I will present multiple case studies to convey the message that if you think limited, you will be limited. The bug bounty approach has degraded the quality of penetration testing, for both the customers as well as the practitioners. It is hard for the customer to differentiate between a good penetration test and a quick-and-dirty top-10 or top-25 approach.
https://nsconclave.net-square.com/pentesters-mindset.html
4. I'll discuss multiple case studies to convey the message that if you think limited, you will be limited.
The Same Old Thinking
The Same Old Results
5. The survey and statistic of the ethical hacker community
- hackerone 2019
6. The 2019 Edition of the Inside the Mind of a Hacker Report
- bugcrowd 2019
7. The survey and statistic of the ethical hacker community
- hackerone 2019
8. According to the 2019 Edition of the Inside the Mind of a Hacker
Report [ largest attack surface ] - bugcrowd
9. According to a survey conducted by HackerOne in 2019, "The survey and statistic of the ethical hacker community", more than 50% of Bug Bounty hunters are focusing on XSS and SQL Injection only.
https://www.hackerone.com/sites/default/files/2019-02/the-2019-hacker-report_3.pdf
10. When asked about their favourite attack vector, technique or
method, over 38% of hackers surveyed said they prefer
searching for cross-site scripting (XSS) vulnerabilities.
That’s up from just 28% last year, and puts XSS significantly
ahead of all other attack vector preferences.
SQL injection placed second at 13.5%, while fuzzing, business
logic, and information gathering rounded out the top five.
In 2017, neither business logic nor information gathering
placed in the top 10 last year.
https://www.hackerone.com/sites/default/files/2019-02/the-2019-hacker-report_3.pdf
12. What happened with the PenTester's Mindset?
Choose any random web/mobile app VAPT report from your organization and you will find one common thing in the report.
Guess what?
"The most common thing is the well-known vulnerabilities."
SQL Injection, XSS, CSRF, IDOR, Missing Security Headers ...
13. In most analysts' testing mechanism, or mindset towards testing, the basic strategy is to intercept the HTTP request and inject single quotes ('), double quotes ("), greater-than signs (>) and less-than signs (<) to identify vulnerabilities.
While injecting those special characters, the analyst's thought process eventually leads only to findings such as XSS and SQL Injection ;)
14. backtick (`)
pipe (|)
Null character (%00)
Zalgo text ( N̯̱ ̣͇̖̦̦ ̣ͥͮͩͪ̐͑͂̈̅ͦ͋̆̔͆̀̆̀̚̚̕ )
multibyte character ( ﷽#$%&, )
Zero Width Space U+200B (ZWSP)
Carriage Return (ASCII 13), Line Feed (ASCII 10)
or other varied characters ..
Why not !!
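The point of the two slides above is that a test plan built from four ASCII characters never touches the rest of the input space. The helper below is an added example (not code from the talk; the function and flag names are our own) that classifies an input by the character classes the slide lists and then reports which classes a given test plan never sends, so the blind spot can be measured instead of guessed. It uses only the Python standard library.

```python
import unicodedata

# Constructed helper for this page (our own names, not a library API):
# the character classes that a quotes-and-angle-brackets-only test never sends.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
ALL_FLAGS = {"null", "control", "crlf", "zero_width", "combining_marks",
             "non_ascii", "shell_meta", "normalizes"}


def inspect_input(value: str) -> set[str]:
    """Return the set of unusual character classes present in value.

    null            NUL (\\x00)
    crlf            carriage return / line feed (log and header injection)
    control         any other C0/C1 control character (Unicode category Cc)
    zero_width      invisible format characters such as ZWSP U+200B
    combining_marks nonspacing marks, i.e. zalgo text (category Mn)
    non_ascii       any code point above U+007F (multibyte once UTF-8 encoded)
    shell_meta      backtick or pipe
    normalizes      NFKC normalization changes the string, so a filter that
                    runs before normalization and a consumer that runs after
                    it see different data
    """
    flags: set[str] = set()
    for ch in value:
        cat = unicodedata.category(ch)
        if ch == "\x00":
            flags.add("null")
        elif ch in "\r\n":
            flags.add("crlf")
        elif cat == "Cc":
            flags.add("control")
        if ch in ZERO_WIDTH:
            flags.add("zero_width")
        if cat == "Mn":
            flags.add("combining_marks")
        if ord(ch) > 0x7F:
            flags.add("non_ascii")
        if ch in "`|":
            flags.add("shell_meta")
    if unicodedata.normalize("NFKC", value) != value:
        flags.add("normalizes")
    return flags


def coverage_gaps(test_inputs: list[str]) -> set[str]:
    """Which classes does a test plan never exercise? Feed it the inputs a
    tester actually sends; the result is the blind spot."""
    covered: set[str] = set()
    for item in test_inputs:
        covered |= inspect_input(item)
    return ALL_FLAGS - covered


if __name__ == "__main__":
    quotes_only = ["'", '"', "<", ">"]                  # the slide 13 plan
    broader = quotes_only + ["`", "|", "\x00", "a\u200bb",
                             "N\u032f\u0331", "\ufb01", "\r\n"]
    print("quotes-only plan misses:", sorted(coverage_gaps(quotes_only)))
    print("broader plan misses:   ", sorted(coverage_gaps(broader)))
```

Run as a script it shows the quotes-only plan missing every class, and the broader plan still missing plain control characters; the same function can be pointed at a proxy's request history to audit what an engagement actually exercised.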
15. According to the Common Weakness Enumeration (CWE List version 3.4), the total number of software weaknesses is 808.
Why not !!
16. HTTP Request
1. Which part of the request is vulnerable?
2. Which vulnerability will affect the application, and on which part?
22. 1. Server to Server communication
parameter -> XML
23. Possible Vulnerability
1. XML Attacks
-> XML Injection
-> XSLT Injection [ if XSLT involved ]
-> XInclude Attack
-> XXE
-> XPath Injection [ if XPath query involved ]
-> XSS through <![CDATA[ ]]>
-> Billion laughs attack or XML Bomb [DoS]
-> Quadratic Blowup Attack
-> SSRF using XML processing
-> XML Schema Attacks
e.g. XML Schema Poisoning attack
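Most of the XML attacks listed above (XXE, billion laughs, quadratic blowup, SSRF through entities) depend on the parser honouring a DTD, and the CDATA case depends on the consumer forgetting that CDATA is still data. The following is an added example, not code from the talk, showing the defensive parser a server-to-server endpoint should use: it reimplements the defusedxml approach on the standard-library expat parser (any DOCTYPE or entity declaration aborts the parse, external entity references are refused) and escapes parsed text before rendering. The sample documents and the placeholder URL are constructed for the example.

```python
import html
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised for documents that use DTD features we refuse to process."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted peer into {'root': tag, 'text': {tag: text}}.

    Hardening, reimplemented here on the stdlib expat parser the way the
    defusedxml project does it: any DOCTYPE or entity declaration aborts the
    parse. That closes XXE, billion laughs / quadratic blowup and SSRF via
    external entities in one move. External entity references are refused
    as well, in case a DTD ever slips through.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "text": {}}
    stack: list[str] = []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed (doctype {name!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed ({name!r})")

    def forbid_external(context, base, sysid, pubid):
        return 0  # 0 tells expat to fail instead of fetching sysid

    def start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag
        stack.append(tag)
        result["text"].setdefault(tag, "")

    def chars(text):
        # CDATA arrives here too: <![CDATA[<b>]]> becomes the literal text "<b>".
        # It is still untrusted data and must be escaped when rendered.
        if stack:
            result["text"][stack[-1]] += text

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def render_text(parsed: dict, tag: str) -> str:
    """HTML-escape a parsed value before it reaches a page; this is what
    stops CDATA-smuggled markup from becoming XSS."""
    return html.escape(parsed["text"].get(tag, ""))


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents (not from the talk).
ORDER_DOC = b"<order><id>42</id><note><![CDATA[<b>hi</b>]]></note></order>"
INTERNAL_ENTITY_DOC = (b'<!DOCTYPE a [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]>'
                       b"<a>&lol2;</a>")   # billion-laughs shape, kept tiny
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE a [<!ENTITY ext SYSTEM "http://PLACEHOLDER.invalid/x">]>'
                       b"<a>&ext;</a>")     # XXE / SSRF shape; placeholder URL

if __name__ == "__main__":
    doc = parse_untrusted_xml(ORDER_DOC)
    print(doc["root"], doc["text"]["id"], render_text(doc, "note"))
    print(is_rejected(INTERNAL_ENTITY_DOC), is_rejected(EXTERNAL_ENTITY_DOC))
```

Rejecting every DOCTYPE is deliberately blunt: a partner feed that genuinely needs a DTD should be validated against a schema you ship, not one the document references.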
25. Possible Vulnerability
1. Log Entry in SQL Database
-> Blind Out-of-Band SQL Injection
2. Log Entry in Linux OS
-> Blind Out-of-Band OS Command Injection
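The lesson of slide 25 is that the logging path is a second sink: a request whose form fields are clean can still reach string-built SQL or a shell through the value that gets logged. The added example below (our own code, not the talk's; the table and header values are constructed) shows the string-built log insert next to its parameterized replacement, a probe that tells the two apart by the way a single apostrophe behaves, and a sanitizer for the file/syslog sink that neutralizes CR/LF so one request cannot forge extra log lines. It runs on the standard-library sqlite3 module.

```python
import sqlite3


def make_log_db() -> sqlite3.Connection:
    """Constructed in-memory access-log table standing in for a real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_log (ip TEXT, user_agent TEXT)")
    return conn


def log_request_vulnerable(conn: sqlite3.Connection, ip: str, user_agent: str) -> None:
    """The 'before': header text is pasted into the statement. The form
    fields of the request can be spotless; this secondary sink is the bug."""
    conn.execute(f"INSERT INTO access_log VALUES ('{ip}', '{user_agent}')")


def log_request_safe(conn: sqlite3.Connection, ip: str, user_agent: str) -> None:
    """Parameterized: the driver sends the header as data, never as SQL."""
    conn.execute("INSERT INTO access_log VALUES (?, ?)", (ip, user_agent))


def sink_is_injectable(conn: sqlite3.Connection, log_fn) -> bool:
    """A single apostrophe is the minimal probe: string-built SQL breaks on it
    (OperationalError), parameterized SQL stores it verbatim."""
    try:
        log_fn(conn, "203.0.113.7", "Mozilla/5.0 (O'Reilly test)")
    except sqlite3.OperationalError:
        return True
    return False


def stored_user_agents(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT user_agent FROM access_log")]


def sanitize_log_field(value: str) -> str:
    """For the OS-side sink (syslog, flat file): neutralize CR, LF and other
    C0/DEL controls so one request cannot forge extra log lines or terminal
    escapes. Never build a shell command from the value at all; write the
    file directly or pass an argument list, not a shell string."""
    return "".join(f"\\x{ord(c):02x}" if ord(c) < 0x20 or c == "\x7f" else c
                   for c in value)


if __name__ == "__main__":
    print("string-built sink injectable:", sink_is_injectable(make_log_db(), log_request_vulnerable))
    db = make_log_db()
    print("parameterized sink injectable:", sink_is_injectable(db, log_request_safe))
    print("stored:", stored_user_agents(db))
    print(sanitize_log_field("curl/8.0\r\n203.0.113.9 - forged line"))
```

On the review side, the thing to look for is any header, cookie or User-Agent value that reaches a logging statement built with string formatting; those are exactly the sinks a parameter-only test never reaches.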
27. Possible Vulnerability
1. LDAP Authentication
-> LDAP Injection
2. JSON Web Token (JWT)
-> Weak Symmetric Keys
-> Incorrect Composition of Encryption and Signature
-> Plaintext Leakage through Analysis of Ciphertext Length
-> Insecure Use of Elliptic Curve Encryption
-> Multiplicity of JSON Encodings
-> Substitution Attacks
-> Cross-JWT Confusion
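Several of the JWT items above (weak symmetric keys, substitution attacks, cross-JWT confusion) are failures of the verifier rather than of the token format. The added example below, written for this page and not taken from the talk, is a standard-library HS256 verifier that enforces a minimum key length, pins the algorithm instead of trusting the header, checks the signature before reading any claim, and then checks exp, iss and aud so a valid token minted for another service is not accepted. The key, timestamps, issuer URL and audience names are constructed; the minting function exists only to produce test tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MIN_HS256_KEY_BYTES = 32   # RFC 7518 section 3.2: HMAC key at least as long as the hash output


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (issuer side); used here only to build test tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes, expected_iss: str, expected_aud: str,
                 now: Optional[float] = None) -> dict:
    """Verify and return the claims, or raise ValueError.

    Order matters: reject weak keys, pin the algorithm before looking at the
    signature, check the signature before trusting any claim, then check
    exp / iss / aud so a valid token minted for another service or another
    issuer (cross-JWT confusion, substitution) is not accepted here.
    """
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("symmetric key too short for HS256")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # never let the token choose the verifier
        raise ValueError("algorithm not permitted")
    expected_sig = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("token not intended for this audience")
    return claims


def verification_result(token, key, expected_iss, expected_aud, now) -> str:
    """'ok' or the rejection reason; convenient for tests and log lines."""
    try:
        verify_hs256(token, key, expected_iss, expected_aud, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample material (not from the talk): a good key and a token
# the identity provider minted for the billing service.
KEY = b"\x11" * 32
NOW = 1_700_000_000
BILLING_TOKEN = mint_hs256({"sub": "alice", "iss": "https://idp.example", "aud": "billing",
                            "exp": NOW + 600}, KEY)
# Same body, header changed to alg=none and an empty signature.
NONE_TOKEN = _b64url(b'{"alg":"none"}') + "." + BILLING_TOKEN.split(".")[1] + "."

if __name__ == "__main__":
    print(verification_result(BILLING_TOKEN, KEY, "https://idp.example", "billing", NOW))
    print(verification_result(BILLING_TOKEN, KEY, "https://idp.example", "admin-api", NOW))
    print(verification_result(NONE_TOKEN, KEY, "https://idp.example", "billing", NOW))
    print(verification_result(BILLING_TOKEN, b"secret", "https://idp.example", "billing", NOW))
```

The second call is the cross-JWT confusion case: a perfectly valid token for the billing service is presented to an admin API, and only the audience check keeps it out.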
30. HTTP Headers
CVE-2019-5418 - File Content Disclosure on Rails
CVE-2014-6271 - Shellshock, also known as Bashdoor
31. Same question again
1. Which part of the request is vulnerable?
2. Which vulnerability will affect the application, and on which part?
32. Root cause analysis
The following factors are responsible ...
1. Training Institutes
2. Our Old Mindset
3. Quality compromised by Security firms and App vendors
40. Just imagine: as a child, you were taught that the blue circle is larger than the red. 🧒 🔵 > 🔴
If you say it enough times, you convince yourself that is the truth. ⏱ 📢
If you're told the lie enough times, it becomes part of your reality. 💯
41. And if enough people are taught the lie that the blue circle is larger than the red, now, it becomes part of the culture. 🧑🤝🧑🧑🤝🧑🧑🤝🧑🧑🤝🧑
And if that culture then passes that misinformation along to the next generation, well now it becomes tradition.
- James Wildman
42. alert(1) ≠ XSS
‘ or ‘1’=‘1 ≠ SQL Injection
Taught in trainings, you convince yourself; you're told the lie enough times; enough people are taught the lie through blogs and writeups. Now you pass that misinformation along to the next generation.
44. "A security analyst or a penetration tester only focuses on well-known vulnerabilities."
Let us understand the habitual behaviours or patterns of practice.
48. After a few days or months, it gets imprinted in our unconscious mind.
It will passively push you to take the same action without your active observation.
51. Contrasting lifestyles
It's out of scope
Do a comprehensive PT... but in 3 days' time
No commercial tools. Budget is limited
It's a Prod environment. No exploits allowed!
You can't use Linux tools, we are using Windows
Vendor doesn't support that configuration
Nobody else could figure that out
You can't explain the risk to "The Business"
It's a legacy system
It's "too critical to patch"
Provide RCA: why was it not found in the previous VAPT?
It's managed by a third party
It's an internal system
It's handled in the Cloud
It's an interim solution
It's XYZ compliant
It's encrypted communication
It's behind the firewall
It's only a pilot/proof of concept