Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall




Episode #94 - Web Application Penetration Testing 101

Web applications are drastically different and like anything, are prone to vulnerabilities. Application penetration tests come in all shapes and sizes, some good, some bad, and some are not even penetration tests at all. This week, the guys share their insights about Web Application Penetration Testing and get what you need out of your next test! Do not miss this episode if you are planning a web application penetration test for the first time! 

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

US RESTRICT Act Gains Support, Empowers president to Ban Foreign Tech

SA issues emergency cybersecurity mandates for aviation sector

National cyber strategy wants to redirect responsibility from users to manufacturers

Info stealer targets Facebook business accounts to land sensitive data

AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security

Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears

US CISA added actively exploited flaws in Teclib GLPI, Apache Spark, and Zoho ManageEngine ADSelfService Plus to its Known Exploited Vulnerabilities Catalog

VMware NSX Manager bugs actively exploited in the wild since December

Veeam fixes bug that lets hackers breach backup infrastructure

Fortinet warns of new critical unauthenticated RCE vulnerability

DuckDuckGo launches AI-powered search query answering tool

Royal ransomware attacks spreading across critical infrastructure

Acer discloses a new data breach, 160 GB of sensitive data available for sale

Expert released PoC exploit code for critical Microsoft Word RCE flaw

Just 10% of Firms Can Resolve Cloud Threats in an Hour


welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zack fuller
and laura chavez
hello and welcome to the cyber ants podcast
this is zach fuller
joined by mike ratando and laura chavez
today we're going to take a dive
into web application penetration testing
that is something that there's a lot of people
asking about
and more and more demand for it out there
as people realize that web applications
like everything else
have lots of vulnerabilities
need to be assessed
and those vulnerabilities need to be remediated
and this is a continuous thing
so we'll talk about that more shortly
but mike first
you want to kick us off the news
he's a little old
but i think it's important
us restrict act
dean support empowers president to ban foreign tech
the white house and a bipartisan
group of twelve senators have endorsed the risk
information and communications technology
act on tuesday
legislation is designed to empower the us
ban foreign producers of electronics or software
in the national security
risk by the commerce department
we need huawei zte
kaspersky or TikTok
so let's see if something comes out of that
there will be nothing left
we won't have any technology
right arguably some of the
the best detection software in the world
for mallor is kaspersky ironically
she was that
because i write it also
yeah exactly
no wonder it works so well yeah
the tsa issues an emergency cyber security mandate
for the aviation science sector
tsa amended security directives
for airport and aircraft operators
citing persistent cybersecurity threats
against us infrastructure
including the aviation sector
wow an epiphany
the amendment will compel regulated entities
in the aviation sector
to develop plans for hardening resilience
their digital networks and infrastructure
in the face of ongoing cyber attack
required actions include segmenting network activity
to ensure it and operational technology systems
can continue operating
in one or the other is compromised
putting access controls around sensitive systems
implementing continuous
monitoring and detection for cyber security threats
and ensuring highly patching of vulnerable systems
i tell you guys
that is truly groundbreaking
and very forward thinking
we should be we should be patching
yeah i gotta give it to the government every time
they're just right ahead of the curve
we were supposed to be patching
yeah told us
network segmentation
my god i never thought of that
national cyber
strategy wants to redirect responsibility from users
to manufacturers
this is a big push by this administration
the strategy released thursday morning
which was last thursday
to create fundamental shifts across two areas
broadly moving responsible for insecure technology
from the users and small businesses
who are often the victims of cyber attacks
the manufacturer
and compelling more long term investment
in the way sex technology is designed
built and secured
the ultimate goal
to change status quo
where single persons momentary lapse in judgment
use of an outdated password
or aaron click a suspicious link
can have constructs across
multiple organizations or sectors
and negatively impact national and economic
and economic security
it's a nice goal
not realistic in any way
shape or form
responsibility must be placed on the stakeholders
most capable of taking action to prevent bad outcomes
not on the end users
that often bear the consequences of insecure software
nor open source developer of a component
that is integrated into commercial product
again where they go
not realistic
risk can never be completely eliminated
to do that the strategy pushes a series of actions
including beefing up regulatory standards around cyber
for sectors of critical infrastructure
dismantling the it infrastructure used by
hacking groups to carry out their malicious campaigns
i'm pushing to reshape laws that govern liability
for data loss
insecure software
and other products
are in forging greater partnerships with international
allies to defend the vision of free
open and safe internet around the world
voluntary cyber security performance goals
developed by cissa
and the industry for critical infrastructure last year
instead of voluntary standards that caused
