If you are a ethical hacker, bug hunter or penetration tester, you know that time is money. Gathering information, scanning vulnerabilities, finding a bug and writing reports can be a time-consuming and boring task. So we have prepared this list with the most common vulnerabilities that are reported frequently. This can save you some budget.
1. LOGIN/LOGOUT/NEWSLETTER CSRF
This is often reported as best practice but 99% of these reports are harmless and do not describe a real security risk.
Implement a CSRF protection mechanism that applies to all forms and even protects logged out users. This will also protect against CSRF on newsletter subscription forms.
2. SSL CERTIFICATE ISSUES
Some websites require a specific SSL setup and are intentionally vulnerable to some low severity SSL attacks. Make sure to check your SSL security at the following two sites:
https://www.digicert.com/help/
https://www.ssllabs.com/ssltest/
If your company is vulnerable to a very specific SSL attack and you do not want to fix this because the likelihood of such an attack happening is very low make sure to mention this in the program policy.
Make sure that your SSL connection is completely secure, you’ll already get a lot of input from the tests mentioned above.
3. REFERENCES TO INTERNAL SERVICES/IP
Make sure that no internal IP/hosts are being disclosed publicly, this often happens in response headers, comment sections in code.
Load balancers often inject a comment at the end of an HTML page, make sure this is turned off.
Take a look at where this might occur and then remove it. Not every website deals with this and this is often caused by a third party application, so if you don’t find all leakages, no problem, the researchers will.
4. UNNECESSARY HTTP HEADERS
It often happens that services/plugins inject their own headers into the HTTP response. Causing sensitive information about your internal services being leaked to the outside world.
Check the headers in the raw HTTP response, if you notice some headers leaking information about an internal service, like X-powered-by, then make the proper changes to remove this header from the HTTP response.
5. DEFAULT INSTALLATION FILES STILL ON PRODUCTION SERVER
It happens more than often that installed plugins/services have default files that disclose a lot of information, e.g. an install path, version numbers,..
Check all folders of services/plugins and disallow public access for these default files.
6. WEAK PASSWORD POLICY
Some websites still allow users to use very simple passwords like “1234”.
Make sure you force users to use a strong password. Follow the OWASP secure password guidelines to make sure you’re using a good password policy.
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Complexity
7. DIRECTORY LISTING ENABLED
Some old or poor configured webservers tend to list the content of directories, it happens that backups or sensitive files are found this way.
Make sure that directory listing is disabled everywhere, this should be an easy configuration in your webserver.
As you know the cyber attacks is growing exponentially and statistics say that more than 4 million skilled professionals are missing from the sector.
Fortunately, to attend this demand, several tools are beginning to emerge that help the work of these ethical hackers. After all, as the workforce grows at lower levels than attacks, it is necessary to optimize and increase the efficiency of these professionals.
Skuudo is one of these new generation tools that promises to help ethical hackers in their daily work. Many of the boring manual tasks that consume a large part of a bug bounty program for example can be automated by this tool, such as writing reports, scanning for vulnerabilities or gathering information.
We are now looking for beta testers to test and help us make the initial improvements before the official launch. This can be your chance to get discounts and perks once the tool is completed. You can get early access now on the Skuudo’s website.
