Tech Insight: The Most Common Vulnerabilities Found By Penetration Tests

Professional pen testers share which holes they find the most in clients' networks

Headlines of hacked networks and successful attack campaigns, such as the recent Anonymous attack against the top 100 universities, regularly leave organizations wondering how the bad guys got in and why it seems so easy. What common mistakes are being made in these different organizations that are being attacked? What are some of the top vulnerabilities that are being exploited to get in?

We asked a variety of penetration testers -- some working in university and business environments, and others who are full-time security consultants performing penetration tests every week for clients of all types -- which main flaws they are typically able to exploit.

Nearly every pen tester we talked to had a similar list of vulnerabilities. At the top of every list was SQL injection, cross-site scripting (XSS), or insecure websites in general. Surprising? Not really. SQL injection is the entry method we most often hear about in Anonymous' attacks. Once the Web server and the database server behind it have been compromised, it is relatively easy to abuse those servers' trust relationships and stored passwords to hop to other high-value targets.
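To make the SQL injection point concrete, here is an added example that is not from the article or from any of the pen testers quoted in it: a login lookup built by string formatting next to the same lookup with bound parameters, both run against a constructed in-memory SQLite user table. The table, the usernames and passwords, and the two payloads are all made up for illustration; the second payload shows why an injectable query is also a route to the stored credentials an attacker uses to pivot.

```python
import sqlite3


def build_user_store():
    """Constructed in-memory stand-in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, username, password):
    """Builds the statement by string formatting, so attacker input is parsed as SQL.

    Returns every (username, role) row the resulting statement selects.
    """
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def safe_lookup(conn, username, password):
    """Same query with bound parameters: the driver keeps the input as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Payloads an attacker would type into the login form (constructed for this example).
BYPASS_USER = "alice' --"  # the -- comment removes the password check entirely
DUMP_USER = "x' UNION SELECT username, password FROM users --"  # reads the credential store


def demo():
    """Run both lookups with a legitimate login and with the two payloads."""
    conn = build_user_store()
    results = {
        "legit_vulnerable": vulnerable_lookup(conn, "alice", "s3cret"),
        "bypass_vulnerable": vulnerable_lookup(conn, BYPASS_USER, "wrong"),
        "bypass_safe": safe_lookup(conn, BYPASS_USER, "wrong"),
        # Dumped credentials are what let a tester hop to other systems.
        "dump_vulnerable": sorted(vulnerable_lookup(conn, DUMP_USER, "")),
        "dump_safe": safe_lookup(conn, DUMP_USER, ""),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query, `alice' --` logs in as the admin without a password and the UNION payload returns every stored username and password; the parameterized query returns nothing for either payload because the quote and comment characters never reach the SQL parser as syntax.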

Christian von Kleist, senior security analyst at Include Security, said that Web servers are typically what he notices first during an external pen test. "Many of my pen-testing engagements have been successful only because I was able to exploit insecure Web applications on networks that were otherwise very secure," he says.

When von Kleist was asked why he thought Web applications are often full of vulnerabilities, he said it's the disconnect between those creating the software and those left to secure the network. "They work in isolation, with security having little involvement until it's too late and the [vulnerable] end result has already been deployed into production."

What else made the list? Exposed administration and management interfaces for application servers, network devices, and content management systems came up often, followed by information leaked by devices such as printers and videoconferencing systems; outdated and/or unsupported software, often with insecure default settings; and exposed Web services.

"We often find that administrative or management interfaces are available to an external attacker," says Kevin Johnson, senior security consultant at Secure Ideas. Some of the examples mentioned include Web-based management interfaces for JBoss, Tomcat, and ColdFusion, and administration services like SSH and SNMP.

Johnson said that software packages are often installed that bundle ColdFusion or JBoss servers without anyone realizing those servers include admin consoles. "These admin consoles regularly have default credentials or vulnerabilities," von Kleist said.

In addition to accidentally exposed management interfaces, pen testers are leveraging information leakage from Internet-facing network devices. Some of these exposures include printers and videoconferencing systems. With default credentials or no password set on the printers and videoconferencing systems, attackers can steal usernames, passwords, and internal IP addresses, and even launch attacks against internal systems.

Last year, HD Moore, CSO at Rapid7, demonstrated how videoconferencing systems could be easily identified through network scanning and then used to bug conference rooms. He found 5,000 systems sitting on the Internet waiting to automatically accept calls. On some of them, he was able to "listen into nearby conversations and record video of the surrounding environment -- even read e-mail from a laptop screen and passwords off of a sticky note that was 20 feet away," he said.

Secure Ideas' Johnson said that one of the worst things his team sees is the exposure of Web services or business endpoints.

"These services are often used by business partners or applications, such as mobile apps used by the marketing department," he said. "Since these endpoints are designed to be communicated with using client applications instead of directly by users, developers often feel that they require fewer controls since the application is 'trusted.'"

Why such concern over exposed Web services? Johnson said the lack of security controls makes them a great entry point for a determined attacker. During penetration tests, his team can directly demonstrate the business impact of an exploit once those services have been compromised.

The big question, of course, is how should enterprises address these issues so they don't become another statistic or feather in the cap of a pen tester? In almost every case, knowing what's on the network is critical. Security teams should be performing regular network scans to identify new systems and services as soon as they come online.

A common area where enterprises fail is knowing what's externally accessible. Capabilities need to be in place so that the organization can scan all externally facing IP addresses for new hosts and services in addition to regular vulnerability scans that would detect most of the vulnerabilities discussed. Beyond the regular scans, security needs to be more involved in the development, purchase, and deployment of Web applications -- but we all know that's much easier said than done.
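As an added example of the inventory check these last two paragraphs call for, and of the exposures described earlier (admin consoles, SSH and SNMP, printers, videoconferencing endpoints), the script below is not code from the article or from any tool it names. It parses two sets of constructed nmap grepable (-oG) lines for the same external range, reports every host or service that is present now but absent from the baseline, and flags ports that commonly correspond to management interfaces or information-leaking devices. The scan lines, the addresses and the port-to-description table are assumptions made for illustration, not real scan data.

```python
import re

# Constructed nmap grepable (-oG) output for two scans of one external range.
# These are made-up sample lines, not real scan results.
BASELINE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
"""

CURRENT_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.0.2.50 ()\tPorts: 161/open/udp//snmp///, 1720/open/tcp//h323q931///, 9100/open/tcp//jetdirect///\tIgnored State: closed (997)
"""

# Ports that, when Internet-facing, usually mean an administrative interface or a
# device that leaks information. Assumption: an illustrative list, not a complete one.
FLAGGED_PORTS = {
    ("tcp", 22): "SSH administration",
    ("udp", 161): "SNMP (device information leakage)",
    ("tcp", 631): "printer (IPP)",
    ("tcp", 1720): "H.323 videoconferencing call setup",
    ("tcp", 5060): "SIP videoconferencing/VoIP signalling",
    ("tcp", 8080): "HTTP admin console (Tomcat manager, JBoss jmx-console)",
    ("tcp", 8500): "ColdFusion administrator",
    ("tcp", 9100): "printer raw print port (JetDirect)",
}

# Each -oG port entry is port/state/protocol/owner/service/rpcinfo/version/;
# only open ports are of interest here.
PORT_ENTRY = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)")


def parse_grepable(text):
    """Return {host: {(proto, port): service}} from nmap -oG lines."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        host_ports = inventory.setdefault(host, {})
        for port, proto, service in PORT_ENTRY.findall(ports_field):
            host_ports[(proto, int(port))] = service
    return inventory


def diff_exposure(baseline_text, current_text):
    """List every open service present now that the baseline did not record."""
    baseline = parse_grepable(baseline_text)
    current = parse_grepable(current_text)
    findings = []
    for host, ports in current.items():
        known = baseline.get(host, {})
        for (proto, port), service in ports.items():
            if (proto, port) in known:
                continue
            findings.append({
                "host": host,
                "proto": proto,
                "port": port,
                "service": service,
                "new_host": host not in baseline,
                "flag": FLAGGED_PORTS.get((proto, port)),
            })
    return sorted(findings, key=lambda f: (f["host"], f["proto"], f["port"]))


def report(findings):
    """Human-readable lines; likely management interfaces are marked for follow-up."""
    lines = []
    for f in findings:
        origin = "NEW HOST" if f["new_host"] else "new service"
        marker = f" <-- {f['flag']}" if f["flag"] else ""
        lines.append(f"{origin}: {f['host']} {f['port']}/{f['proto']} ({f['service']}){marker}")
    return lines


if __name__ == "__main__":
    for line in report(diff_exposure(BASELINE_SCAN, CURRENT_SCAN)):
        print(line)
```

Run against real output (`nmap -sS -sU -oG current.gnmap <external range>`), the diff is what tells the security team that an 8080 console appeared on a known host or that a printer and a videoconferencing unit were plugged in on a public address, before a tester or an attacker finds the default credentials on them.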