things like multi factor authentication encryption
restricting access to high privileged credential
securing and segregating sensitive data
the potential
roadmap for some of the common cyber security practices
the government would like to be mandatory
across different industries
i'm assuming there's some good stuff in here
but in all honesty i'm not
i'm not feeling it
so anyways one thing that'll come out of it is probably
probably manufacturer forced multi factor
i think if anything it could be
and maybe it's forcing any sass
out there to do a multi factor or something like that
i don't know
but i mean you can't take
as long as humans are involved
there's gonna be error
it just is the way it is
always so um
and i just don't know how this is gonna be enforced
and i don't know if they're gonna have audits
and maybe they're gonna put more teeth
into things like nest
nest and hipaa
i don't know but
it'll be interesting to see what they come out of it
um and i wonder how much at my stifle innovation
and that's really my more concern
um excuse me
info stealer targets facebook business accounts
to land sensitive data
hackers have been using an advanced information stealer
to target facebook business accounts
by using google ads and fake
facebook profiles that promote games
adult content
and crack software
alert victims in the download and wishes files
it actually aims to steal sensitive information
including login data
cookies and business account informations
they usually pick urls for that
and lastly ai powered black mamba key logging
attack of aids
modern edr security group concept
ai driven cyberattack
that changes its code on the fly
and slip past
the latest automated security detection technology
demonstrated the potential
for creating undetectable malware
researchers from highest labs
demonstrated the poc attack
which they call black mamba
which exploits a large language module
or model technology
which chat gpt is based
it's synthesized a polymorphic keylog
our functionality on the fly
the attack is truly polymorphic
in that every time black mama executes
it resynthesizes its keylog
in capability
black mamba attack demonstrates how i can allow
the malware to dynamically modify
benign code at runtime
without any command and control infrastructure
allowing it to slip past
current automated security systems
that are tuned to look out for this type of behavior
to attacked attack
pretty scary stuff out there
one of the things you want to look at
i'm not gonna go to the store to do
but employees are feeding sensitive is data to chat gpt
raising security fears
for all those wondering
if you should have chat gpt in your environment
you really need to be careful
because employees are submitting sensitive
business data
and privacy protected information
into chat cbt
raising concerns that artificial intelligence services
could be incorporating the data into their models
and the information can be treated at a later date
if proper data security isn't in place
they have examples of doctors feeding reports
they have doctors
have all sorts of interesting stuff going on in there
so be careful
chat gpt four just came out
and with gpt four
you can input data to it in the form of spreadsheets
which is why is probably happening exactly
don't do that
don't don't give it
don't give it personal information
we're gonna break the whole thing
but you can
you can give it documents that
hold up the
twenty five thousand words now
and it'll answer questions
and analyze the data that you give it
it'll analyze imagery now
it's pretty impressive so yeah
be careful that's just really what it comes down to
there's a bunch of good headlines in this week
and one of the ones that i found interesting is that
jets ten percent of firms
can resolve cloud threats in an hour
there's another microsoft rce flaw
acer just had a breach
fortnite warns of new critical on our site
unauthenicated rce vulnerabilities
and vm had an issue
a big breach
backup issue
infrastructure issue
so check that stuff out if that impacts you
and over where we go to laurel's literal corner laurel
literal corner
welcome everybody
hope you've had a good week so far
today at laurels corner
i thought it would be valuable to talk about vpns
and many of you probably surf the web
doing your natally thing
and you'll see ads come up for various vpn technologies
protect yourself
disguise your source
ip is used to surf
well i wanted to kind of dispel some myths
and just talk about the realism
and some of the real reasons you may need vpn for
and what it was intended for in the first place
so let's talk about
do you really get an anonymity bonus by using a vpn
as you go on the internet
well sort of
but as you go to these websites
if you're visiting websites
if you're doing nefarious activities
i think i'll just say that right up front
is really kind of all
who is gonna really benefit
from some of these creator technologies
for the rest of us doing our normal stuff
you're gonna get a session cookie
and even if you're using a vpn
that session cookie is gonna be able to track you
and know when you visit the site
and so yes there are ip benefits in masking your ip
which in some cases
i don't know how that really helps us to do our normal
daily things
so again keep these things in mind
and then from a historical perspective
vpn or virtual private networking
the principle of building an extended network
really between offices
was so that we had access to corporate apps
like sharepoint and things like that
we could take the benefit of active directory
when old giant corporate organizations had
web application firewalls and things that we
as employees and as users
needed to abide by
so we needed to attach to the corporate network
in order to be bound by those filters
in the last couple years
technologies advanced
to the point where we can do that on the local host
so the vpn in itself is
