inside the man

Tuesday, October 25, 2005

Inside a penetration testing shop

It's one thing to build Nessus on your Linux box, enable every test, enter a target IP, click go, and watch the progress bar grow. After hundreds of thousands of Ethernet TX/RX LED flickers, Nessus will present you with a nicely formatted report of every vulnerability it discovered, including an inevitable rash of false positives. It is an entirely different thing to have a well trained and well equipped team of white hat hackers try to break into your critical web-based systems. Do not get me wrong: Nessus is a spectacular information security tool, but just as people are better than computers at playing the game of go, people are better than automated tools at uncovering system vulnerabilities. A scanner can only report the patterns it has been taught to recognize; application-specific injection points and business-logic flaws are where a human tester earns the fee. This is especially true in the realm of web application vulnerabilities, where the available tools have not reached the level of sophistication that Nessus and its commercial counterparts have for general remote host audits.

Jeremiah Grossman has a column on BetaNews that gives an inside look into his web application security outfit, WhiteHat Security. Here is an excerpt.

"With the necessary paperwork signed and account credentials generated, we were ready to go. The URL and username/password were revealed to the racers and the symbolic green flag dropped. The next several seconds we heard nothing but mouse clicks and keyboard tapping.

From past experience we've learned that the fastest way to victory is to target the search boxes first and try for a speedy XSS win. Search boxes are notorious for such insecurities. It's a cheap trick, but it works. Next, it's best to look for input parameters and determine if any of them echo URL query data, indicating another potential spot for XSS.

The first 60 seconds of the race flew by. Nervousness set in because we knew that at any moment someone was going to claim speed-hack victory. Bill Pennington (WhiteHat's VP of Services), in what is becoming a trend, identified the first vulnerability (XSS) in about 1 minute 30 seconds. In classic style, we cried foul because he could arguably only exploit himself with XSS and represented no further risk."
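The opening move the column describes, hitting search boxes and any parameter that echoes query data, is easy to mechanize as a first pass. The following is an added example, not code from the column or from WhiteHat Security: it replaces each query parameter with a random canary that closes an attribute and opens a tag, then reports whether the response echoes the canary raw, echoes it transformed (for instance HTML-encoded), or not at all. The two search handlers, the `local_fetch` adapter and the `search.example` URL are constructed stand-ins so the script runs offline; against a live target, `fetch` would wrap an HTTP client instead.

```python
import html
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def make_canary():
    """Return (marker, tag): a marker that closes an attribute and opens a
    tag, plus the random suffix that makes this probe distinguishable from
    anything already on the page (avoids false positives from static text)."""
    tag = secrets.token_hex(4)
    return f'"><c{tag}>', tag


def probe(url, fetch):
    """Substitute a canary into each query parameter of `url`, one at a time,
    and classify how the response reflects it.

    `fetch(url) -> body` is the transport. For a live target it would be
    something like `lambda u: requests.get(u).text` (hypothetical, not used
    here so the example runs offline).
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = {}
    for i, (name, _value) in enumerate(params):
        marker, tag = make_canary()
        mutated = list(params)
        mutated[i] = (name, marker)
        probe_url = urlunsplit(parts._replace(query=urlencode(mutated)))
        body = fetch(probe_url)
        if marker in body:
            findings[name] = "reflected-raw"        # candidate reflected XSS
        elif tag in body:
            findings[name] = "reflected-encoded"    # echoed, but transformed
        else:
            findings[name] = "not-reflected"
    return findings


# Constructed stand-ins for a site's search page (not a real application).
def vulnerable_search(params):
    # Echoes the search term straight into the markup: the weak pattern.
    q = params.get("q", "")
    return f"<html><body><h1>Results for {q}</h1><p>0 hits</p></body></html>"


def hardened_search(params):
    # Same page with output encoding applied before the term reaches the HTML.
    q = html.escape(params.get("q", ""), quote=True)
    return f"<html><body><h1>Results for {q}</h1><p>0 hits</p></body></html>"


def local_fetch(handler):
    """Adapt a handler that takes a dict of query parameters to the
    fetch(url) interface probe() expects, so no network is needed."""
    def fetch(url):
        query = urlsplit(url).query
        return handler(dict(parse_qsl(query, keep_blank_values=True)))
    return fetch


if __name__ == "__main__":
    target = "http://search.example/results?q=shoes&page=1"  # hypothetical URL
    print(probe(target, local_fetch(vulnerable_search)))
    print(probe(target, local_fetch(hardened_search)))
```

A `reflected-raw` result is a lead, not a finding: whether a payload executes depends on the context the echo lands in (text node, attribute value, script block) and on filtering the canary did not exercise. The quip in the excerpt about only exploiting oneself is the standard objection to a reflected XSS proof of concept: the payload runs in the browser of whoever can be induced to load the crafted URL, so the tester's own demonstration shows the bug but not a victim.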


About Me

Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.