THE BACKGROUND

Fimatix were approached by a client with a time-critical security testing requirement. Their solution was due to be audited by an external auditor, and one of the requirements was that penetration testing had to have been carried out that year.

THE APPROACH

Using penetration testing knowledge and experience, specialist tools and manual verification of issues, Fimatix strove to find and identify security issues with the application under test and its underlying environment, and also provided advice on issue remediation and the impact of the issues not being fixed from a security perspective. Additionally, Fimatix made recommendations on how the client can improve their own security test coverage and how they can incorporate security testing within their processes going forward.

THE TOOLS

In order to penetration test the web application and environment, we chose multiple tools to provide extensive testing coverage.

•  OPEN-SOURCE TOOLS - OWASP Zed Attack Proxy, ZenMap, SQLMap, OWASP Dependency-Check, Qualys SSL Server Labs.

•  COMMERCIAL TOOLS - Fortify WebInspect, Burp Suite Professional.

THE FINDINGS

The test found multiple issues and useful findings. Identified application security issues included user sessions with no timeout set, no client-side or server-side validation / limits on field input allowing malicious code entry with potential to causes CPU / memory exhaustion issues and restricted content on the filesystem available through traversing system URLs. Identified environmental issues included the use of the vulnerable Point-to-Point Tunnelling Protocol (PPTP), support for weak TLS protocols and identified third-party component issues such as using insecure versions of Payara Server Enterprise.

THE RECOMMENDATIONS GOING FORWARD

In addition to recommending that the issues identified be fixed by the appropriate configuration and code changes, the following future recommendations were made to the client to help apply security testing process at levels beyond black box penetration testing with DAST (Dynamic Application Security Testing) tools.

•  SAST (Static Application Security Testing) - SAST is a testing method designed to analyse the application source code for security vulnerabilities, which means we do not need to dynamically run the web application to perform it. We advised that tools such as SonarQube, Veracode, Fortify Static Code Analyzer or open-source Find Security Bugs should be used regularly to proactively check code for security issues in the DevOps pipeline.

•  SCA (Software Composition Analysis) - In accordance with the OWASP Top Ten category A06:2021 - Vulnerable and Outdated Components, this penetration test included the use of OWASP Dependency-Check for SCA which is useful for identifying vulnerabilities in third-party components used in the code. We advised this should be used on a regular basis to keep all third-party components used secure and up-to-date.

THE OUTCOME

The security defects found against the application under test and supporting environment were fixed and retested and the final penetration testing report was provided to help meet the audit requirement. The client was also able to make the aforementioned process improvements to help improve security issue detection within their development process.