i want to say
a kind of an aging idea for architecture at this point
because of how we're doing
micro subneting at the host at this point
so don't be fooled by some of the flashy um
advertisements that come up
and try to scare you into thinking
that everybody's tracking what you're doing
of course they are
all the websites that you frequently visit
are gonna track you
that's there's really no way to get around that
unless you deny all cookies the time
even the ones at the good cookie place
otherwise vpn is probably not going to buy you anything
other than getting on some form of radar
at the nsa level
for going to various places
trying to disguise your ip
i like to use the term
if you're not doing anything wrong
you have nothing really to hide
your session is gonna be protected to the web server
in old https
transport layer security one dot two fashion
and protect you from prying eyes already
so is the need to really disguise
where your location is all that necessary
hmm maybe maybe not
that'll leave that for you to decide
but don't be fooled by the advertising jargon
trying to scare you into thinking you need something
you probably don't
all right well
that was our laros corner
of a worthless tidbit
i'm just kidding
i don't know
i don't know
jake cut that out
okay zach what are we
what are we gonna talk about today zach
i had heard that
something about web application pen testing
up front here
right we are
we are gonna talk about that
and thank you for your vpn insight
i'm just wondering
before we dive into web app pen testing
what if i want to watch youtube in argentina
or netflix in costa rica
that's a pretty good reason to have a bpn
i stand corrected sir
i mean that
that would be a legitimate reason
to fake your source ip address
definitely regionable
regional regional
football and soccer probably so too
yeah yeah i bring that up because it's funny
somebody was talking about that the other day they what
they watch youtube and other countries to get a more uh
more a bigger world view i guess you could say
of what's being shown where
and i thought that was kind of an interesting use case
for it but i digress
so yeah let's
no that's a good point
honestly i think that's probably one of the best
use cases i've heard for vpn lately which is
one of the reasons i wanted to talk about it today
is got people asking
do i need to hide from big brother
you know no
yeah it's not gonna help you if you're doing bad stuff
you know what i mean
don't do bad stuff
don't yeah just don't do bad stuff
you got nothing to worry about
if people didn't do bad stuff
we wouldn't have the cybersecurity industry at all
well it's world would be perfect
and just a bunch of things that would be
you know great
technologists that do the right thing all the time
but we can't hope for a perfect world
but we can at least preach the matches to hey
don't do bad stuff
well we're making it better
we are millions of listeners at a time
right we are
with that let's
hey let's take a quick commercial break
and we'll be right back
want even more cyber rants
be sure to subscribe to the cyber rants podcast
get your copy of our best selling books
cyber rants on amazon today
this podcast is brought to you by silent sector
the firm dedicated to building world class
cyber security programs for bin
market and immersion companies across the us
silent sector also provides industry
leading penetration tests and cyber risk assessments
this is silence sector com
and contact us today
and we're back with the cyber ants podcast here
and we're going to dive into web application
penetration testing
i also want to apologize
because we've been out the last couple weeks
that's my fault
but we are back and moving forward here
so if you've missed us
here we are
we're gonna have a good episode
so let's talk about web app pen testing
and start out with
and i think most people listening to this
will understand that
i mean the basics of penetration testing
what it is and so on
but to start out
very high level
who exactly should be doing penetration testing
because i know there's gray areas there
and well we use this software from this third party
should we penetration test it or
we built the software
but you know
nothing's really changed in the last two years
should we do another penetration test
what are your thoughts
um good question
to start out with
and first i just i
i want to go by ranting
that i don't like the term penetration or test
for these activities
i prefer the term technical assessment but less
neither here nor there
let's go with penetration test
you know i am a certified penetration tester
i know i i too have had the penetration in my title
in certificate form of what
what i like to do is
is think of
this is more of a scientific process right
that you would fall for
for anything
so take you know
to your questions app
you know how should you be doing this
there's all
what you're trying to do is
is understand what risk
exist to a set of technical assets
there's a multitude of ways to do that
there's automated tools that you can use
and then there's human input
and human driven tools and things that you can do
to try to understand that
so i think at a high level
you're trying to understand what risk exists
in any given set of technical components
whether they're code based
or hardware based or all of the above
right yeah it makes perfect sense
i mean what for those
for those people that are out there that are wondering
if they should have a penetration test
what are the
what are the key indicators
what are the key factors that you're going to look for
in terms of advising somebody on
yeah you should have a web application penetration test
versus no you probably don't need one
good question
i guess that's gonna depend on
on the amount of
of i guess technological exposure you personally
or your business has to the public internet of things
so if you're running a technology shop
