In Louisville, Kentucky next month at Derbycon, DanielCrowley and I will be giving our presentation Vulnerability Spidey Sense - Demystifying PenTesting Intuition. The point of the talk will be that littlemistakes and small vulnerabilities in a web application can give pointers to anattacker about where to focus their efforts. As penetration testers, we aren't fortunate enough to have an unlimitedamount of time to review the security of an application, yet maliciousattackers have as much time as they need to exploit a security hole. By paying attention to detail and focusingour efforts on the places that vulnerabilities are most likely to be found, wecan attempt to close the gap between PenTester and attacker.
Here are some examples that might indicate furthervulnerabilities in an application.
Weak passwordpolicies and security questions
Allowing users to choose weak passwords can allow an easybrute-forcing opportunity for an attacker; and weak security questions, such asprompting for the user's birthday, can be discovered through basicinvestigation into a user through social media. However, bad policies such as these can also indicate that the developerof an application does not understand some security best practices, and couldlead to other findings deeper in an application.
Test pages anddefault content
Before moving an application over to production, all testpages and default content (the phpinfo page, for example) should be removedfrom the web server. Default pages canbe used to reconnaissance an application, and in some cases even provideadditional functionality that may be useful to an attacker. Test pages that were created during the developmentprocess, even if their function doesn't prove useful to an attacker, may not behelp to the same level of scrutiny from a security perspective that otherportions of the application are held, providing a useful gap in theapplications security for an attacker to exploit. Finding these items may also indicate thatthere is additional content to be found if examined carefully.
Seeing an application that iswritten in ASP, or is running on IIS 5 or 6 should set off immediate warningbells during a penetration test. Seeingold technology that is still in use can be a strong indication that anapplication is vulnerable to old or well-known vulnerabilities. Experience or a little research can help youfind well documented vulnerabilities and instructions for how to exploit them.
By watching for indicators such asthese, a PenTester can more easily prioritize their tests and focus on the aspectsof a system that are most vulnerable. Daniel and I will be discussing these,and many other warning signs that an application is ripe for an attack, thisyear at Derbycon.