Penetration Testing
Introduction
Penetration testing helps ensure the security of systems by identifying vulnerabilities through simulated attacks (Antunes & Vieira, 2014). This paper will cover the basics of penetration testing (sometimes called “pentesting” (Wilhelm, 2013, p. 1)), the stages of testing, various methods for testing, and how penetration testing can be applied to specific systems such as web applications and firewalls.
Penetration Testing
Testing Stages
In “Professional Penetration Testing: Creating and Learning in a Hacking Lab”, Wilhelm (2013) references two primary frameworks for penetration tests: the Information System Security Assessment Framework (ISSAF) and the Open Source Security Testing Methodology Manual (OSSTMM). Wilhelm (2013) notes that the ISSAF is advantageous in that it provides context around how tools can be applied to specific tasks; however, he cites its lack of updates as a disadvantage of the framework. The OSSTMM does not have this problem, as it is consistently maintained, but its primary function is to serve as an auditing methodology (Wilhelm, 2013).
The ISSAF is composed of the following three phases: Planning/Preparation, Assessment, and Reporting/Clean-up/Destruction of Artifacts (OISSG, 2006). Wilhelm (2013) defines the planning and preparation phase according to the ISSAF framework but argues that it is useless and suggests that testers should use a more thorough approach to planning. Despite not recommending the planning and preparation phase, Wilhelm (2013) does recommend the assessment phase because of how detailed it is. This phase includes multiple assessments for network security, host security, application security, database security, and social engineering (OISSG, 2006). The last phase includes guidelines for how written reports should be structured and general guidance on testing hygiene (OISSG, 2006).
The OSSTMM breaks the testing process down into four steps, known as the “Four Point Process (4PP)” (ISECOM, 2010, p. 43). The first step is called induction and requires penetration testers to establish facts about both the target and the target’s environment (ISECOM, 2010). ISECOM (2010) claims that anomalies can be detected by identifying areas where the target does not appear to be influenced by its environment. The second step is called inquest and requires the penetration tester to investigate “emanations from the target” (ISECOM, 2010, p. 43). The third step is called interaction and requires the tester to stimulate the target and observe how the target responds (ISECOM, 2010). The fourth and final step is called intervention and requires the tester to manipulate the target’s environmental resources (ISECOM, 2010).
Testing Methods
Penetration testing can often be performed either manually or automatically; however, researchers have found evidence that suggests automated penetration testing tools often fall short of expectations due to the prevalence of false positives and the lack of broad coverage (Antunes & Vieira, 2014). On the other hand, manually testing thousands of potential system vulnerabilities may not be an effective use of resources (Antunes & Vieira, 2014). Antunes and Vieira (2014) suggest that the solution to this problem is for testers to develop a thorough understanding of the capabilities and limitations of their tools (in addition to multiple suggestions for the industry to improve automated penetration testing tools).
Antunes and Vieira (2014) broadly classify penetration tests into one of the following three categories: white-box testing, black-box testing, or gray-box testing. White-box testing is defined as an internal static code review (Antunes & Vieira, 2014). This code review can take several forms, such as a manual peer review of the source code or an automated review (Antunes & Vieira, 2014). Black-box testing analyzes the system from an external perspective while the program is running (Antunes & Vieira, 2014). These tests will ideally have conditions that are defined before program development even begins (Antunes & Vieira, 2014). According to Antunes and Vieira (2014), gray-box testing is an analysis of internal code as it relates to potential external inputs.
Penetration Testing Applications
Web applications have several different attack vectors that should be secured against. Wilhelm (2013) and Antunes and Vieira (2014) both mention SQL injection as a penetration testing technique for web services. SQL injection is defined by the National Institute of Standards and Technology (NIST) as “a technique used for manipulating Web services that send SQL queries to a RDBMS to alter, insert, or delete data in a database” (Singhal et al., 2007, p. A-10).
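To make the NIST definition concrete, the following Python example (added here; it is not code from the paper or from any of its cited sources) builds a constructed in-memory SQLite table and contrasts a query assembled by string concatenation with the same query using a bound parameter. The table, function names, and the constructed input string are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data so the example runs offline.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# A constructed input that is valid data but also valid SQL syntax.
# When concatenated into the query, it changes the WHERE clause's meaning.
TAUTOLOGY_INPUT = "nobody' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Build the query by concatenation: input becomes part of the SQL grammar."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Bind the input as a parameter: the driver treats it strictly as data."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = make_db()
    # Both functions behave identically on an ordinary value.
    print("vulnerable,   'bob':", lookup_vulnerable(db, "bob"))
    print("parameterized,'bob':", lookup_parameterized(db, "bob"))
    # Only the concatenated query is altered by the constructed input:
    # it returns every row instead of none.
    print("vulnerable,   tautology:", lookup_vulnerable(db, TAUTOLOGY_INPUT))
    print("parameterized,tautology:", lookup_parameterized(db, TAUTOLOGY_INPUT))
```

The same distinction (input spliced into a query string versus input passed as a value) is what a tester checks for when assessing a web service against SQL injection.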
Wilhelm (2013) also discusses cross-site scripting (XSS) as a technique where requests are “transparently rerouted to an attacker-controlled Web service, most often one that performs malicious operations” (Singhal et al., 2007, p. A-11). Other vulnerabilities discussed by Wilhelm (2013) include misconfigured authentication methods, insecure data references, misconfigured security, exposed sensitive data, and unvalidated redirects/forwards.
Antunes and Vieira (2014) discuss XPath injection as another injection technique that penetration testers should be aware of. NIST states that XPath is “used to define the parts of an XML document, using path expressions” (Singhal et al., 2007, p. C-6) and that “XML injection can occur when user input is passed directly into an XML document or stream” (Singhal et al., 2007, p. A-11).
NIST also identifies several vulnerabilities that web services are potentially exposed to (Singhal et al., 2007). In “Guide to Secure Web Services,” Singhal et al. (2007) specifically mention the following topics as some of the issues web services may be vulnerable to: transaction repudiation, credential issuance, trojan horses, compromised services, and the exploitation of covert channels.
According to NIST, firewalls are used to protect networks within a specified perimeter but are ineffective in protecting web services, which are permitted to pass through most firewalls over HTTP (Singhal et al., 2007). Firewalls are also ineffective at protecting against threats that originate from inside the network that is being protected (OISSG, 2006). Despite these two factors, firewalls are necessary to maintain the security of enabling technologies for web services (Singhal et al., 2007). Additionally, NIST does mention a sort of firewall specifically meant for web applications that can guard against threats such as SQL injection (Singhal et al., 2007).
Conclusion
Penetration testing is a crucial tool for proactively identifying potential vulnerabilities in information systems. Several frameworks and philosophies exist for testers to follow. Additionally, there are plenty of resources that comprehensively cover what kinds of threats penetration testers could potentially exploit.
References
Antunes, N., & Vieira, M. (2014). Penetration testing for web services. Computer, 47(2), 30–36. https://doi.org/10.1109/MC.2013.409
ISECOM. (2010). The Open Source Security Testing Methodology Manual. Retrieved August 11, 2024, from https://www.isecom.org/OSSTMM.3.pdf
OISSG. (2006). Information System Security Assessment Framework (ISSAF): Draft 0.2.1B. Retrieved August 10, 2024, from https://web.archive.org/web/20120825180425/https://oissg.org/files/issaf0.2.1B.pdf
Singhal, A., Winograd, T., & Scarfone, K. A. (2007). Guide to secure web services. https://doi.org/10.6028/nist.sp.800-95
Wilhelm, T. (2013). Professional penetration testing: Creating and learning in a hacking lab (M. Neely, Ed.; 2nd ed.). Syngress, an imprint of Elsevier.
© Trevor French