and you've got your bare metal in your garage still
and you're working off a
you know local
cable provider internet
probably not
if you in that same case
if you're in your garage
but you've got fourteen servers and amazon
and another a couple in rack space
and you're trying to build code
that might be a good
a good time to try to understand what technical risk
that you're introducing into the business
by all this crazy web applications
you're throwing on the internet
so i think it
it depends on what your technical
again what your technical exposure is the
the the least amount
i guess the
the less amount of that that you have
that exposure you have the
the more reasonable
it say that i don't really need one of these
but it also
you know these types of tests transcend just like
a web application
or a public internet exposed technical asset
they can also include
you know internal penetration testing
as well as physical intrusion testing
as well to the building
so again it depends on what
where you're trying to identify risk
and then what your exposure is to the places where
the public has access to your technical assets
what i would say one of the differences too
is if you have like a website as a brochure site
there's no data being interchanged
that's pretty minimal risk
but you know if you've developed a web app or
something of that nature you definitely need it so
and mike speaking of that
what about from a compliance perspective
i mean what it
what industries
what compliance frameworks are going to say
you have to penetration test your web applications
anything that you've built
well pci is gonna require it
hippo nis does all suggested
sock to doesn't require it for say
but if you have committed to doing it
if you've identified that risk
then you have to have one for the test
so for the audit
so you know
it's still not being a hundred percent
you know mandatory anywhere
but it is you know
pci definitely is
i would recommend it for any framework just to be sure
you know if you have date on the web
yeah yeah cdis has a whole section on it
the final section is pen testing
yeah yes version
so the question of mandatory versus best practice
you know mandatory
really only pci is like
you have to have this to be pci quality
you know if you're doing x y and z
but other than that
you know everybody's like yeah
this is a really good idea
so i think it's the best way of putting it
yeah i mean my opinion
you might as well
find what the cybercriminals are gonna find
before they find it right
regardless of who you are
um we do get the question quite a bit though
from companies
that have all third party sas applications
right so they
they have not actually
built anything proprietary to their organization
and that's always a tough one
cause depends
you know certain
certain systems
like salesforce
you know they have the ability to do
or you can pen test your instance and all that
whereas other other companies
they're gonna
i mean you're gonna get in trouble for that
without their authorization plus
even if you find something
with a lot of sas platforms that you're subscribing to
it's not like
they're necessarily going to change anything for you
so even if you do point out vulnerabilities
so i just add that for those companies out there
using all third party tools
sure sometimes they do
sometimes they will fix things
that you find something serious enough if we've
like we've done in the past yeah
but by and large
if you tell salesforce there's a problem
they're gonna say yeah okay
yeah probably
so i think i think a good a good
the answer to this
do you need a pen test
you know if the framework requires it
i think it's a simple answer
i think the frequency is a topic we can get onto next
though right
what is a good tempo for this but
if you're doing vendor management
and you've sent your vendors a question
and that question doesn't include anything about
that they've done any kind of pin testing
and you're giving them a lot of your data
and you know
salesforce aside
right these
these organizations are going to have
budgets to implement decent security
and do bug bounties and things like that
it's the the kind of
the small medium
cheaper models that everybody tends to be using
where you send them a vendor management question
or they don't answer it
in that case
i think it's okay to partner with them
and maybe ask permission to get a pen test
especially if you're giving them data
and then what could be identified
as part of that exercise could
is going to benefit them as well
because if anything is found
and only is it gonna
help you protect your data with this third party vendor
but it's going to identify
a weakness in the third party vendor side
then they're hopefully going to resolve that
and become better for everybody
so you just want to make sure that
whoever is carrying the workout is doing it in a
an ethical way
and the business is approaching the vendor and standing
hey we got to do this
we don't want you to pay for it
but our requirements
you know we've done that lately right
believe it on
blame it on
the compliance framework to say hey
my compliance framework
to making me do this
not my fault
you know i remember when we first started sounds
after we met with someone from
one of the big five consulting companies
and they asked
you know who do you sell your side
who do you sell your cyber security services to
and they said
anybody with fifty grand
so there are those firms out there that
if you have an extra
you know ten grand laying around there
like oh yeah
you need a pen test
regardless of risk
so be careful when you're making that decision
definitely it looked
and so moving forward
let's talk about
let's talk more to those companies that
know they've
they have developed their own proprietary software
that might be something that they license
out as a sas model
or it might be software that they use
just to run their business
regardless how
