Stories from the Pentesting Trenches
This may come as a shock, but hacking in real life is nothing like the movies or tv shows. There aren’t blinking firewall boxes that show a completion percentage for your hacking progress. There aren’t fancy, 3-D visual displays of hex data. Two people never type on the same keyboard while windows flash rapidly on and off the screen. And a special light doesn't turn deep in the computer's hardware when malware activates.
In reality, penetration testing is mostly patient research. Very patient research. For every moment of excitement (in this case, “excitement” meaning the two dimensional, black and white text on the screen changes), there are hours and hours of research, coding, and troubleshooting.
Thus, we were a little apprehensive when our manager asked to sit in on the start of a penetration test one day to learn more about how it was done. We assumed it would take hours to find anything interesting, at which point, our manager would either be asleep in his chair or have moved on to other, more exciting projects, occasionally glancing back at us with a mixture of pity and amusement.
This time, though, we got lucky.
We started testing at the login screen. After testing a few default credentials, we noticed that the error message “Invalid credentials” displayed on the login form was also in the URL as a query parameter. We immediately changed the parameter in the URL to “Testing error message injection” and watched as our message was displayed in big red letters. As we explained the possible cross site scripting ramifications to our manager, we started testing HTML tags, such as “Invalid <a href=”https://craftcompliance.com”>credentials</a>” and script blocks. Sure enough, everything executed as expected.
Then, it was time for a real exploit. We updated the “Invalid credentials” error message with a few lines of JavaScript that changed the login form’s target to a server that we controlled. On the server, we programmed a quick endpoint that would simply log all incoming requests to a log file and send the user a redirect to the original login page with the traditional, non-injected “Invalid credentials” error message. Thus, we had a working reflected cross site scripting attack that utilized social engineering to capture user credentials to the application and then redirect the user to the normal error to hide our attack. And all within the first hour of the test. Needless to say, our manager was still awake… and very excited.
At that point, we called our client directly and explained the finding. A few days later, they asked us to retest the login page to validate that their update fixed the vulnerability. Security crisis averted.
Our manager went on to his other duties with a new found respect for ethical hacking and our engineers. Coincidentally, we continued the test for two more weeks after that, spending hours and hours poring over web requests and responses, JavaScript code, and documentation without finding any additional significant issues.
Moral of the story: never rely on user controllable URL parameters for error messages and sometimes exciting things happen - even when your manager is looking over your shoulder.
Security News
Kroll’s research team analyzed data breaches in 2020 and found that industries that were previously less frequently targeted have caught up. In the food and beverage industry, breach notifications rose by 1300% compared to 2019, while notifications in the construction industry rose by 800%. Other industries that saw massive spikes in notifications were utilities, entertainment, agriculture, and recreation.
Moreover, the data breach numbers across all industries continue to rise, with more data breaches in the past few weeks:
Carnival Corp, a cruise ship operator, reported that hackers gained access to their systems back in March, 2021. Affected data includes personal details of guests and employees, according to their report. The company also suffered a ransomware attack last year, but no indication so far whether or not the attacks are linked.
CVS exposed over a billion records of health related queries and events. Identified by security researchers, the data includes session ID’s, device data, and health inquiry data that could potentially be used to cross reference and identify specific user inquiries.
EA was breached, allowing hackers to get away with the source code for the new FIFA 2021 game. While no personal or player data was affected, according to reports, this is not the first time that hackers have managed to capture source code for upcoming video games.
A tech contractor with the Department of Energy and National Nuclear Security Administration reported a data breach that occurred last month in which hackers exfiltrated undisclosed documents. Little information has been shared on the nature of the breached documents, but the NNSA helps manage the safety of the United States’ nuclear stockpile.
Sometimes, though, data breaches are not a result of malicious action and simply a common, user mistake. Onewheel regretfully reported that when a new customer asked for the link to register his skateboard’s warranty, the support analyst instead emailed the inquiring customer a link to the customer’s responses to the registration form, a google sheet that included customer names, contact details, and home addresses.