What is a Web Application Penetration Test?

The Open Web Application Security Project (OWASP) defines a web application security test as “…an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities”. This is an excellent definition of a web application penetration test, but this article will dive a bit deeper into why you should have one performed for your organization.

Overview of a Web Application Penetration Test

A web application penetration test (“web app pentest”) is a tactical assessment to uncover vulnerabilities and weaknesses within an application. It tests many aspects, of course, but the important thing to understand is that this is where a security vendor actively acts as a hacker (or attacker) and exploits potential vulnerabilities.

Benefits of a Web App Pentest

Lucid Security has experienced a large variety of applications and industries for its clients. Because of this, Lucid has a unique take on approaching an application. By and large, many security vendors focus on a single industry or niche area. While that can be absolutely beneficial, Lucid has the opportunity to view many different types of functionality, business logic, implementations, etc. This allows us to build out a robust custom methodology when testing applications. Lucid Security strives to uncover critical vulnerabilities such as injection-style vulnerabilities (i.e. cross-site scripting (XSS), SQL injection (SQLi), etc.), as well as business logic flaws where an attacker can take advantage of areas in the application to bypass intended functions.

Further, what are the practical implications or impact of a vulnerability? This is something that Lucid Security can specifically target, and is an objective that Lucid will actively seek when defined by a client during the kickoff call. It is not uncommon for a client to worry about risks such as authorization weaknesses where ‘Organization A’ could view ‘Organization B’s’ sensitive data/information. This is always a standard issue that Lucid Security attempts to identify during a web app pentest.

Lastly, Lucid Security offers, at no additional cost, a certification letter attesting that the client has received penetration testing; the client can share this document with current and potential customers in order to win further business. A common requirement these days when companies assess a vendor is penetration testing and/or vulnerability assessments.

Risks of a Web App Pentest

With all of Lucid’s articles, we try to highlight the benefits, as well as the risks, of any tactical assessment. The reason for this is that there is always room for error and for things to go wrong, especially during an active penetration test. However, there are mitigating controls and steps that can be taken to prevent such issues from arising. First off, the client will always have the opportunity to call out specifically risky areas of the application which may cause an email to be triggered, a process to be initiated, or a cost to be incurred. Further, vulnerabilities can arise that may cause disruptions/downtime. These vulnerabilities may not always be obvious, but the client is made aware of this possibility before testing begins. For this reason, Lucid recommends conducting testing in a QA or dev environment that mirrors a production build of the application.

Conclusion

A web app pentest is an important and necessary assessment to uncover potential vulnerabilities. By identifying these vulnerabilities, an organization can then remediate the issues and ensure that its clients’ data is secure. As previously mentioned, a certification letter attesting that an organization has received penetration testing can further strengthen organization/vendor relationships, as well as help develop new business.

How Lucid Security Can Help

Lucid Security consists of seasoned security professionals with decades of experience in security and penetration testing. Our unique and competent perspective enables us to enhance clients’ security environments. Please contact us today to learn more about our services and how we can make your organization more secure.

Risks of a Large Attack Surface

A common theme amongst clients when conducting penetration tests is a large attack surface. Generally, the biggest risk lies with externally exposed assets. However, the same concern applies to internal penetration tests and web application penetration tests. This blog post will briefly examine the biggest risks associated with a large attack surface.

Unknown Assets

It is not uncommon for companies to have unknown assets exposed on their networks. Historically, Lucid Security has encountered clients who have acquired other companies. As such, they assume control of the assets of the acquired company. This can lead to clients having exposed assets that they are unaware of, or that are not inventoried. If this is the case, these assets may go unpatched/unupdated, leading to further security vulnerabilities.

Test Content

It is important for organizations to continue to grow and evolve. Because of that, IT administrators may test out new software and services. While this is a great idea, unfortunately this test content may find itself exposed externally to the Internet. When software is tested and exposed to the Internet in this way, typical hardening procedures may not have been applied.

Excessive Logging Solutions Exposed

Oftentimes for development reasons, logging software is included in dev/staging environments. However, organizations may forget to exclude them from their applications or external perimeter. This can lead to information disclosures such as database information or internal server architecture.

Conclusion

Between an ever-changing security climate and regular development procedures, it is possible for organizations to expose more information/assets than necessary. For this reason, Lucid Security recommends conducting annual penetration testing and, at a minimum, quarterly external vulnerability assessments to stay on top of issues.

How Lucid Security Can Help

Lucid Security often conducts penetration testing and vulnerability assessments. Our services are catered to assist in identifying issues and help provide expert remediation advice. Contact us today to get started!

How to Remediate HTTP Response Header Information Disclosure

Lucid Security Engineers regularly encounter HTTP headers during web application or network penetration testing that reveal potentially sensitive information such as application architecture, server versions, or information about the underlying host system. These types of information disclosure vulnerabilities can be utilized by attackers to quickly determine vulnerable server versions and perform more targeted attacks. As a developer, system administrator, or IT manager you probably find these types of findings frustrating! Here’s how to remediate “HTTP Response Header Information Disclosure”:

Nginx

To remove the “Server” or “X-Powered-By” headers for an Nginx server, implement the following:

  • In the nginx.conf file, set:
    server_tokens off;
    (this hides the version number; the header still reports the bare product name)
  • In the case of a load balancer, remove the “Server” header from responses
  • To completely remove the “Server” header, compile Nginx with the Headers More module and add:
    more_clear_headers 'Server';

References

https://serverfault.com/questions/214242/can-i-hide-all-server-os-info

https://github.com/openresty/headers-more-nginx-module#readme

Apache

Like Nginx, you can either rewrite the “Server” header value or add a module to completely remove it:

  • Utilize the URL Rewrite module and configure an outbound rule to change the “Server” header value. This can also be set to a blank value.
  • To completely remove the “Server” header, utilize the StripHeaders module to rewrite all HTTP response headers.

References

http://httpd.apache.org/docs/current/mod/mod_headers.html

IIS

Microsoft IIS makes removing HTTP headers pretty easy, with the notable exception of the “Server” header. Luckily we dug around and found a way to do this on Windows Server 2016, 2019 and newer.

  • Open the web.config file in the root directory of the site and, inside the <system.web> node, add:
    <httpRuntime enableVersionHeader="false" />
  • To remove the “Server” header (Windows Server 2016/2019 and newer), configure requestFiltering under the <system.webServer> node of web.config:

    <security>
      <requestFiltering removeServerHeader="true" />
    </security>

References

https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710

https://www.ibm.com/support/pages/disabling-iis-web-banner-and-other-iis-headers
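To confirm that any of the changes above actually took effect, the following added example (not from the original post) parses a raw HTTP response and reports which disclosing headers remain and whether they still carry a version number. The header names checked and the sample responses are constructed for illustration.

```python
import re
from typing import Dict, List

# Response headers that commonly reveal server software, framework or
# version details. Names are compared case-insensitively.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version")

# A dotted number such as "1.18.0" or "10.0" inside a header value means the
# header is still leaking more than a bare product name.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Parse the header section of a raw HTTP response into a dict of
    lower-cased name -> list of values, stopping at the blank line."""
    headers: Dict[str, List[str]] = {}
    lines = raw_response.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_disclosures(raw_response: str) -> Dict[str, str]:
    """Return {header: 'version' | 'present'} for each disclosing header.
    'version' means the value carries a version number; 'present' means the
    header exists but only names the product (e.g. 'nginx' after server_tokens off)."""
    found: Dict[str, str] = {}
    for name, values in parse_headers(raw_response).items():
        if name in DISCLOSURE_HEADERS:
            joined = " ".join(values)
            found[name] = "version" if VERSION_RE.search(joined) else "present"
    return found


# Constructed sample responses (not captured from any real host).
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
          "X-Powered-By: ASP.NET\r\nX-AspNet-Version: 4.0.30319\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(resp) or "no disclosing headers")
```

Feed it the raw response captured with a proxy or `curl -i` after the change; an empty result means the remediation is complete.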

Conclusion

Fixing information disclosure issues can be painful, but we’re here to help. Hopefully this short post on how to remediate HTTP response header information disclosures was helpful. For up to 90 days after a penetration test, Lucid Security offers free retesting of discovered vulnerabilities. Reach out to us and schedule a security assessment today!