what are you
what's your advice on frequency of pen test
how often should they get these done
and how to how
how can they determine that
so good question
what you have to understand
about these technical assessments
is that their point in time
so we're gonna look at something like a web application
and it's gonna be the scope of our assessment
we're gonna look at it over a period of time you know
and that's another thing to consider too
is that most pen tests are gonna last
you know forty
fifty hours
looking at these web applications as an example
and it you know
an advanced persistent threat
or a nation state sponsored threat
like fancy bearer as an example
they have endless amounts of money
and endless amounts of time
to focus on whatever they want
so i think it's poor to understand that
these are point in time
and so the moment that you change something
moment you update your jake
where your bootstrap these
these you know
these libraries
as part of your core software
you're changing
you're changing the application
and you're almost invalidating the test that occurred
so not at all invalidating a hundred percent of it
but major components
so i think that's why frameworks like pci and cis
will say after significant changes
or when major changes occur
is because you're looking at a set of static principles
and arguments inside of a web application
or another compute
when those things change
another test should occur
to validate the changes that you've done
didn't accidentally introduce
more risk to the environment
and that's really
the purpose of these technical assessments
is in that deployment methodology that you'll have
is to every time something changes
you execute one of these tests
validate that the change was good
and didn't in
introduce any additional risk
and we can move forward
and then the next time something happens that
that should be the frequency
is that realistic for everybody
of course not
yeah perfect world
with unlimited budgets and time
that would be great
but hey an internal team
yeah and tools and of course
yeah at least
at least do it once a year if at a bare minimum right
i mean and then i
you know especially for compliance
but for compliance yeah
that's a risky gamble though
to take a look at these technical assets
that you're depending on only once a year
in this kind of detailed way right
from an attacker perspective risky yeah
it was definitely
a lot of people out there living on the edge though
yeah like yeah
you know what i mean
let's talk about a little bit
about the difference between
scanning versus a penetration test
because i think there's a lot of confusion
in the market out there
and then dive
into the different types of penetration testing
the different
the different depths
you could say
so what are your thoughts on what delineates a scan
versus a true penetration test
goodness okay
so a penetration test or a technical assessment
is gonna follow up an industry accepted methodology
like like the miter attack methodology
for those that don't know
that's adversarial tactics
techniques and common knowledge framework
and what that is essential is
it's a globally accessible knowledge base
of adversary tactics and techniques
based on real world observations from testers
and scientists and engineers around the world
the attack knowledge is based
is used as a foundation for like
the development
of specific threat models and methodologies
in the private sector
government and then even in the cyber security
product and service community
like what we use for our penetration tests
this framework basically provides like
a comprehensive approach
and these tactic
techniques and procedures are what they call ttps
um are used by cyber adversaries daily
whether it's ransomware
or a fancy bear
or any other advanced persistent threat
or nation state sponsored group
they're gonna follow these same methodologies
so a technical assessment or pen test
is gonna follow a methodology of attack principles
entry espionage
electronic bypass principles
a vulnerability scan or a scan is one component
in that major methodology that makes up
a technical assessment or a pen test
so we call that phase one reconnaissance
in the minor attack framework
where we're using a vulnerability scanner
or a automated scanner
to look at web applications as an example
web application scanner
to give us some
information or reconnaissance on the target
it itself does not provide the total of the test
it is just barely a component of getting information
it can be i guess a good
a good example will be
if you take your card on the mechanic
and he plugs in the computer and tell
because you got a check engine light on
and he tells you oh it's
it's these two relays
it didn't fix the relays right
it didn't pull the relays out and change the relays
and check the relays again
it just simply told you that
these two relays are possibly bad
so that is sort of a
kind of a mechanical example
of looking at the difference between just a scan
to an actual full blown penetration test
and what types of things would be missed potentially
in a scan that you would get in a penetration test
oh well lots of things
as an example i'll talk
talk about some of the
the common things that that
that we found recently that are not identified with a
like a world class web application scan
i'm not talking about
something you're gonna get for free
i'm talking something that's like a paid subscription
like a rapid seven qualice or qualish product right
something major
number one they're not going to find data leaks
that are component of your like source code management
so if you're using get and you're
stashing your private keys in there on accident
or you're like new to this and you haven't really
you like the idea of automated code management
but you don't really know how to do it
well there's a lot of that out there
the scanners gonna
just gonna look at the web application itself and say
