Penetration Testing Report
Penetration testing is a way to assess the security level of systems, applications, mobile devices and infrastructure.
A pen test report, delivered to the customer at the end of the engagement, details all the findings and the recommendations for remediation. The report is also the evidence usually requested by the compliance frameworks that require a penetration test to be performed.
Penetration Testing Report- Executive Summary
The first part of the report includes administrative details such as:
- The purpose of the test – to identify the cyber risks facing the client’s application environment and infrastructure, and to provide recommendations for remediation.
- Start and end date of the test
- Tested assets – a breakdown of the client’s assets covered by this test (websites, APIs, networks)
- General recommendations
Penetration Testing Report- Methodology
The test described in this report was performed as a combined gray/black box penetration test, the most common arrangement.
In the Gray Box test, Redentry’s penetration testers receive limited information about the organization and its information systems. In some cases limited access to the corporate network is also provided, and the test can then be run from the position of an external or an internal attacker.
The Black Box test begins as an external test and continues as an internal test if the testers manage to penetrate the network.
Combining the two is common and requires sharing partial information with the testers.
Redentry’s penetration tests follow the methodologies published by the leading bodies in the field – OWASP, NIST and SANS.
The report includes a list of attacks carried out in the test, divided by category:
Information Gathering – Using automated tools to scan and enumerate the client’s exposed components and the technologies they are built from, for example the SSL/TLS versions a server supports. If the server still supports an old, vulnerable version, that can be leveraged in an attack on the application.
Configuration – Mapping the basic protective layers in front of websites and APIs, such as a web application firewall (WAF).
Authentication mechanism – Examining the security of the login process.
Defense Systems – Validating that mechanisms against brute force attacks and SQL injection are in place and working. These mechanisms look for suspicious behavior, such as a high volume of requests from a single IP address, and respond by blocking it automatically.
Privilege Escalation – Assessing the permissions of an ordinary user and attempting to reach restricted data by escalating those privileges.
Penetration Testing Report- Findings
The findings of the penetration test are ordered by severity, that is, by how serious the consequences would be if the weakness were exploited. Each finding includes:
- A summary of the weakness and recommendations for remediation
- The consequences of exploiting the weakness
- Proof of Concept – evidence in the form of a screenshot from the application or network
Critical Finding – Insufficient protection against Brute Force.
To perform a brute force attack, an attacker tries to log in to a user’s account with a script that submits every possible password. Without prior knowledge of the password pattern, the script starts with the shortest passwords; once every combination of a given length is exhausted it moves on to the next length, working through the lengths systematically.
Recommendations for correcting the finding:
- Limiting login attempts per account
- Requiring a second authentication factor (two-step verification)
- CAPTCHA implementation
High severity finding – Lack of a rate limiting mechanism restricting login attempts.
This weakness can be exploited by attackers to perform:
- Brute force attacks – unlimited login attempts against user accounts.
- Denial of service – flooding the server with a large number of requests until it can no longer serve legitimate users. To generate the load, attackers harness many malware-infected devices, from computers and phones to refrigerators and home security systems, into a botnet; the devices keep working normally, so their owners are unaware that their device has been conscripted into the “army of bots”. Rate limiting in the application only blunts the application-layer form of this attack (floods of expensive login requests); volumetric floods need mitigation upstream of the application.
Recommendations for correcting the weakness:
- Deploying a WAF – a web application firewall that filters requests from users attempting to exploit the website’s vulnerabilities, and that can enforce rate limits itself.
- Rate limiting by the client’s real IP address – when the application sits behind a load balancer or proxy, take the client address only from forwarding headers set by a trusted proxy, because anyone can forge such a header otherwise.
- Not storing the login attempt counter in cookies, because users control their cookies and can edit or delete them; keep the counter server-side.
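As an added example (not code from the report or from Redentry), the Python below contrasts a login handler that keeps its attempt counter in a cookie, which the attacker simply resets on every request, with one that tracks failures server-side per account and per source IP. It also shows the trusted-proxy check behind the “real IP address” recommendation, and runs the systematic brute-force loop described under the critical finding against both handlers. The user store, password, thresholds and addresses are constructed for the demonstration.

```python
"""Added example, not from the original report: login throttling done wrong
(attempt counter in a client-controlled cookie) and done right (server-side
per-account lockout plus per-IP rate limiting), with the report's brute-force
loop run against both. User, password, limits and IPs are constructed."""
import hashlib
import hmac
import itertools
import string
from collections import defaultdict

# Constructed demo user with a 3-character password so the demo finishes fast.
# Production code must use a slow salted hash (argon2id, bcrypt, scrypt).
USERS = {"alice": hashlib.sha256(b"cat").hexdigest()}

MAX_ACCOUNT_FAILURES = 5   # failures per account before lockout
LOCKOUT_SECONDS = 900      # lockout duration
MAX_IP_FAILURES = 50       # failures per source IP, any account, per IP_WINDOW
IP_WINDOW = 60


def password_ok(user, password):
    """Constant-time comparison of stored and submitted hashes."""
    stored = USERS.get(user)
    submitted = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, submitted)


class CookieCounterLogin:
    """Vulnerable: the attempt counter lives in a cookie the client controls."""

    def login(self, user, password, cookies):
        attempts = int(cookies.get("attempts", "0"))
        if attempts >= MAX_ACCOUNT_FAILURES:
            return False, cookies
        ok = password_ok(user, password)
        return ok, dict(cookies, attempts="0" if ok else str(attempts + 1))


class ServerSideLogin:
    """Hardened: failure state is kept on the server, keyed by account and source IP."""

    def __init__(self, clock):
        self.clock = clock                         # injectable clock for testing
        self.account_failures = defaultdict(list)  # user -> failure timestamps
        self.ip_failures = defaultdict(list)       # ip -> failure timestamps

    @staticmethod
    def _recent(stamps, now, window):
        stamps[:] = [t for t in stamps if now - t < window]  # drop expired entries
        return len(stamps)

    def login(self, user, password, src_ip):
        now = self.clock()
        if self._recent(self.ip_failures[src_ip], now, IP_WINDOW) >= MAX_IP_FAILURES:
            return False  # too many failures from this IP across all accounts
        if self._recent(self.account_failures[user], now, LOCKOUT_SECONDS) >= MAX_ACCOUNT_FAILURES:
            return False  # account locked; the password is not even evaluated
        ok = password_ok(user, password)
        if ok:
            self.account_failures[user].clear()
        else:
            self.account_failures[user].append(now)
            self.ip_failures[src_ip].append(now)
        return ok


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is one of our own proxies;
    otherwise a client can set the header and 'rotate' source IPs at will."""
    if remote_addr in trusted_proxies and x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def brute_force(try_password, alphabet=string.ascii_lowercase, max_len=3):
    """The attacker loop from the report: shortest candidates first, exhausting
    each length before moving on. Returns (password or None, attempts made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if try_password(candidate):
                return candidate, attempts
    return None, attempts


def attack_cookie_counter():
    """Attacker sends no cookie with each request, so the counter never advances."""
    app = CookieCounterLogin()
    return brute_force(lambda pw: app.login("alice", pw, {})[0])


def attack_server_side():
    """Same attacker against server-side lockout: shut out after five failures."""
    app = ServerSideLogin(clock=lambda: 1000.0)  # frozen clock: lockout never expires
    return brute_force(lambda pw: app.login("alice", pw, "203.0.113.7"))


def lockout_expires_demo():
    """Five failures lock alice; the right password is refused until the window passes."""
    now = [0.0]
    app = ServerSideLogin(clock=lambda: now[0])
    for _ in range(MAX_ACCOUNT_FAILURES):
        app.login("alice", "wrong", "203.0.113.7")
    refused_while_locked = app.login("alice", "cat", "203.0.113.7")
    now[0] = LOCKOUT_SECONDS + 1.0
    return refused_while_locked, app.login("alice", "cat", "203.0.113.7")


if __name__ == "__main__":
    print("cookie counter:", attack_cookie_counter())  # ('cat', 2074)
    print("server-side:   ", attack_server_side())     # (None, 18278)
```

Run stand-alone, the cookie-based handler gives up the three-letter password after 2,074 attempts, while the server-side handler locks the account after five failures and the attacker exhausts all 18,278 candidates without success. In a real deployment the failure counters live in a shared store (a Redis instance, for example) so that every application instance sees them, and the CAPTCHA or second-factor step is triggered as the per-account count approaches the limit.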
Medium severity finding – an outdated version of TLS
TLS is a cryptographic protocol that protects data from being read or modified while in transit over a network. Its most common uses are securing HTTPS websites and email traffic.
TLS 1.0 is the first version of the protocol, released in 1999. It has since been formally deprecated (together with TLS 1.1, in RFC 8996) because of serious weaknesses in the protocol and the outdated cipher suites it relies on.
Recommendation for correction – disable TLS 1.0 (and TLS 1.1) on the server and allow only TLS 1.2 or higher.
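As an added example (not the report’s own tooling), the Python below builds a server-side TLS context that accepts only TLS 1.2 and newer, maps a server’s minimum version to the severity wording used in this report, and includes the probe a tester would run to confirm whether a host still negotiates a given version. The observed minimum, host and port are placeholders, and the probe needs network access, so it is not part of the offline checks.

```python
"""Added example, not from the original report: a server-side TLS version policy
that meets the recommendation (TLS 1.2 or higher only) and a tester's probe that
offers a single TLS version to a host. Host and port values are placeholders."""
import socket
import ssl

# The versions the finding concerns; RFC 8996 deprecates both.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)

# Minimum version observed on the assessed server in this (constructed) finding.
OBSERVED_MINIMUM = ssl.TLSVersion.TLSv1


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses anything below TLS 1.2 and drops legacy cipher suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_versions_accepted(minimum_version):
    """Deprecated versions a server would still negotiate with the given floor."""
    return [v for v in LEGACY_VERSIONS if minimum_version <= v]


def report_tls_finding(minimum_version):
    """Map a version floor to the report's severity wording."""
    legacy = legacy_versions_accepted(minimum_version)
    if not legacy:
        return "pass: TLS 1.2 or higher only"
    return "medium: accepts " + ", ".join(v.name for v in legacy)


def probe_tls_version(host, port, version, timeout=5.0):
    """Tester's check: offer exactly one TLS version and see whether the server
    takes it. Returns 'accepted', 'rejected' or 'error: ...'. Certificate checks
    are disabled on purpose; only the negotiated version matters here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version in LEGACY_VERSIONS:
        # OpenSSL 3 will not complete a TLS 1.0/1.1 handshake at its default
        # security level, so the client must drop to level 0 to even offer it.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"
    except OSError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print(report_tls_finding(OBSERVED_MINIMUM))                           # medium: accepts TLSv1, TLSv1_1
    print(report_tls_finding(hardened_server_context().minimum_version))  # pass: TLS 1.2 or higher only
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2):
        print(v.name, probe_tls_version("example.com", 443, v))           # placeholder host
```

The probe is the same check a tester performs with `openssl s_client -tls1` or `-tls1_1`; a server that completes the handshake for either version reproduces this finding, and the fix is verified when only the TLS 1.2 probe is accepted.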
Low severity finding – Missing security headers.
Security headers are HTTP response headers through which a website instructs the browser how to handle its content, a sort of do’s and don’ts list. Adding them improves resistance to common attacks such as clickjacking, content-type sniffing and the injection of scripts from untrusted origins.
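As an added example (not the report’s own checker), the Python below parses raw HTTP response headers and reports which security headers are missing or too weak. The header set and thresholds are this example’s own policy choices, not anything the report specifies: HSTS with a meaningful max-age, a Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and Referrer-Policy. The sample response is constructed.

```python
"""Added example, not from the original report: audit an HTTP response for
missing or weak security headers. The required set and thresholds are this
example's policy; the sample response is constructed."""

# Headers checked and a recommended value for each (example policy).
REQUIRED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",  # force HTTPS
    "content-security-policy": "default-src 'self'",                      # restrict script origins
    "x-content-type-options": "nosniff",                                  # stop MIME sniffing
    "x-frame-options": "DENY",                                            # block clickjacking
    "referrer-policy": "strict-origin-when-cross-origin",                 # limit URL leakage
}
MIN_HSTS_AGE = 15552000  # 180 days; shorter values give little protection


def parse_headers(raw):
    """Parse raw HTTP response text into a lower-cased header dict (first value wins)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return None


def security_header_findings(headers):
    """Return a list of (severity, message) for missing or weak headers."""
    findings = []
    for name, recommended in REQUIRED.items():
        if name not in headers:
            findings.append(("low", f"missing {name}; recommend '{recommended}'"))
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_AGE:
            findings.append(("low", f"weak strict-transport-security max-age={age}"))
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("low", f"invalid x-frame-options value '{xfo}'"))
    return findings


# Constructed sample response: HSTS too short, two headers missing.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)


def audit(raw_response=SAMPLE_RESPONSE):
    """Run the check over a raw response and return its findings."""
    return security_header_findings(parse_headers(raw_response))


if __name__ == "__main__":
    for severity, message in audit():
        print(severity, message)
```

Against the sample response the audit reports a missing Content-Security-Policy, a missing Referrer-Policy and an HSTS max-age of one hour, which is the kind of evidence that backs a low severity finding; a response carrying the recommended values produces no findings.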