When was your last penetration test?

Penetration testing is an essential tool in the armory against hackers and a practical way to verify your website security. During a penetration test the security of your website is evaluated by simulating an attack from malicious hackers. The penetration tester analyzes and probes the website, with its owner's written authorization and within an agreed scope, for any exploitable vulnerabilities and weaknesses.

Although from a theoretical point of view you may consider your website security to be sufficient, a penetration test puts that belief to an empirical test. It is therefore important that website owners and system administrators ensure that penetration tests are performed at least annually, and again after any significant change to the site or its infrastructure.

For websites and organizations that must comply with the Payment Card Industry Data Security Standard (PCI DSS), the information security standard for organizations that handle debit and credit cardholder data, penetration testing is not optional: the standard explicitly requires it, at least annually and after significant changes, and an organization that cannot show it has been performed will not be assessed as compliant.

During a penetration test the tester will attempt to breach the website security using a number of different methods and tactics. (The penetration tester is a different role from the PCI DSS Qualified Security Assessor, or QSA, who audits an organization's compliance with the standard rather than attacking the site.) Typical tests include:

  • URL manipulation – Most websites use parameterized URLs to perform their various functions, such as searching, purchasing, signing in and out, and adding comments or user reviews. The tester manually alters these URLs (parameter values, record identifiers, paths) to try to perform unauthorized actions or to reach restricted sections of the website, for example by changing an account or order number in a URL to one that belongs to another user.
  • SQL injection – Entering SQL fragments into web form fields or URL parameters so that they become part of a database query that the application builds by string concatenation. A successful injection lets the tester read or modify the underlying database, bypass authentication, or provoke an error that reveals data and structural information about the tables. The standard defense is to build every query with parameterized statements rather than by concatenating user input.
  • Cross-site scripting – Injecting scripts (usually JavaScript) into pages that the website later serves to other users. A successful injection runs in the victim's browser with the victim's session, so the tester can steal session cookies or perform actions as that user. It does not by itself give the attacker elevated privileges on the server, but it lets the attacker act as any user who views the injected page, including administrators.
  • Session hijacking – A variety of techniques to make the website treat a request as coming from a valid, authenticated user: stealing or guessing session cookies, and using packet sniffers to capture session identifiers sent to a logged-in user over an unencrypted connection. Serving the whole authenticated session over HTTPS and marking session cookies Secure and HttpOnly closes most of these paths.
  • Web server configuration – Tests on the configuration of the web server, including file permissions, access privileges, directory listings and exposed administrative interfaces.
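
The SQL injection item above, as an added worked example that is not code from the original article or from ArtSec Group: a login check written by concatenating user input into the query, beside the same check written with a parameterized query, both run against a constructed in-memory SQLite table. The table, the two accounts and the payloads are all made up for the illustration, and passwords are stored in clear text only to keep it short.

```python
import sqlite3

# Constructed sample data for the demonstration; not real credentials.
# Passwords are stored in clear text only to keep the example short; a real
# application would store password hashes.
USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def build_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """Authenticate by building the SQL statement from user input.

    Whatever the user types becomes part of the statement text, so a quote
    character in the input changes the query's structure. This is the defect
    a penetration tester probes for.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Authenticate with a parameterized query.

    The statement text is fixed; the driver passes the values separately, so
    the same payloads are compared literally against the stored strings and
    never alter the query.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Payloads a tester would try, each turning the concatenated query into
# something the developer did not intend.
BYPASS_USER = "alice' --"              # comments out the password check
ALWAYS_TRUE = "' OR '1'='1"            # tautology that matches every row
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"  # leaks table definitions


if __name__ == "__main__":
    db = build_db()
    print("legitimate login:", login_vulnerable(db, "alice", "s3cret"))
    print("auth bypass:     ", login_vulnerable(db, BYPASS_USER, "wrong"))
    print("every account:   ", login_vulnerable(db, ALWAYS_TRUE, ALWAYS_TRUE))
    print("schema leak:     ", login_vulnerable(db, SCHEMA_DUMP, "x"))
    print("same payloads against the parameterized query:",
          login_safe(db, BYPASS_USER, "wrong"),
          login_safe(db, SCHEMA_DUMP, "x"))
```

The third payload shows the "structural information" point: with a UNION the tester reads the table definitions straight out of SQLite's own catalog, and in a real engagement that schema becomes the map for the next round of queries. The same three inputs against the parameterized version return nothing, because the quotes and keywords never reach the SQL parser as code.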

There are different levels of penetration testing depending on how much implementation detail the tester is given. In black box penetration testing the tester has no prior knowledge of the website being tested and must analyze it from the outside to understand its structure and components (how the site is deployed, which database and web server it uses, and so on). With white box testing the tester is given extensive information about the website, including its source code and database details. Between the two, grey box testing gives the tester partial knowledge, typically an ordinary user account and an outline of the architecture.

Black box testing closely simulates an attack from a hacker who is not familiar with the website, whereas white box testing simulates what might happen during an attack from a disgruntled employee or after the website details (possibly including the source code) have been leaked.

Whichever type of penetration test is performed, the result is a report of the vulnerabilities found, their severity, and how to fix them. A penetration test is a snapshot of the site at one point in time, so the findings must be remediated and retested, and the test repeated as the site changes, for the assurance to hold.

© 2011 – ArtSec Group LLC