Exploiting Time-Based RCE

In a recent penetration testing project we encountered a situation where, in order to prove exploitability and possible damage, we had to exfiltrate data from an isolated server using a time-based OS command injection attack.

The scope of the project was an API. During the testing process we identified an interesting GET request that received two parameters: the first a string and the second an ID number.

By fuzzing the string parameter, at first it looked like we had a potential SQL injection, based on the way it handled single quotes. Trying this attack vector didn’t seem successful, but when we sent the `sleep 10` command and the HTTP response returned 10 seconds later, we knew we had something. Our first thought was that this was game over for the application: we had achieved Remote Code Execution on the API server.


5 Benefits of a penetration test

Penetration testing projects are definitely fun for passionate pentesters.

However, the question is what are the real benefits of a pentest for the client company?

What is the real value of a penetration test?


Many clients have misconceptions and false assumptions about penetration testing, and they engage in this type of project for the wrong reasons, such as:

  • After a penetration test I will be safe
  • A penetration test will find all of my vulnerabilities
  • I’ve heard that pentesting is ‘sexy’ so I would like one myself

Companies that commission penetration tests for these reasons do not get the real benefits of the service and are practically throwing their money away.

From my perspective, a penetration test has the following true benefits for the client company:
