First let me define “NetSec” as a professional, full-scope network penetration tester hell-bent on punching holes in your organization’s network. I’ve come to an interesting conclusion recently after working with NetSec folks and discussing web application exploitation with them: often they are simply doing it better.
Would you consider annotating a finding in a pen-test report whose title was something like “Cookie is missing an HttpOnly flag”? If you answered yes you probably work in modern day application security.
It is almost a thing of beauty to watch the NetSec guys I know attack an application. Their mindset is different from that of those of us in AppSec. They aren’t looking at all the components of the web application the way we AppSec guys do. To them it is just another potential opportunity to punch a hole in the network. They get tunnel vision, and it works.
Take the following scenario for example. During a penetration test, we may have found a weakness in the application where the code behaves strangely and allows us to access another user’s information. When we do, we find it holds data that is classified as Private Personal Information (PII) but really it is data that two seconds on Google or some quality time with Maltego would uncover just the same.
While the scenario above could be considered slightly dangerous, the database is still out of our reach and client-side systems are still safe from us; yet we would probably rate this finding as high risk and report it as such (PII and all).
Now consider the mentality of a network penetration tester going up against a web application. These folks are not concerned with the application’s design flaws unless it directly leads to something they can use to further their goal. The application is nothing more than a stepping-stone.
In the words of a full-scope penetration tester, [it is about] “finding something in the app that allows access to the network or a chink in the armor, information leakage, a credential to use, a directory listing or directory traversal, XSS that can be used for a client-side attack, admin bypass to get access to the app to get DB strings, and of course SQLI to extract tasty data, etc.”
My interpretation of that statement is: “if it doesn’t allow me to get in, take away sensitive data, or exploit client-side systems, I’m not interested”.
I find it fascinating that, generally speaking, if I ask a fellow AppSec colleague about a new SQLi exploitation tool or a script written to help with some form of web exploitation, I get a shrug. If I fire up an IM session with a NetSec friend, they seem to know immediately what I’m talking about.
I propose that these folks are paying attention to a smaller number of flaws, but only those that are critical in severity. NetSec seems to spend much more time focusing on the various techniques for exploiting this subset of vulnerabilities.
Whether an assessment approach is better than a penetration test approach is not at all what this article is about. Argue amongst yourselves about the value of varying methodologies.
Bottom line: if you are an application security consultant stuck while trying to compromise an application, ask your network pen-test friends for help. The difference in perspective helps us break out of a narrowed field of vision and might lead to some serious 0wnage.