
10/5/2012
04:29 PM

Tech Insight: The Most Common Vulnerabilities Found By Penetration Tests

Professional pen testers share which holes they find the most in clients' networks

Headlines of hacked networks and successful attack campaigns, such as the recent Anonymous attack against the top 100 universities, regularly leave organizations wondering how the bad guys got in and why it seems so easy. What common mistakes are being made in these different organizations that are being attacked? What are some of the top vulnerabilities that are being exploited to get in?

We asked a variety of penetration testers -- some working in university and business environments, and others who are full-time security consultants performing penetration tests every week for clients of all types -- which main flaws they are typically able to exploit.

Nearly every pen tester we talked to had a similar list of vulnerabilities. At the top of every list was SQL injection, cross-site scripting (XSS), or insecure websites in general. Surprising? Not really. The entry method we most often hear about in Anonymous' exploits is SQL injection. Once the Web server and underlying database server have been compromised, it's relatively easy to exploit those servers' trust relationships and stored passwords to hop to other juicy targets.

Christian von Kleist, senior security analyst at Include Security, said that Web servers are typically what he notices first during an external pen test. "Many of my pen-testing engagements have been successful only because I was able to exploit insecure Web applications on networks that were otherwise very secure," he says.

When von Kleist was asked why he thought Web applications are often full of vulnerabilities, he said it's the disconnect between those creating the software and those left to secure the network. "They work in isolation, with security having little involvement until it's too late and the [vulnerable] end result has already been deployed into production."

What else made the list? Exposed administration and management interfaces for application servers, network devices, and content management systems came up often, followed by information leaked by devices such as printers and videoconferencing systems; outdated and/or unsupported software, often with insecure default settings; and exposed Web services.

"We often find that administrative or management interfaces are available to an external attacker," says Kevin Johnson, senior security consultant at Secure Ideas. Some of the examples mentioned include Web-based management interfaces for JBoss, Tomcat, and ColdFusion, and administration services like SSH and SNMP.

Johnson stated that software packages that include ColdFusion or JBoss servers are often installed without anyone realizing that those servers include admin consoles. "These admin consoles regularly have default credentials or vulnerabilities," Christian said.

In addition to accidentally exposed management interfaces, pen testers are leveraging information leakage from Internet-facing network devices. Some of these exposures include printers and videoconferencing systems. With default credentials or no password set on the printers and videoconferencing systems, attackers can steal usernames, passwords, and internal IP addresses, and even launch attacks against internal systems.

Last year, HD Moore, CSO at Rapid7, demonstrated how videoconferencing systems could be easily identified through network scanning and then used to bug conference rooms. He found 5,000 systems sitting on the Internet waiting to automatically accept calls. On some of them, he was able to "listen into nearby conversations and record video of the surrounding environment -- even read e-mail from a laptop screen and passwords off of a sticky note that was 20 feet away," he said.

Secure Ideas' Johnson said that one of the worst things his team sees is the exposure of Web services or business endpoints.

"These services are often used by business partners or applications, such as mobile apps used by the marketing department," he said. "Since these endpoints are designed to be communicated with using client applications instead of directly by users, developers often feel that they require fewer controls since the application is 'trusted.'"

Why such a concern over exposed Web services? Johnson said the lack of security controls makes them a great entry point for a determined attacker. During penetration tests, his team can directly show the business impact of an exploit once those services have been compromised.

The big question, of course, is how should enterprises address these issues so they don't become another statistic or feather in the cap of a pen tester? In almost every case, knowing what's on the network is critical. Security teams should be performing regular network scans to identify new systems and services as soon as they come online.

A common area where enterprises fail is knowing what's externally accessible. Capabilities need to be in place so that the organization can scan all externally facing IP addresses for new hosts and services in addition to regular vulnerability scans that would detect most of the vulnerabilities discussed. Beyond the regular scans, security needs to be more involved in the development, purchase, and deployment of Web applications -- but we all know that's much easier said than done.
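The two recommendations above (know what is externally reachable, and catch new hosts and services as soon as they appear) come down to diffing scan snapshots over time and flagging the kinds of exposures the testers describe: management interfaces such as SSH and SNMP, application-server consoles such as Tomcat and JBoss, and chatty devices such as printers. The script below is an added example, not code from the article or from any of the firms quoted in it. It assumes scan output has been normalised to one "host port/proto state service" line per port (the shape a thin wrapper around nmap or masscan output might produce); the addresses, services and port list are constructed sample data, and the port set in MANAGEMENT_PORTS is a starting point to tune for your own environment rather than an authoritative list.

```python
"""Diff two external scan snapshots and flag newly exposed management services.

Added example (not from the Dark Reading article). Assumptions: scan output has
been normalised to 'host port/proto state service' lines; hosts below are
constructed sample data in the 203.0.113.0/24 documentation range.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str


# Scanner service labels that the article singles out as administrative or
# information-leaking interfaces that should not face the Internet.
# 'jetdirect'/'ipp' cover printers; the rest are management consoles.
MANAGEMENT_SERVICES = {
    "ssh", "telnet", "snmp", "ipp", "jetdirect",
    "jboss", "tomcat-manager", "coldfusion-admin",
}

# Ports that conventionally carry app-server consoles even when the scanner
# only reports a generic label such as 'http-alt'. 161 (SNMP) and 8080
# (Tomcat/JBoss default) are well-known; treat the others as placeholders.
MANAGEMENT_PORTS = {161, 8080, 8443, 9990}

# Constructed sample snapshots: last week's scan and today's scan.
BASELINE_SCAN = """
# host port/proto state service
203.0.113.10 80/tcp open http
203.0.113.10 443/tcp open https
203.0.113.20 25/tcp open smtp
"""

CURRENT_SCAN = """
# host port/proto state service
203.0.113.10 80/tcp open http
203.0.113.10 443/tcp open https
203.0.113.10 8080/tcp open http-alt
203.0.113.20 25/tcp open smtp
203.0.113.20 22/tcp open ssh
203.0.113.30 161/udp open snmp
203.0.113.30 9100/tcp open jetdirect
203.0.113.30 23/tcp closed telnet
"""


def parse_scan(text: str) -> set[Exposure]:
    """Return the set of open (host, port, proto, service) tuples in a snapshot."""
    exposures: set[Exposure] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, state, service = line.split()[:4]
        if state != "open":          # only open ports are exposures
            continue
        port, proto = port_proto.split("/")
        exposures.add(Exposure(host, int(port), proto, service))
    return exposures


def new_hosts(baseline: set[Exposure], current: set[Exposure]) -> set[str]:
    """Hosts that answered in the current scan but not in the baseline."""
    return {e.host for e in current} - {e.host for e in baseline}


def new_exposures(baseline: set[Exposure], current: set[Exposure]) -> set[Exposure]:
    """Open services present now that were absent from the baseline."""
    return current - baseline


def flag_management(exposures: set[Exposure]) -> list[Exposure]:
    """Subset of exposures that look like management or leaky-device interfaces."""
    hits = (e for e in exposures
            if e.service in MANAGEMENT_SERVICES or e.port in MANAGEMENT_PORTS)
    return sorted(hits, key=lambda e: (e.host, e.port))


def report(baseline_text: str, current_text: str) -> dict:
    """Summarise what changed between two snapshots for the ticket/alert."""
    baseline, current = parse_scan(baseline_text), parse_scan(current_text)
    added = new_exposures(baseline, current)
    return {
        "new_hosts": sorted(new_hosts(baseline, current)),
        "new_exposures": sorted(added, key=lambda e: (e.host, e.port)),
        "flagged": flag_management(added),
    }


if __name__ == "__main__":
    summary = report(BASELINE_SCAN, CURRENT_SCAN)
    print("new hosts:", summary["new_hosts"])
    for e in summary["flagged"]:
        print(f"REVIEW {e.host}:{e.port}/{e.proto} ({e.service})")
```

Run against the constructed snapshots, the script reports one new host (203.0.113.30) and four services to review: the http-alt console on 8080, SSH on the mail host, and SNMP plus a raw printer port on the new host. In practice the baseline is the previous scan stored alongside the asset inventory, and anything in the flagged list goes to whoever owns that address for confirmation that it is meant to be reachable.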
