The technological revolution of the last 20 years has seen cybercrime evolve as much as, if not more than, its counterpart, cybersecurity. Some recent forms of cybercrime include:
- New attack vectors
- Monetization of breaches by distributing state-of-the-art ransomware
- Data exfiltration and extortion
The combination of zero-day exploits with human-operated attacks has been a wake-up call for organizations to reduce their attack surface and to tighten their patching cadence.
A penetration test is an exercise in which ethical hackers find and exploit weaknesses in the network, infrastructure, applications, APIs, and so on, usually from a black-box or grey-box starting position. Done regularly, it is an effective way to discover vulnerabilities and weak points.
The advent of bug bounty platforms like Bugcrowd, Synack, and HackerOne has introduced an essential difference:
A penetration test is limited in time, bound by contractual agreements between the client and the penetration tester(s), as well as by the pen testers’ abilities.
In a bug bounty program, the client asks bug bounty hunters (security researchers) to identify vulnerabilities in a defined scope, often continuously throughout the year.
With the rise of social media, several well-known bug bounty hunters have released their internal tools to the public. This article focuses on the tools and methodology that penetration testers and bug bounty hunters use to find vulnerabilities.
Using penetration testing tools against systems without the explicit written permission of their owner is illegal; that written authorization is the so-called “get-out-of-jail-free card,” and every test should have it in hand before the first packet is sent.
Burp Suite Professional
Burp Suite Professional is an intercepting web proxy that sits between the client (a browser, a mobile app, or any other HTTP client) and the web application, and records all traffic that passes through it. For many years, it has been the most widely used proxy for testing web applications and APIs. Its vendor, PortSwigger, was founded by Dafydd Stuttard and employs well-known security researchers such as James Kettle. On their website, there is an interesting quote by Dafydd: “I created Burp Suite as a side project when I was working as a penetration tester a long time ago. I was lazy and wanted to automate my job. I ended up having more fun working on the software than doing actual testing, so I decided to focus on that.”
Dafydd is also the author of one of the best books available on web security, “The Web Application Hacker’s Handbook” (“WAHH” for short), published about a decade ago. The book can be considered a penetration testing tool in its own right. Dafydd made the excellent decision not to publish a third edition, but instead to create an online version called the Web Security Academy.
It is packed with technical information on web vulnerabilities and excellent online labs, and it is completely free.
More recently, PortSwigger also released an interesting certification, the Burp Suite Certified Practitioner. A few years earlier, Burp gained an embedded Chromium-based browser, which makes it easy to start testing websites without configuring proxy settings in a separate browser.
Burp Suite has three editions:
- Community: Free, but limited in functionality and performance (Intruder is rate-limited and Scanner is not included)
- Professional: Paid, with an annual price per user
- Enterprise: An enterprise web scanning solution that competes with scanning services like Detectify
Burp Professional has several essential modules:
- Burp Proxy: This module keeps a complete history of the web traffic, every HTTP request and response with full headers and bodies. Burp Proxy lets the tester intercept a request in flight, modify it, or send it to other modules such as Burp Repeater, Burp Intruder, and Burp Decoder.
- Burp Repeater: This module lets the penetration tester resend an intercepted HTTP request, changing headers and parameters to study the HTTP response and learn how the application behaves. Typical checks are removing the session cookie to test authentication, replacing it with another user’s cookie to verify the authorization controls, switching the request method, and any other manipulation the test calls for.
- Burp Intruder: This is the module the Community Edition restricts the most (it is rate-limited there), precisely because it is the most powerful and most used by penetration testers. It automates thousands of requests with different payloads and is used to brute-force directories, filenames, usernames, and passwords, as well as to exploit vulnerabilities such as insecure direct object references (IDOR) and broken object-level authorization (BOLA).
- Burp Scanner: This module is now integrated into the dashboard rather than being a separate tab. A scan is launched by right-clicking a domain or URI and selecting Scan. The scan configuration covers crawling, the audit mode, authentication (recorded login sequences), and performance settings.
- Burp Decoder: This tool encodes and decodes strings in formats such as URL, HTML, Base64, and hex, and computes hashes such as MD5 and SHA-256, so the tester can read the real contents of an encoded value.
One of the best features of Burp Professional is the BApp Store, which installs additional extensions written by PortSwigger’s researchers, bug bounty hunters, and other Burp enthusiasts. Useful examples include:
- Autorize, which automates authorization testing: it replays each HTTP request with the cookie or token of a less-privileged user (and, optionally, with no credentials at all) and reports how the application responds compared with the original
- Turbo Intruder, which sends very large numbers of requests at high speed, for example for race-condition testing
- JSON Web Tokens (JWT), which inspects the JWTs used for authentication and checks whether they are vulnerable to known attacks such as a weak signing secret or the “alg”: “none” bypass
- Add Custom Header, which adds a specific header to every request
- Flow and Logger++, which give complete insight into all HTTP requests and responses exchanged with the application, including traffic generated by other extensions
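The cookie-swapping checks described for Burp Repeater, the IDOR/BOLA use of Intruder, and the Autorize extension all come down to the same comparison loop. The following Python script is an added example, not code from PortSwigger or from the Autorize extension: it replays requests recorded from a high-privilege session with a low-privilege session cookie and with no cookie at all, and classifies each response the way Autorize reports its verdicts. The target application, its routes, session cookies, and user ids are constructed for this example (the app is an in-process function standing in for real HTTP requests), and the BOLA flaw in it is planted deliberately.

```python
import json

# Constructed session store for the stand-in application: cookie value -> identity.
SESSIONS = {
    "sess-admin": {"user_id": 1, "role": "admin"},
    "sess-alice": {"user_id": 2, "role": "user"},
    "sess-bob": {"user_id": 3, "role": "user"},
}
# Constructed order data keyed by the owning user id.
ORDERS = {2: ["order-1001", "order-1002"], 3: ["order-2002"]}


def _session_from(headers):
    """Resolves the 'session=<value>' cookie to a session record, or None."""
    cookie = headers.get("Cookie", "")
    if not cookie.startswith("session="):
        return None
    return SESSIONS.get(cookie[len("session="):])


def target_app(method, path, headers):
    """Stand-in for the application under test; returns (status, body).

    It deliberately contains one broken object-level authorization (BOLA)
    flaw: /api/users/<id>/orders never checks that the caller owns <id>.
    """
    session = _session_from(headers)
    if session is None:
        return 401, json.dumps({"error": "unauthenticated"})
    parts = path.strip("/").split("/")
    if parts == ["api", "admin", "users"]:
        if session["role"] != "admin":
            return 403, json.dumps({"error": "forbidden"})
        return 200, json.dumps({"users": sorted(s["user_id"] for s in SESSIONS.values())})
    if len(parts) == 4 and parts[:2] == ["api", "users"] and parts[3] == "orders":
        uid = int(parts[2])
        return 200, json.dumps({"orders": ORDERS.get(uid, [])})  # BOLA: no ownership check
    if parts == ["api", "me"]:
        return 200, json.dumps({"user_id": session["user_id"], "role": session["role"]})
    return 404, json.dumps({"error": "not found"})


def classify(original, replayed):
    """Autorize-style verdict for one replayed request.

    Autorize's default enforcement detector compares status code and response
    length; this version compares the whole body, which avoids a false
    'Bypassed!' when two different bodies happen to have the same length.
    """
    o_status, o_body = original
    r_status, r_body = replayed
    if r_status in (401, 403):
        return "Enforced!"
    if (r_status, r_body) == (o_status, o_body):
        return "Bypassed!"
    return "Is enforced??? (review manually)"


def replay_with_lower_privileges(app, recorded, low_priv_cookie):
    """Replays each recorded high-privilege request twice: with the
    low-privilege cookie and with no cookie at all. Returns
    {"METHOD /path": {"modified": verdict, "unauthenticated": verdict}}."""
    findings = {}
    for method, path, headers in recorded:
        original = app(method, path, headers)
        as_low = app(method, path, {**headers, "Cookie": low_priv_cookie})
        anonymous = {k: v for k, v in headers.items() if k != "Cookie"}
        as_anon = app(method, path, anonymous)
        findings[f"{method} {path}"] = {
            "modified": classify(original, as_low),
            "unauthenticated": classify(original, as_anon),
        }
    return findings


# Constructed requests, as if captured in Burp Proxy from the admin's session.
RECORDED = [
    ("GET", "/api/admin/users", {"Cookie": "session=sess-admin", "Accept": "application/json"}),
    ("GET", "/api/users/2/orders", {"Cookie": "session=sess-admin", "Accept": "application/json"}),
    ("GET", "/api/me", {"Cookie": "session=sess-admin", "Accept": "application/json"}),
]


def run_example():
    """Replays the admin's recorded requests as Bob (a normal user) and anonymously."""
    return replay_with_lower_privileges(target_app, RECORDED, "session=sess-bob")


if __name__ == "__main__":
    for request, verdicts in run_example().items():
        print(f"{request:26} modified: {verdicts['modified']:34} unauthenticated: {verdicts['unauthenticated']}")
```

Run stand-alone, the script reports /api/users/2/orders as “Bypassed!” for Bob (he receives Alice’s orders), /api/admin/users as “Enforced!”, and /api/me as needing manual review because the body legitimately differs per user; every request is “Enforced!” without a cookie. The manual-review bucket is the important one in practice: a 200 with a different body may still be a bypass (for example a partial record), so those cases go to Repeater rather than being dismissed.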
ProjectDiscovery is a more recent platform, maintained by a core team and community volunteers, that has raised seed funding led by SignalFire, with Accel and Rain Capital as major investors.
They have some fantastic support from security veterans like Caleb Sima (VP Security Databricks), Gerhard Eschelbeck (former Google CISO), Michael Coates (former Twitter CISO), Jason Chan (Netflix CISO), and Sacha Faust (Senior Manager Security Intelligence at Amazon).
ProjectDiscovery aims to be fully open-source and cloud-based. That is the strength of the platform, as it lets them offer several useful components, such as:
- Chaos: ProjectDiscovery actively collects and stores internet-wide asset data. They already hold information on 6 billion internet assets, which can be queried through their API and through a Go client published on their GitHub page. With the client, a penetration tester can request all known assets for a given domain, such as uber.com; the Chaos API returns them instantly, so the tester can decide which assets to target. For example, the following command lists the known subdomains of uber.com: chaos -d uber.com -silent
- Subfinder: This is a subdomain discovery tool that finds valid subdomains of a target using passive online sources only, so it sends no traffic to the target itself. When configured with the corresponding API keys, Subfinder can query the following sources: Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Recon.dev, Robtex, SecurityTrails, Shodan, Spyse, Threatbook, Virustotal, Zoomeye
- Nuclei: This open-source vulnerability scanner is written in Go and powered by the community. Contributors add checks as templates written in a YAML description language, which makes updating the scan templates quick and straightforward. The templates range from default credentials to unauthorized access and proof-of-concept exploits. Many penetration testers have already automated their workflow with Nuclei’s workflows to deliver consistent penetration tests. The following quote from the GitHub repository elaborates:
“For Penetration Testers – Nuclei immensely improves how you approach security assessment by augmenting the manual, repetitive processes. Consultancies are already converting their manual assessment steps with Nuclei, and it allows them to run a set of their custom assessment approach across thousands of hosts in an automated manner.
“Pen-testers get the full power of our public templates and customization capabilities to speed up their assessment process, specifically with the regression cycle where you can easily verify the fix.
- Easily create your compliance standards suite (e.g., OWASP Top 10) checklist.
- With capabilities like fuzz and workflows, complex manual steps and repetitive assessment can be easily automated with Nuclei.
- Easy to re-test vulnerability-fix by just re-running the template.”
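To make the YAML description language concrete, here is an added example template that is not taken from the nuclei-templates repository: it flags a .env file (the Laravel/Node configuration convention) served from the web root. The template id, the matcher words, and the target URL in the usage note are assumptions made for this illustration.

```yaml
id: example-exposed-dotenv

info:
  name: Exposed .env file (added example)
  author: example
  severity: high
  description: A .env file served from the web root leaks application secrets.
  tags: exposure,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    # All three matchers must hold (AND) before the finding is reported.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Any one of these key names in the body is enough (OR).
      - type: word
        part: body
        words:
          - "APP_KEY="
          - "DB_PASSWORD="
          - "AWS_SECRET_ACCESS_KEY="
        condition: or

      # Reject catch-all HTML pages that return 200 for every path.
      - type: word
        part: header
        words:
          - "text/html"
        negative: true

    # Pull the matching lines into the report so the tester can confirm impact.
    extractors:
      - type: regex
        part: body
        regex:
          - "(?m)^(APP_KEY|DB_PASSWORD|AWS_SECRET_ACCESS_KEY)=.*$"
```

Check the syntax with nuclei -validate -t exposed-dotenv.yaml, then run it with nuclei -t exposed-dotenv.yaml -u https://target.example (or pipe a list of hosts from subfinder and httpx into nuclei). Re-running the same template after the fix is exactly the regression check the quote above refers to. The negative header matcher is the caveat worth keeping: without it, a soft-404 page that happens to contain one of the words would be reported as a finding.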
In recent years, penetration testers have improved both their automation skills and their cooperation. They share their experience online and use platforms like Hack The Box, the Web Security Academy, and bug bounty programs to sharpen their skills.
Because of the complexity of modern applications, organizations cannot rely on automated scanners alone to identify all security issues. A manual approach by a skilled penetration tester with the right toolset is needed to properly understand the attack surface and its vulnerabilities.