Finding and reporting vulnerabilities

Recently, Northwaver Thomas published a blog about the research he did on a Content Management System called Bloomreach Experience Manager (find it here). Based on this blog, a new question arose: how exactly does the process of finding and reporting these vulnerabilities work? In this blog, we answer that question for you.

Assuming you know what a penetration test is, let’s dive into the process after a customer requests a penetration test from Northwave’s Red Team (if not, try reading this first). Initially, an intake meeting is held with the client. During this meeting the details of the requested test are determined, such as the type of test, the test dates and the scope of the test. The scope also indicates what needs to be tested (networks, systems, websites, mobile apps or any other type of software). After this, the pentest can start. During a penetration test, one or more of our Red Team members will try to find vulnerabilities within the systems or applications in scope.

Finding vulnerabilities

So, how are vulnerabilities found exactly? There are several guidelines that are followed; these are agreed upon before starting the test. The pentesters use extensive checklists during their work, which are based on industry-wide accepted standards and guidelines. But being a good pentester requires more than just knowing how to follow a step-by-step guide. Even though the repetition of the checks is a big part of becoming familiar with the way vulnerabilities can be spotted, a pentester often develops an eye for finding vulnerabilities. Thomas explains that it is hard to pinpoint how one can recognise that there might be a vulnerability. “Some things are more obvious, like the way a URL is constructed. Others are more subtle and require more expertise to be spotted.”

During a project, clear boundaries are set with regard to what can be tested and what is off-limits. However, pentesters often have an intrinsic need to protect the online space and report vulnerabilities, whether this is part of a project or not. For this reason, there are guidelines on how to go about this. It is technically not allowed to ‘randomly’ start testing to see what information can become available. But there are NCSC guidelines that indicate how to test in a responsible way. The goal of the NCSC’s guidelines is to increase safety in the ICT environment in a respectful and ethical way.

“The intention with which you decide to act on it is key. Once the decision is made to explore the vulnerability, the initial step is to determine whether there is indeed a security issue. This can be done by carefully sending out a minimal-impact request and not gathering more information than needed, as indicated by the NCSC guideline. If after a test I see that I receive certain values or I get access to certain data that should not be accessible, the next step is to get in contact with the developer or the company that it concerns to present them with my findings,” mentions Thomas.

When the company is contacted with the information that there is a vulnerability, there is often a waiting period to allow the company to fix the vulnerability. The duration of this waiting period differs from situation to situation. It is important for a pentester not to publish their information online yet, as this exposes the vulnerability to a wide public. When the waiting period is over, the pentester often does publish the information online. These publications are popular reading for other pentesters and serve as a way to learn new skills through the experience of others. This way, experts as well as skilled amateurs work together to keep the web safer.

Curious to read more about what goes on behind closed doors at Northwave? Then read our other blogs here.