oh yeah there's these libraries right
a date they're using tls one
maybe you'll get lucky
and see that there are some database access points
but one example here is the source code management
through the proxy
which is a separate application
we'll be able to
which is where the actual technical assessment comes in
as we look at the recon as part of our checklist
and then we actually start looking
and stepping through the web application itself
and watching where these post get calls come from
right how contents being delivered to the site
when we're doing that
we can identify
that there's a source code manager involved
like a get or a material as an example
if those files aren't locked down we can
we can essentially do a clone to the local
to the local file system
make the changes we want
and then do a commit
push back up
and then the websites gonna change automatically for us
that's a good example of what
something that a scan is not gonna find
um let me think of another one here
i think that was one
i'll try to be sure
here i apologize
that another one is an uploader vulnerability
so if you're not familiar with some of the the
the stuff that we get to do here and
and that i get to participate in
we've created a um
an upload bypass with an image
and so in this case
is a great example where a scanner is going to
not even notice that there's an upload feature
sometimes as part of a web application
it's going to take the human
stepping through the web applications interface
to understand that there's an uploader feature
and to and then
and then to use that uploader feature
sometimes there's an api
and we'll see that with the scan
but normally
they're using something else or something baked in
and we'll step through
and find that there's an uploader there
and then we'll use our
our attack poc for this
this uploader bypass
so that's another good example of a place
of vulnerability that a scanner is not going to find
awesome well there
there's a lot of
for people that are
and this this episode's designed for
people that are kind of new to that web app
pen testing such
so there a lot of times people are
have different definitions of the
different types of testing
so you hear out there black box
gray box and white box type testing
and sometimes people will come
and they think they're talking about one method
when they're really talking another
do you want to
you think it makes sense to kind of break down each one
and then you know
lay them out for people so they understand what's what
yeah sure zach
so black box
i'll start there
that's another way to think of this
is unauthenticated
so we have no accounts no access
this is supposedly
you know the method that
you know your average script kid
he's gonna come across the website
or you get picked in a raid on one of the forums
and they're just gonna start checking
a look at what your technologies you own
you know queer and i can
things like that
doing some basic ocean on you
trying to understand what vulnerability surface exists
in the technologies that they have access to
on the public internet of things
so there's no authentication
there's simply
we're you know
as an ethical hacker
we're going to approach this from the aspect of a
you've given us a scope or authorized
we've got an msa and a statement of work
all signed of course
right um but we're gonna
we're gonna look at the set of targets
that's really all we're giving
we call it a black box plus targets
because there's no authentication involved
we're just simply given like
hey these are our ips
and this is our dns
and then from there
we need to dig in and understand what exists
to someone that has the same access and the same tools
and techniques on the internet of things
so that's really a black box
they're not dedicated
gives you a good sight picture
of what the internet community
of cybercriminals is gonna see on you
and again point in time
the next step really is the gray box
this is where you're given
either partial access or additional information to have
to have access to the
the web application
in this case
we're talking about web applications
so this might
be being able to sign up for a guest account
as an example
you can kind of turn this into a black box
into a gray box
by fulfilling
in analyzing the registration process
of the web application
and by creating yourself a
you know read only guest account
you're technically
you know in a gray box
in some cases
where these are not self registered accounts
the client will need to set up the account
and that's another form of the gray box
so gray box has partial authentication
i guess and
and and more knowledge and understanding
about what's happening on the back end
these sometimes include
architectural diagrams and things like that
to kind of help the ethical assessor
go through and better understand what
what vulnerability surface there is
so that we can understand
what risk is in place for these
better understand
so it's a deeper look than the black box right
you've got one layer deeper now
and then the white box is essentially the
having full access
so in the case of a web application
this could be having several user accounts of
like a user
maybe like a supervisor account
and maybe an administrator account in a realm
to try to understand what
what components of the role based access control system
is an example
can these users
function within what their use case should be right
can i as a user
break out and do supervisory tasks
or as i can a supervisor
break out and do administrator tasks
or worse can i as a user
break into the administrator realm
and do administrator tasks on multiple
other client files right
and so that's really
i think in a web application
the advantage of a white box is that you
you understand you know
how the database is connected to the web application
you typically going to get some of these diagrams
or you're going to get a demo
