Last week, five members of the MSI penetration testing team got together for a lunch-hour exercise. The results were well worth noting.
In just under an hour, the team set out to find out how many web application security issues they could identify on public sites. The rules: no search engines, no scanners and no tools other than a browser. Obviously, that meant they could only footprint the vulnerabilities, not verify or exploit them. However, since footprinting the presence of application issues is usually quite accurate, the numbers should be taken seriously.
The targets were limited to common, well-known sites, and the list was adaptive: several times the team found that a particular type of site tended to be vulnerable, and once a few sites of that type had been identified, further finds of that type were taken off the table, so to speak. This kept the count from being skewed toward one type or trend of site.
The team had decided beforehand to focus on three specific types of web application issue: SQL injection, error pages that leak too much information, and cross-site scripting. All three appear in the OWASP Top 10.
Here is what they found:
• 12 bad error pages – we were surprised there were not more of these, but a dozen was bad enough, and we were fairly stringent about what qualified: the leaked data had to be pretty egregious.
• 2 SQL injections – one revealed the underlying MySQL database in its error message; the other returned an ODBC error that exposed source code for a connection to Microsoft SQL Server.
• 28 cross-site scripting issues – these turned up so often that they kept us hopping to keep count. It seems that a great many common sites suffer from XSS vulnerabilities; no wonder attacks leveraging them have become so common.
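To make the footprinting concrete, here is an added example (not from the MSI team or the original post) that classifies response bodies the way the exercise did by eye: it flags database error text as a SQL injection indicator, flags stack traces, source paths and connection strings as error-page leakage, and checks whether a harmless probe string comes back with its angle brackets intact, which is the footprint of reflected XSS. The signature lists, the probe string and every sample body below are my own constructions, not real sites or real findings.

```python
"""Added example: passive footprinting of the three issue classes from the
exercise (verbose error pages, SQL-injection indicators, reflected XSS).
All sample bodies are constructed for illustration; signature lists are my
own and are not exhaustive."""
import re
from html import escape

# Database error text that a verbose error page tends to leak. Seeing one of
# these after a stray quote in a parameter is the classic footprint of SQL
# injection; nothing here exploits anything.
DB_ERROR_SIGNATURES = [
    ("MySQL", re.compile(
        r"You have an error in your SQL syntax|mysql_fetch_\w+\(\)"
        r"|mysqli?_(?:query|connect)\(", re.I)),
    ("Microsoft SQL Server", re.compile(
        r"\[Microsoft\]\[ODBC SQL Server Driver\]"
        r"|Unclosed quotation mark after the character string"
        r"|Incorrect syntax near", re.I)),
    ("PostgreSQL", re.compile(r"pg_query\(\)|ERROR:\s+syntax error at or near", re.I)),
    ("Oracle", re.compile(r"\bORA-\d{5}\b")),
]

# Detail that turns a generic error into an information leak.
LEAK_SIGNATURES = [
    ("stack trace", re.compile(
        r"\bat [\w.$]+\([\w.]+:\d+\)|Traceback \(most recent call last\)|Stack Trace:", re.I)),
    ("source path", re.compile(
        r"(?:[\w.-]+[/\\])+[\w.-]+\.(?:asp|aspx|php|jsp|py|rb|cs|java)\b", re.I)),
    ("connection string", re.compile(
        r"(?:Data Source|Initial Catalog|Password|Pwd|User Id|Uid)\s*=\s*[^;'\"]+;", re.I)),
]


def footprint_error_page(body: str) -> dict:
    """Classify what a response body gives away. The caller supplies HTML it
    already has in the browser; nothing is sent anywhere."""
    backends = [name for name, rx in DB_ERROR_SIGNATURES if rx.search(body)]
    leaks = [name for name, rx in LEAK_SIGNATURES if rx.search(body)]
    return {
        "backend": backends[0] if backends else None,
        "sqli_indicator": bool(backends),
        "leaks": leaks,
        "bad_error_page": bool(backends or leaks),
    }


def reflection_check(body: str, probe: str) -> str:
    """How a submitted probe comes back: 'unescaped' means the angle brackets
    survived (XSS candidate), 'escaped' means the site encoded them,
    'absent' means the input was not echoed at all."""
    if probe in body:
        return "unescaped"
    if escape(probe, quote=True) in body or escape(probe, quote=False) in body:
        return "escaped"
    return "absent"


def tally(error_pages, reflections, probe):
    """Count findings across observed responses, in the exercise's three buckets."""
    fps = [footprint_error_page(b) for b in error_pages]
    return {
        "bad error pages": sum(fp["bad_error_page"] for fp in fps),
        "sql injection indicators": sum(fp["sqli_indicator"] for fp in fps),
        "cross-site scripting candidates": sum(
            reflection_check(b, probe) == "unescaped" for b in reflections),
    }


# Constructed sample bodies (illustrative only, not from any real site).
MYSQL_PAGE = (
    "<html><body><b>Warning</b>: mysql_fetch_array() expects parameter 1 to be "
    "resource, boolean given in <b>/var/www/html/search.php</b> on line <b>17</b>"
    "<br>You have an error in your SQL syntax; check the manual that corresponds "
    "to your MySQL server version for the right syntax to use near ''' at line 1"
    "</body></html>")
ODBC_PAGE = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'<br>"
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after "
    "the character string ''.<br>/products/detail.asp, line 42<br>"
    "<pre>conn.Open \"Provider=SQLOLEDB;Data Source=dbsrv01;Initial Catalog=shop;"
    "User Id=appuser;Password=changeme;\"</pre>")
JAVA_TRACE_PAGE = (
    "<h1>HTTP Status 500</h1><pre>java.lang.NullPointerException\n"
    "\tat com.example.shop.CartServlet.doGet(CartServlet.java:88)\n"
    "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:634)</pre>")
CLEAN_PAGE = "<html><body>Something went wrong. Please try again later.</body></html>"

PROBE = "<zq8x>"  # an unknown tag: footprints XSS without carrying a payload
REFLECTED = "<p>No results for <zq8x>.</p>"
ENCODED = "<p>No results for &lt;zq8x&gt;.</p>"
NOT_ECHOED = "<p>No results.</p>"

if __name__ == "__main__":
    for name, body in [("mysql", MYSQL_PAGE), ("odbc", ODBC_PAGE),
                       ("java", JAVA_TRACE_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, footprint_error_page(body))
    for body in (REFLECTED, ENCODED, NOT_ECHOED):
        print(reflection_check(body, PROBE))
    print(tally([MYSQL_PAGE, ODBC_PAGE, JAVA_TRACE_PAGE, CLEAN_PAGE],
                [REFLECTED, ENCODED, NOT_ECHOED], PROBE))
```

This stays within the exercise's rules: the probe is an unknown tag rather than a script payload, and nothing verifies exploitability. The Java sample shows why the buckets are separate: a stack trace is a bad error page but not a SQL injection indicator. A real signature list would be far longer; treat these regexes as a starting point rather than a detector.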
There you have it – 42 vulnerabilities in under an hour! The sites identified included government sites, popular retailers and all kinds of others. I guess it just goes to show that we still have some work to do…