Penetration testing within Latvian institutions
Recently we started co-operating with the “Digital Security Alliance” on a series of white-hat tests to reveal security issues within government institutions and the private sector. Within one week, many sites and servers were found to be vulnerable, including sites that hold personal information (clients, their addresses, unencrypted passwords, etc.), the very kind of data that motivated us to start this checkup in the first place. We’ll review one case that has already been resolved, with CERT involved in the communication in order to get the vulnerability fixed faster.
When we first started this checkup, we had no particular targets in mind: we used a Google Dork that could lead us to websites and servers with potential issues. We defined the area and keywords, and went through the results.
Going through the results, vulnerabilities of many kinds came in one by one. Directory traversal, HTTP parameter pollution, XSS and, of course, SQL injection were nothing uncommon. Even websites that look professionally made had security problems. And although PHP together with MySQL is evolving fast and has prepared statements that protect against SQL injection to a good degree, there are still so many injectable sites openly available.
It takes only a few moments to retrieve information from a database and confirm that it is vulnerable. From there it is up to the attacker how the information and access are used. Sites that store passwords in plain text usually store them together with e-mail addresses. Do you use the same password on websites and for the e-mail account itself?
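As an added illustration (example code written for this post, not code from the audited sites or from the alliance), here are the two defects above side by side with their fixes: the same lookup built by string concatenation and by a prepared statement, and salted password hashing in place of plain text. The table, e-mail addresses and passwords are constructed in memory and hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware gets faster


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256, stored as 'salt_hex$digest_hex' (never plain text)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def build_db():
    # Constructed sample data: an in-memory table shaped like the client
    # tables the post describes (hypothetical, not from any real site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", [
        ("anna@example.lv", hash_password("anna-secret")),
        ("juris@example.lv", hash_password("juris-secret")),
    ])
    return conn


def lookup_vulnerable(conn, email):
    # Input is pasted into the SQL text, so a quote in it changes the query
    # itself; a single malformed value can return every row in the table.
    sql = "SELECT email FROM clients WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, email):
    # The value is bound to a placeholder: it is only ever compared, never parsed.
    sql = "SELECT email FROM clients WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def login(conn, email, password):
    """Prepared lookup plus hash verification; no plain-text password is stored."""
    row = conn.execute("SELECT pw_hash FROM clients WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])
```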
Once the issue was detected and proven to be exploitable, we openly contacted the institution. It was a pleasure to see that the government sector is interested in such issues (we received three calls within a few hours). Within one week, the issues were resolved.
The main takeaway here: no matter whether your system is based on an open-source platform or is custom made, programmers do make mistakes. That can be due to lack of time or sleepless nights, but mistakes are made. Just recently the world’s largest CMS, WordPress, had two major issues fixed in version 4.6.1. Tens of thousands of users weren’t aware that their site and server were accessible to pretty much anyone with the right skills and tools.