictions are in place over what users are permitted to upload to a website. However, as with any development code, there is the potential for flaws.

Failing to restrict the types of files and contents that are allowed could mean that even a simple image upload can potentially be used to upload damaging files instead, such as server-side script files that could enable external code to run. If a threat actor successfully uploads a web shell – a malicious script enabling the execution of remote commands – then they have full control over a server.
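One way to apply the restrictions described above, as an added example that is not part of the original post: an image-only upload check that combines an extension allowlist, a content signature check and a server-chosen filename. The allowlist, size limit and sample inputs are illustrative assumptions.

```python
import os
import secrets

# Allowlist: permitted extension -> leading "magic" bytes of that file type.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
MAX_BYTES = 2 * 1024 * 1024  # illustrative size limit

class UploadRejected(Exception):
    pass

def validate_upload(filename, data):
    """Return a server-chosen storage name, or raise UploadRejected."""
    # Discard any client-supplied directory components.
    base = os.path.basename(filename.replace("\\", "/"))
    # Exactly one dot: rejects double extensions and extension-less names.
    if base.count(".") != 1:
        raise UploadRejected("need exactly one extension")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not on allowlist")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # The content must start with the signature of the claimed type.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Never store under the client's name; a random name avoids overwrites
    # and predictable paths. A signature check alone is not proof of a
    # harmless file, so stored uploads should also sit in a location the
    # web server will not execute.
    return secrets.token_hex(16) + ext

def check(filename, data):
    """Convenience wrapper returning ("accepted", name) or ("rejected", reason)."""
    try:
        return "accepted", validate_upload(filename, data)
    except UploadRejected as exc:
        return "rejected", str(exc)

# Constructed sample inputs.
PNG_BYTES = ALLOWED[".png"] + b"constructed image data"
SCRIPT_BYTES = b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    for name, data in [("holiday.PNG", PNG_BYTES), ("shell.php", SCRIPT_BYTES),
                       ("shell.php.png", PNG_BYTES), ("avatar.png", SCRIPT_BYTES)]:
        print(name, check(name, data))
```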

Broken authentication and session management vulnerabilities: This type of vulnerability is listed in OWASP (A2:2017). The attack vector is identified as threat actors having access to valid username and password combinations, admin account lists, brute force, and dictionary attack tools. Cybercriminals can detect broken authentication manually, and then use automated tools to take advantage of it.

A session is a series of events associated with the user over a specific period. When a user logs into a system, they are given a session ID, which a threat actor can then hijack to gain access to the system.

These types of attacks are achieved by using some common attack techniques which you will have heard of, such as phishing, credential stuffing or password spraying. The alarming reality is that the threat actor only has to gain access to a handful of accounts, or only one admin account, in order to get into the system, allowing plenty of opportunities to exploit sensitive data for purposes such as identity theft or money laundering.

Regular web application penetration testing is crucial in preventing security vulnerabilities. Organisations must consider that as technology advances, so do the methods used by cybercriminals, making it necessary to regularly evaluate and strengthen their security defences.

Finding your Pen Test partner

So you’ve got a basic understanding of what vulnerabilities could be found within your systems, and you have an idea of the scope of your testing. The next – and arguably the most important – step is to choose a reputable and experienced penetration testing provider that gets you the most value for your money (see our recent blog on penetration testing costs). How?

In a recent, more detailed blog post, we’ve broken down what to consider in a good penetration testing services provider into four main steps. We always advise choosing someone with the relevant credentials – CREST (Council for Registered Ethical Security Testers), for example, is the gold standard in pen testing, and we would recommend always picking a company that is accredited. Checking for reviews and case studies is also a crucial step, as is making sure that you find a provider that can provide a long-term service, so that you can build a strong relationship with one whom you can trust.

Conclusion

CREST-accredited penetration testing is a critical practice for any business that wants to safeguard its digital assets and reduce the risk of cyberattacks. By simulating an attacker’s activities, penetration testing can help identify vulnerabilities and weaknesses in an organisation’s security posture, allowing the organisation to address them before malicious actors exploit them.

If you are new to penetration testing, it is essential your organisation understands the type of attack vectors that are possible within your systems and finds a reputable and experienced provider who can guide you through the process and help you scope the test to meet your specific needs. Regular penetration testing is particularly crucial in today’s digital age, where public-facing assets are common and vulnerable to attacks.

At Evalian, we understand the importance of penetration testing, and indeed of having a provider that you trust and have full transparency with. Our team of experienced testers is committed to delivering comprehensive and effective testing to help you identify and address any potential security risks. So, let us help you protect your assets and reputation by conducting regular penetration testing and enhancing your overall security posture. Remember, the best defence is a good offence, and in cybersecurity, that means regular penetration testing.


Written by Evalian®