Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Vulnerability Spidey Sense - Demystifying PenTesting Intuition

In Louisville, Kentucky next month at Derbycon, Daniel Crowley and I will be giving our presentation Vulnerability Spidey Sense - Demystifying PenTesting Intuition. The point of the talk will be that little mistakes and small vulnerabilities in a web application can give pointers to an attacker about where to focus their efforts. As penetration testers, we aren't fortunate enough to have an unlimited amount of time to review the security of an application, yet malicious attackers have as much time as they need to exploit a security hole. By paying attention to detail and focusing our efforts on the places that vulnerabilities are most likely to be found, we can attempt to close the gap between PenTester and attacker.

Here are some examples that might indicate further vulnerabilities in an application.

Weak password policies and security questions

Allowing users to choose weak passwords can allow an easy brute-forcing opportunity for an attacker; and weak security questions, such as prompting for the user's birthday, can be discovered through basic investigation into a user through social media. However, bad policies such as these can also indicate that the developer of an application does not understand some security best practices, and could lead to other findings deeper in an application.

Test pages and default content

Before moving an application over to production, all test pages and default content (the php info page, for example) should be removed from the web server. Default pages can be used to reconnaissance an application, and in some cases even provide additional functionality that may be useful to an attacker. Test pages that were created during the development process, even if their function doesn't prove useful to an attacker, may not be help to the same level of scrutiny from a security perspective that other portions of the application are held, providing a useful gap in the applications security for an attacker to exploit. Finding these items may also indicate that there is additional content to be found if examined carefully.

Old technology

Seeing an application that is written in ASP, or is running on IIS 5 or 6 should set off immediate warning bells during a penetration test. Seeing old technology that is still in use can be a strong indication that an application is vulnerable to old or well-known vulnerabilities. Experience or a little research can help you find well documented vulnerabilities and instructions for how to exploit them.

By watching for indicators such as these, a PenTester can more easily prioritize their tests and focus on the aspects of a system that are most vulnerable. Daniel and I will be discussing these, and many other warning signs that an application is ripe for an attack, this year at Derbycon.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo