Penetration Testing with Kali Linux OffSec
|
|
Listing 28 - Pertinent Details
Next, we’ll prepare the long-form Executive Summary. This is a written summary of the testing that provides a high-level overview of each step of the engagement and establishes severity, context, and a “worst-case scenario” for the key findings from the testing. It’s important not to undersell or oversell the vulnerabilities. We want the client’s mental model of their security posture to be accurate. For example, if we’ve found an SQL injection that enables credit card details to be stolen, then that represents a very different severity than if we’ve found an authentication bypass on a system hosting public data. We would certainly emphasize the former in the Executive Summary, but we may not highlight the latter in this section. We should make note of any trends that were observed in the testing to provide strategic advice. The executive doesn’t need to be given the full technical details in this section, and technical staff will be able to find them as each vulnerability will be expanded upon in later sections of the report. What we can do, however, is to describe the trends we’ve identified and validate our concerns with summaries of one or two of the more important related findings. To highlight trends, we want to group findings with similar vulnerabilities. Many vulnerabilities of the same type generally show a failure in that particular area. For example, if we find stored and reflected XSS, along with SQL injection and file upload vulnerabilities, then user input is clearly not being properly sanitized across the board. This must be fixed at a systemic level. This section is an appropriate place to inform the client of a systemic failure, and we can recommend the necessary process changes as the remediation. In this example, we may encourage the client to provide proper security training for their developers. It is useful to mention things that the client has done well. This is especially true because while management may be paying for the engagement, our working relationship is often with the technical security teams. We want to make sure that they are not personally looked down upon. Even those penetration tests that find severe vulnerabilities will likely also identify one or two areas that were hardened. Including those areas will soften the impact on people, and make the client more accepting of the report as a whole. The Executive Summary can generally be broken down as follows: First we include a few sentences describing the engagement: - "The Client hired OffSec to conduct a penetration test of their kali.org web application in October of 2025. The test was conducted from a remote IP between the hours of 9 AM and 5 PM, with no users provided by the Client." Listing 29 - Describing the Engagement Next, we add several sentences that talk about some effective hardening we observed: - "The application had many forms of hardening in place. First, OffSec was unable to upload malicious files due to the strong filtering Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 105 in place. OffSec was also unable to brute force user accounts because of the robust lockout policy in place. Finally, the strong password policy made trivial password attacks unlikely to succeed. This points to a commendable culture of user account protections." Listing 30 - Identifying the positives Notice the language here. We do not say something like “It was impossible to upload malicious files”, because we cannot make absolute claims without absolute evidence. We were given a limited time and resource budget to perform our engagement and we ourselves are fallible. We must be careful to make sure our language does not preclude the possibility that we were simply unable to find a flaw that does actually exist and remains undetected. Next, we introduce a discussion of the vulnerabilities discovered: - "However, there were still areas of concern within the application. OffSec was able to inject arbitrary JavaScript into the browser of an unwitting victim that would then be run in the context of that victim. In conjuction with the username enumeration on the login field, there seems to be a trend of unsanitized user input compounded by verbose error messages being returned to the user. This can lead to some impactful issues, such as password or session stealing. It is recommended that all input and error messages that are returned to the user be sanitized and made generic to prevent this class of issue from cropping up." Yüklə Dostları ilə paylaş:
|