A crazy thing happened at work. I’ve been interested in Application Security
and pentesting for almost 2 years now, but only recently have I become
more active in order to gain knowledge.
They knew this at work, so I called for a 1:1 with my supervisor and asked:
“What if I’d take ownership of our application’s security?”
I had prepared some notes on why I want to do this (self-development, motivation)
and why it is good for the product & company (big customers will, at the very least, want to know where
and how their data is stored and retained), but to my surprise,
before I could even start vouching for myself, the answer was:
“Yes, we’d love that to happen.”
I was quite surprised by the answer, but their reasons were very similar to what I was about to say.
Win-win, right?
After some internal celebration (while keeping a straight face), I started to make plans
on what I’d like to do in my new position.
The Pentest
As the 0th step, I started to pentest our application. I didn’t expect
any mind-blowing results, since I’m biased by knowing the internals and I’m
not yet good enough to find non-obvious issues. For the record, and without giving away too much:
the application is using Angular on the client and Django on the server, all on AWS.
With this in mind, I still went ahead and did it, and I was quite pleased, because:
- I could run my first ever brute-force attempt on a real site. I didn’t get the password
for the account I was using, but that doesn’t make it any less of an issue.
The command I used is: hydra -l [email protected] -P ~/Downloads/rockyou.txt xxx.xxx.xxx.xxx http-post-form '/oauth/token:username=^USER^&grant_type=password&password=^PASS^:Unauthorized' -V
- I implemented a CSRF and a Clickjacking PoC. CSRF couldn’t be exploited, but due to a missing
X-Frame-Options header, the Clickjacking PoC worked, YAY! I also made a note that the original site is sub.domain.com,
and sub-domain.com is available, so it’d be easy to fool someone.
- I tested every single user input field I found for XSS, with all the wonky characters you can imagine (and even emojis). I must say I was impressed when nothing I tried worked. I also tried uploading avatars with names like
-1.jpg" onerror="alert(1)"
but again, it was all sanitized.
- SQL Injection didn’t work, but I wasn’t expecting it to anyway.
- I found 3 CVEs for our dependencies, but they all relied on certain configurations which
we didn’t have. Lucky us, I guess?
- I did find a couple of misconfiguration issues, and a way of triggering an Internal Server Error
with a file upload, which sounds interesting; maybe I could do something with it.
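The clickjacking finding above comes down to one response header. Here is an added example (my own code, not from the original post or the application it describes) of the check a defender would automate before and after the fix: it decides whether a response could be loaded in a third-party iframe, honouring both X-Frame-Options and the newer Content-Security-Policy frame-ancestors directive. The header sets at the bottom are constructed samples, not captures from the real site. The Django names in the comment (XFrameOptionsMiddleware, X_FRAME_OPTIONS) are the real ones.

```python
"""Decide whether an HTTP response may be framed by an arbitrary origin.

A page that can be framed cross-origin is exposed to clickjacking. Modern
browsers honour CSP frame-ancestors over X-Frame-Options, so both are checked.
"""
from typing import Mapping


def framing_allowed(headers: Mapping[str, str]) -> bool:
    """Return True if a page on another origin could iframe this response."""
    # Header names are case-insensitive; normalise before looking anything up.
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # CSP frame-ancestors wins when present (browsers ignore XFO in that case).
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # 'none', 'self', or an explicit allow-list all block arbitrary
            # framing; only a wildcard leaves the page open to anyone.
            return "*" in sources

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False

    # No protective header at all: this is the state the pentest found.
    return True


def audit(name: str, headers: Mapping[str, str]) -> dict:
    """Produce a small report entry for one response, as a pentest note would."""
    return {
        "page": name,
        "framing_allowed": framing_allowed(headers),
        "finding": ("Clickjacking: response can be framed cross-origin"
                    if framing_allowed(headers) else None),
    }


# Constructed sample responses (not captured from any real application).
VULNERABLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

# The fix on a Django backend (real middleware and setting names): enable
# 'django.middleware.clickjacking.XFrameOptionsMiddleware' in MIDDLEWARE and
# set X_FRAME_OPTIONS = 'DENY'; Django then adds the header to every response.
DJANGO_CLICKJACKING_FIX = {
    "MIDDLEWARE": ["django.middleware.clickjacking.XFrameOptionsMiddleware"],
    "X_FRAME_OPTIONS": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("before", VULNERABLE_HEADERS), ("after", HARDENED_HEADERS)):
        print(audit(label, hdrs))
```

Running the module prints one report line for the constructed "before" and "after" responses; pointing `audit` at the headers of a real response (for example from `requests.get(...).headers`) gives the same verdict for a live page.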
You know what they say:
“If you failed a pentest, you know where your biggest vulnerabilities are; if you passed one, it doesn’t mean you’re secure, but instead it means you don’t know what your weaknesses are.”
While I really enjoyed doing the above, and will carry on doing it for a couple of days to see if I can find anything
meaningful, I’d like to involve an external pentester team at some point.
What’s next?
The next step is to write my first ever pentest report, which I’m looking forward to; there are a couple of
good templates in this repo that I plan
to borrow some inspiration from.
I received some advice as well, and one piece of it I think is probably the most important:
… Which means first you need to build solid relationships with your development teams. You want them to feel comfortable. You want them to feel they won’t be slowed down coming to you. It needs to be a clean/good process for both sides.
Since I’m still part of the development team, I think this one is going to be relatively easy, but I think it is a very crucial part of one’s success as a security enthusiast.
The other is not so much advice as a good starting point: the “Your code”, “Your application”,
and “Your product users” sections in the SaaS CTO Checklist will help you come up with the basics, and will point you to things you should learn about.
Summary
If you want to be involved with the security aspect of the software you’re working on,
try to make the first step! I was surprised this was all it took, yet here I am, and I think you can do this too!
Especially if you’re working at a smaller firm, I think security is even more important, since if they lose
the trust of their users, it can mean the end of their company, whereas larger companies (ever heard of Equifax?)
can survive breaches, either because they have the money to endure while they rebuild trust, or
because they have something else that makes them resilient to losing customers.
As I’m celebrating this new position, please accept my virtual or a (even a if that’s your game)!
And as always, thanks for reading