Site security audit through the eyes of the customer

In this topic, I want to tell you how a commercial security audit of a site goes, what is the difference from bounty programs and the “free draft”.

So, the client has a website, in which he wants to be sure of safe operation. First of all, many try to investigate their site for vulnerabilities and the possibility of hacking - for example, using online services, free utilities and tools. Many clients come already after the fact, when their site was compromised by hackers. Here, besides treating an infected site, the client has a natural desire to minimize the possibility of re-hacking the site.

The main purpose of security audit

The main purpose of a comprehensive audit of site security is to identify all vulnerabilities and weaknesses in the site. Website audit in the BlackBox mode simulates a real hacker attack on the customer's site without destructive consequences. Site security audit for vulnerabilities is a powerful tool for ensuring information security of a resource. This is a set of work to identify errors in the site code and server software, which can be used by attackers to attack and hack the site. As a rule, these works include activities: scanning a site for vulnerabilities, manual analysis of site content, searching for and identifying errors in the logic of the scripts and components of a web application.
')

BlackBox Security Audit

The penetration testing process involves simulating the real actions of an attacker - finding security vulnerabilities and their subsequent exploitation. The penetration test provides an independent assessment and expert opinion on the state of protection of the information system. The audit of a resource (web components and web environment) is performed using the BlackBox method and includes the following steps:

• Passive information gathering;
• Definition of the web environment;
• Platform definition;
• Determining the type of CMS;
• Port scan;
• Banner collection / search for public exploits;
• Auto scan;
• Identifying the bottlenecks of the resource;
• Data analysis;
• Manual analysis in passive mode;
• Collection and analysis of the information received;
• Analysis of attack vectors;
• Confirmation of received vectors;
• Compilation of a report.

Resource actions:

• Search for server component vulnerabilities;
• Search for vulnerabilities in the web server environment;
• Check for remote execution of arbitrary code;
• Check for overflows;
• Check for injections (code injection);
• Attempts to bypass the web resource authentication system;
• Check web resource for XSS / CSRF vulnerabilities;
• Attempts to intercept privileged accounts (or sessions of such accounts);
• Attempts to produce Remote File Inclusion / Local File Inclusion;
• Search for components with known vulnerabilities;
• Check for redirects to other sites and open redirects;
• Scanning directories and files using brute force and "google hack";
• Analysis of search forms, registration forms, authorization forms, etc .;
• Checks resource for the possibility of open receipt of confidential and secret information;
• Attacks class race condition;
• Selection of passwords.

What begins

Non-Disclosure Agreement or NDA . With each client, a non-disclosure agreement is signed, regardless of the object and purpose of the audit. Any company that values ​​its reputation will not, a priori, distribute confidential information about its customers, but this Agreement will provide an additional guarantee. Moreover, during an audit, an attacker (the Contractor) may gain access to critical data, trade secrets, etc.

Validation of legitimacy. It is extremely important for the contractor to have confirmation of the legality of the security audit - i.e. The customer must be the owner of the site. In any other case, including the “free-drawing”, when enthusiasts research other people's web projects for vulnerabilities, the actions of the attacking side fall under article 272 of the Criminal Code of the Russian Federation. As for the Bug-bounty programs, the description usually indicates the enumeration of resources and permitted actions. In a commercial audit, the customer usually adds specialized markers - confirmation of the legitimacy of actions on the site; or certifies permission to conduct an audit of the document.

As a result - a contract for the provision of services is made, containing:

• audit objects (listing of resource addresses);
• regulations and terms of work;
• special requirements (for example, do not check * backup resources).

How is going

A prerequisite is the availability of backup copies of audit objects that are outside the audit perimeter. As a rule, the best option is to deploy a test bench.

Also, contact customer technical specialist for direct interaction during the audit. Although many companies try not to inform the technical staff about the audit, nevertheless, such contact is extremely necessary - the IP addresses of the attacking side and the accounts from which the research is being conducted are communicated to it. Throughout the entire audit process, direct interaction with the contractor takes place.

Total

According to the results of the site security analysis, the customer receives a detailed report on the identified vulnerabilities, vectors and attack scenarios, as well as recommendations for their elimination. The report contains a description of the model of the offender, the classification of vulnerabilities, the audit methodology, and examples of attacks on the identified vectors. The language of the report (Russian, English, etc.) is agreed upon at the stage of signing the Treaty. Consultation of the technical side of the customer is carried out after the end of the audit and the receipt of the report by the customer. In the intricate attack vectors, the customer can be presented with a video recording (screencast) of the attack vector implementation.

Summing up, it is worth noting that a high-quality site security audit allows the customer to ensure the security of the service and ensure uninterrupted operation of its resource at a high level, minimizing the risks of compromise and preserve its reputation.