to tell the assessor
better understand how the architect
architecture is in place
and then that assessment is going to give you
better understanding of
if an attacker went from a black box scenario
and got partial access
could they elevate themselves in a gray box paradigm
to a white box
um you you know
a perfect scenario
and then once they do have a white box scenario
can they pivot
can they persist their access
can they create new accounts
and so there's
there's a lot more that you understand
if the the attacker was to get past that first
piece of protection that you have
yeah and to add to that i
i hear a lot
you know in the industry
a lot of people refer to white boxes having everything
like even anything goes
you can get everything you want from the developer
everything's readily available for you
the even the code base
just like all
all the way through
and i hear people taking that approach
you know a lot of times the
for a lot of companies
it seems that the most value is out of
tends to be out of the black box
and gray box approaches
as opposed to having
all the information about the application
at your fingertips
because that's
i mean i guess for insider threats large
large organizations
that have the capital to be able to do that it's great
but there's always a
diminishing rate of return on your investment
right with pen testing and what's
what's going to be realistic if you you know
if you have five million dollars to do a pen test
that's gonna be a very different test
than a five thousand dollar test rate
or ten thousand
oh yeah well
the source codes
the best way
you know i mean
to look at the
the vulnerabilities that exist
and in any given application
the problem is
is that there's usually multiple
applications that are gonna make up this
you're not just gonna
you can't just look at the source code
you have to do a full risk assessment on all of it
source code included
to really understand fully
and again like you said
it's very expensive
let's touch a little bit switching gears on
automated versus manual penetration testing
what that actually means
and you know how
how we would really define what is a truly
you know a manual pen test versus an automated pen test
because i know there's a lot of
kind of gray area and confusion in that that topic
yeah so there's
there's a lot of automation that
that is that
it can help you right it
it's not a replacement
for an actual technical assessment with a
with like human expertise
because you know
maybe with chat gpt for integration in the future
your automation might be better
but here's a great example
there there are
i won't name them
but there are big companies out there
that just have a subscription portal
and you go in and you put money in your portal
and you check out yourself a web application pin test
you never talk to a human
you never talk to anybody
really you just
you give it the scope
you set a date to start
and the money gets siphoned out of the account
and then a couple weeks you get a report
that has a bunch of stuff for you to do
what i don't like about these
these automated scans is that there's a
i don't really know what to call it
there's a sickness
i guess i'll say a mental sickness
in this industry
about being a technical assessor
a penetration tester
or conducting a pen test
and being able to say that we didn't find anything
that was a relevant risk to your organization
you did a great job
it seems like a lot of automation has to pull crap
up to the report
that are a lot of false positives
that then the technical teams have to fight through
or there there
what we refer to as trivial misconfigurations were
now there's
they think because the
the automated scan flag
it is a red or whatever color
they're having to dedicate manpower
resources out of other priorities to fix these things
that are really what i like to call a nothing burger
right i mean
they shouldn't spend a lot of time focusing on poodle
and the happy birthday attack
exactly i'm happy to talk about those
but that drives me crazy
and so that's an example of
an automated test
is going to give you every misconfiguration it finds
it's not going to determine
what's risky to your architecture and what's not
and i think that's the big
that's the big difference here
is that an automated technology
has an understanding of what
weaknesses exist in common core components
they don't understand how you've
put that core component into your architecture
so they're making assumptions
that you're putting it out
on the public internet
for everybody to go play with
and that you don't have web application firewalls
and cloud flare
and you know three
at your architecture
and robotics
access controls
all protecting this device
they're making a huge assumption
just because they can query the device
and they see a weakness
so the human element
is going to do something
like where a scanner is gonna say oh
this log in field accepts escape characters
sequel injection
there's sql injection right here
it's gonna flag you for that
and what what you could be doing is
what most are doing is it
who cares about the form field
they're picking up that
they're picking up that response in json
and they're looking for a specific syntax
and when they don't get that syntax
they're for foreign
but they're doing on the inside
so they're not pushing that back out to the human
to see that
you just put some in the field
and nothing happens
the scanner does that
i think oh i could put in double quotes
i've got sql injection
it's gonna call you on something like that
where humans actually gonna go and validate
that their indeed is
sql injection
to select and do other sql things for tables
if i can't do that
it's a false positive
there's no read
that's what you paid
that's what you're paying for
i think is to really understand what
what that risk is
and not have to get a paper
and then make a whole bunch of assumptions
