At Hootsuite, we perform penetration tests to ensure that our software and services are secure and compliant. Penetration testing (or “pen testing” for short) is a security process in which the tester attempts to exploit software using security vulnerabilities. The goal of our pen testing is preventative: to find as many security vulnerabilities in our products as possible so that our development team can fix them.

In the field of security, there is more than one type of hacker. A hacker is categorized based on their motivation. Black hat hackers are those who seek to exploit software security vulnerabilities with malicious intent. White hat hackers are those who hack in an ethical way and try to avoid causing damage to the systems they attempt to penetrate. Pen testers are white hat hackers. By understanding the mindset of black hat hackers, white hat hackers can give organizations insight into how to further harden and secure their infrastructure to reduce security threats.

A Bird’s Eye View of Pen Testing

There are many guidelines for performing pen tests. Typically, the steps are broken into 3 phases: reconnaissance, scanning, and exploitation. These steps resemble the steps that a black hat hacker would use for an attack. Here’s a summary of a common standard execution plan from pentest-standard.org:

  • Pre-Engagement: This step establishes the relation between the penetration testing team and the owner of the target software or system. Pen tester(s) and the product owner will agree to a contract including the scope of the penetration test, security concerns, compliance requirements and procedures after the system is penetrated.
  • Intelligence Gathering: Pen testers in this step will gather as much information as possible about the product or company. The information includes technical aspects of the company, such as which ports are open or what technology stack the product uses. It also includes the social and organizational aspects of the company, such as relevant personnel.
  • Threat Modelling: The pen tester and product owner will work together to define the business assets and threats. They determine the risk level of the assets through risk analysis and determine the threat agents. The pen tester and product owner will analyze each threat agent and gather information about their capabilities and motivations. For example, the pen testers and product owner will rank the network operations analyst as a higher threat than the UI designer because the network operations analyst will most likely have more knowledge of the infrastructure than the UI designer.
  • Vulnerability Analysis: With all the information established from previous steps, the pen tester can proceed to vulnerability analysis. During this step, the pen tester will poke around the web application within the scope of the penetration test.
  • Exploitation: Once a vulnerability is found, the pen tester will carefully use the vulnerability for an exploit. In web application penetration tests, it’s highly recommended to perform this step in the staging environment since there may be a vulnerability that could potentially cause significant damage.
  • Reporting: At this step, the penetration tester or team will provide a written document on their discoveries and provide risk analysis on the discoveries.

Internal vs External Penetration Testing

Both external and internal pen tests bring a lot of value to the company and stakeholders. In the world of web software-as-a-service, internal penetration tests generally focus on the web application level, so the pen test scope and pen test time are a lot smaller compared to external penetration tests. Since penetration testers are often employed in the same company as the target system’s owner, internal penetration tests require less effort on the contractual phase and more on threat modelling and vulnerability analysis. Hence, internal penetration tests can work really well in an agile workflow. These penetration tests can simulate an insider attack or a remote attacker that already has access to a part of the system or network.

An external penetration test simulates a remote attack and generally has a larger time frame to cover a broader scope. Because of the broader scope, more effort is spent on pre-engagement and intelligence gathering.

What a Pen Tester is Looking for in Your Software?

Both white hat and black hat hackers are concerned with discovering security vulnerabilities and how to exploit them. OWASP (Open Web Application Security Project) created a list of the top 10 security vulnerabilities.

OWASP Top 10

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

Discovering security vulnerabilities is where the bulk of penetration testing resides. Pen testers can then perform controlled attacks and assess the impact of the vulnerability.

Our Preferred Pen Testing Tools

Our primary tool of choice for web application penetration testing at Hootsuite is Burp Suite Pro by PortSwigger. Burp Suite Pro provides a number of tools such as network traffic and intrusion analyzers that allow you to set payloads and customize or repeat attacks. The three Burp Suite Pro tools that we use most often are Proxy, Repeater, and Intruder. Proxy allows us to intercept HTTP requests. From here, we are able to see the full HTTP request and response of the web application we are pen testing. If we want to save an HTTP request for later or repeat it, we can send the HTTP request to the Repeater tool. If we want to perform fuzzing or a brute-force attack using the HTTP request found in the Proxy tool, then we can create payloads in the Intruder tool. Combining these tools in Burp Suite allows us to do very customized attacks. To round out our arsenal, we also use nmap, Nikto, sqlmap, and Nessus Web Scanner.

Screenshot of the Intruder tool from Burp Suite. The user finished an attack that consisted of sending modified http requests from a payload list. The user fuzzed the field shown in the yellow highlight in the screenshot. The payload values used in the fuzzing are shown in the payload column.
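
Requests generated the way the Intruder paragraph describes, with one field cycling through a payload list while the rest of the request stays fixed, leave a recognizable pattern in server logs. The following Python sketch is an added example, not part of the original post; the simplified log format, the sample lines, the thresholds and the function name `find_fuzzed_fields` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Simplified access-log line (assumed format): client [time] "METHOD target PROTO" status
LINE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}$')

# Constructed sample: one client cycling the "id" field, one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 [12/Mar/2015:10:00:{s:02d} +0000] "GET /item?id=fuzz{s}&lang=en HTTP/1.1" 200'
     for s in range(8)]
    + ['198.51.100.4 [12/Mar/2015:10:00:05 +0000] "GET /item?id=3&lang=en HTTP/1.1" 200',
       '198.51.100.4 [12/Mar/2015:10:03:10 +0000] "GET /item?id=4&lang=fr HTTP/1.1" 200'])


def find_fuzzed_fields(log_text, window=timedelta(seconds=60), min_values=5):
    """Return {(client, method, path, field)} where exactly one query field took
    at least `min_values` distinct values inside `window` while all others stayed fixed."""
    events = defaultdict(list)  # (client, method, path) -> [(time, params)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, ts, method, target = m.groups()
        url = urlsplit(target)
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        events[(client, method, url.path)].append((when, params))

    findings = set()
    for key, reqs in events.items():
        reqs.sort(key=lambda r: r[0])
        for i, (start, _) in enumerate(reqs):
            # All requests from this client to this endpoint within the window.
            burst = [p for t, p in reqs[i:] if t - start <= window]
            fields = set().union(*burst)
            varying = [f for f in fields if len({p.get(f) for p in burst}) > 1]
            # One moving field plus many distinct values is the payload-list signature.
            if len(varying) == 1 and len({p.get(varying[0]) for p in burst}) >= min_values:
                findings.add(key + (varying[0],))
    return findings


if __name__ == "__main__":
    print(find_fuzzed_fields(SAMPLE_LOG))
```

This only sees fields that appear in the logged URL; catching the same pattern in POST bodies requires logging or inspecting request bodies at the application or proxy layer.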

Although you could download most of the tools yourself, there are special linux distributions such as Kali Linux that were built specifically for pen testers and computer security folks. They come preloaded with a ton of tools that will assist you in the reconnaissance, scanning, and exploitation phases, as well as reporting tools.

Getting Started as a Penetration Tester

Computer security and penetration testing are rarely taught in university programs in Canada and around the world. However, there are specialized college programs that teach network security, and penetration testing is usually a specialization under the network security banner. There are professional certifications that can help with finding a job in the field, including the CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), and the security industry standard CISSP (Certified Information Systems Security Professional).

I started penetration testing when I got to Hootsuite, using an application called Damn Vulnerable Web Application. Damn Vulnerable Web Application is exactly as described: a really damn vulnerable app that is not recommended for installation on any public facing servers. It’s a web app written in PHP 4 / 5 and MySQL 2.0, with 4 security levels (Low, Medium, High and Impossible). The sanitization and security checks change as you increase the difficulty, honing your skills.

An example of DVWA, a simple command injection on medium level security

There are many legal ways to start penetration testing, using other vulnerable web applications and war games. There are also competitions, like capture the flag. In capture the flag, one team is given a flag to store in their systems, while the other team attacks in an attempt to access it. The goal is to either protect your flag, or get in using any method possible. After a round, the teams will switch sides so everyone has an opportunity to both attack and protect.

Takeaway 

Penetration testing (and hacking in general) requires a great deal of creativity and pragmatism. You have to think outside of the box, while maintaining the methodical mindset of a test engineer as you test across several levels of abstraction. It’s best to practice on local machines you own or have permission to test on. There are a number of legal ways to practice and perform penetration tests mentioned in this blog post, so be sure to explore them. Never attempt penetration testing on a server without prior approval, because it is illegal and you can get into trouble.

The results gained from penetration tests should help you make your products and important assets more secure.

About the Author

Andy was a 2015 Winter co-op Security Developer on the Security and Compliance team. He is interested in software engineering, security, IOT, skiing, spicy food, and coffee. Follow him on Twitter @andydotleung.