undefined | Better HN

0 pointsdylan6042y ago0 comments

I recently ran into something along the lines of your devolved pentest concept. I have a public facing webapp, and the report came back with a list of "critical" issues that are solved by yum update. Nothing about vulnerability to session jacking or anything along the lines of requiring actual work. I was a few steps removed from the actual testing, so who knows what was lost in translation and it being the first time I've ever had something I worked on pen tested. However, I feel this was more of a script kiddie port scan level of effort vs actually trying to provide useful security advice. The whole process was very disappointing.

0 comments

alaxapta72y ago

I've seen worse. Couple years back, there was an audit that included an internal system I've been working on. It was running on Debian oldstable because of a vital proprietary library I wasn't able to get working on stable at the time, but it had unattended upgrades set up and all that.

The company made some basic port scan and established that we're running outdated and vulnerable version of Apache. I found the act of explaining the concept of backports to a "pentester" to be physically painful.

They didn't get paid and another company was entrusted with the audit.

pixl972y ago

This is why I always attempt to turn off as much version information output as possible from any service. Make the pentester do their homework and not just look at "Apache 2.XX"

Hopefully you also have an internal control that looks at actual package versions installed on the server.

alaxapta72y ago

Normally I do that too, but this was fairly new and internal application that was still in development, so that's why it was there. And if it wasn't for this incident, they might actually trick our management into thinking they're somehow qualified to carry out such an audit.

dylan604OP2y ago

This is actually a take away that I did implement. it's one of those that's not actively a vuln, but might provide info on what other attacks to try.

im3w1l2y ago

How behind on yum updates were you anyway?

dylan604OP2y ago

not very. i guess i was too cavalier in hand waving it as a yum update. some of it was switching to a new repo with the most recent version available. but that was still just using yum. not like it required changes to the code base and workflow. maybe it was an amazon-linux-extras command for the actual package change, but still.

j / k navigate · click thread line to collapse

0 pointsdylan6042y ago0 comments

0 comments

alaxapta72y ago

They didn't get paid and another company was entrusted with the audit.

pixl972y ago

This is why I always attempt to turn off as much version information output as possible from any service. Make the pentester do their homework and not just look at "Apache 2.XX"

Hopefully you also have an internal control that looks at actual package versions installed on the server.

alaxapta72y ago

dylan604OP2y ago

This is actually a take away that I did implement. it's one of those that's not actively a vuln, but might provide info on what other attacks to try.

im3w1l2y ago

How behind on yum updates were you anyway?

dylan604OP2y ago

j / k navigate · click thread line to collapse