based on a bunch of garbage
that you got out of a scan
sorry that was a rant
no it's a good
it's a good point you know
so if you happen to be one of those rare individuals
that has more than twenty four hours in a day then yeah
spend all the time you need and save a buck right but
but for the rest of us commoners
right that let's
let's take a little bit more time
do it right and get a
get something
that is a manual approach
granted know that every pentester in the world
is going to use automation of some kind
right if i mean
shouldn't say every pen tester in the world there
i'm sure there's somebody out there
that still basically does everything manually
but i mean that you're
there is no manual
i mean even if you're typing in the command line that
that's still
you're using
you're using
you know zsh or bash or what
i mean you're still using an automation to help you
you're not going in and making your own
icmp configuration tool to do the job
you know what i mean
so absolutely
we're gonna use automation to our advantage
to help us get better data
but we're not gonna leave the robots to do the job
without any human involvement
yeah yeah well said
well hey in two minutes or less
let's talk about risks real quick
what kind of risks will organizations face
and what that should they do about them
when it comes to getting a pen test
i know a lot of people
their first one
they think hey
they could take down our whole business
so is there truth to that
yeah you know
accidents happen with
with automation
sometimes you know
sometimes a script
you don't expect a response
you know again
all these architectures are different
so yes there's
there's certainly
there's only a possibility to break something
it's not common
i think i think the
the biggest thing
is is is the unknown unknown
and i think that's probably
the other thing
is that yes we're
you know there's a potential something's gonna break
but now i'm gonna notice
risks that i didn't previously know before
so that can be i guess
you know scary
almost like
you know watching one of these horror movies right
like what's gonna come out
what's gonna come out but
but i think it's
it should be comforting to know that
a professional firm
is not going to throw rocks that can break your windows
to prove that you've got glass windows
and i think that's a bad practice
for a lot of professional firms
so if you don't
if they don't consult with you first
and talk about the scope
and a real human call
and you're setting the stuff up
who knows what you're getting into
but a professional firm should demonstrate
that the vulnerability exists
and that an exploit capability exists
without deploying the exploit in a way
that's going to destroy
or cause harm to your technologies
there's a safe way to do this
and you can
you can tell by a lot of the amateurs
that are breaking things
that's the difference in the firms
and the professional expertise
that you're going to get out there
so the robots aren't going to care
they're going to do whatever they want
so you're just cross your fingers and cross your heart
and hope to die for that
less or cheaper organizations
or again might break something
higher chance of that
professional firms gonna
gonna know how to understand the technical risk
without any
or a very small chance of harm to your systems
one of the things you have to consider too
is we've come across some firms
that go for the lowest bidder on the pen test
and that's not always the best idea
if someone's charging you fifteen hundred dollars
for a pen test
there's probably a reason for it
so be wise that's
i think that's one of the risks that's out there
is be wise in the vendor that you choose
definitely if you're in a regulated industry
recommendation would be to stick with us pen testers
throw that out there
i'm not saying
i'm not saying there's not great pentesting talent
all over the world but
the recall
yeah that's
that's a good thing to bring up
zach real quick
just as a warning
there are american united states based pen test firms
that outsource their human element to other countries
like turkey and india and fancy bear
so be careful
make sure that you're
especially if you're regulated
again if you're
if you know if you're
if you're hobo joe's crab shack
do whatever you want
but if you're regulated industry
yeah make sure that your
your human testers are are from
are from a friendly country
yeah yeah think
think about the legal recourse and all that
you know and what
you know what's going on but
well excellent hey
i hope everybody listening got something out of this
hopefully this is helpful for you if you're navigating
web application penetration test for the first time
mike laro any final words of wisdom before we jump off
mmm yeah your pen test should have
your pen tester should be able to give you
a one hour consult after the test
talk about what risk was identified
and then look through your reports
to talk about all the trivial misconfigurations that
like an automated scan found
and why they weren't a real risk to your organization
if they can't talk about the birthday attacks
or the sweet thirty two
or why there's no click jacking on your
your website
even though the scanner found it
you should probably look for another firm
are you inviting people to come
visit you in laros corner
you can always come to my corner and talk
penetration testing
aka technical assessments
yes chuckles
alright well hey
thanks so much for joining us today
and we will catch you on the next episode
be sure to share your this subscribe
do all the good stuff
let your friends know
we want to spread this information
get it out to the world
so that we can have a more secure
computing environment for everybody
great to see you
we'll talk to you soon
pick up your copy
of the cyber ants book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at silentsector com
join us next time
for another edition of the cyber rants podcast