I occasionally see the terms Vulnerability Assessment and Penetration Test used interchangeably, or worse, phrases such as “Automated Penetration Test” – something that really pains me, as there are very distinct types of assessment. In this article I’d like to show the distinctions between the different types of assessment. Setting aside any argument of specific terminology, I aim to explain the different approaches that can be taken and the aims of each – regardless of what you choose to call them. I aim to assist companies engage with their security assessment providers to ensure that the service they’re getting is what they are expecting and so that they are aware of the alternatives.
“Which SSL ciphers should I disable?”
A client recently gave me a list of their supported ciphers and asked me which SSL ciphers they should disable – effectively looking for the most secure SSL ciphers they can use. Instead of the fast answer of “disable the insecure ones”, I thought I’d try and write up something useful.
So here’s a handy reference guide I’m working on. This has been time consuming to develop and no doubt will be added to over time. This isn’t intended to be read from start-to-finish, but is more of a handy SSL/TLS issue cheat-sheet.
This is an advanced Cross-site Scripting (XSS) post, if you’re new to XSS maybe try this one first: What is Cross-site Scripting?
During Penetration Tests I often see testers utilising Cross-site Scripting attacks, popping an alert(1) and stopping there; additionally looking through the payloads used by other testers I often find one area missing. So if you’re a tester, think of the payloads that you deploy and think how you are testing for the type of vulnerability described below:
This is an advanced SQL Injection (SQLi) post, if you’re new to SQLi maybe try this one first: Basics and Defence
Recently I had a fairly slow Time-Based SQL injection vulnerability, meaning that I could only pull a single character at a time with SQLmap and each character took around 10 seconds to retrieve. An alternative approach in this situation is to use out-of-band retrieval. This is a concept that can be used when exploiting lots of vulnerabilities such as SQL Injection, Command Injection, Cross-site Scripting and XML External Entity Injection.
The idea is fairly simple, instead of capturing the data you would like to retrieve and extracting it through Boolean-logic you can request the system to transmit the data over a protocol such as HTTP, SMB or DNS.