Think about what wasn’t developed by the pros
A few years ago I was testing an e-commerce system that had just been rewritten by an outsourced vendor. I was asked to identify possible security errors in their implementation. As part of that testing, I looked at the HTML, tried some basic SQL injection, and did some URL manipulation. All the basic tests I could think of were failing. Before moving on to the big guns - setting up tools and writing some custom scripts to try different things - I decided to step back and ask some simple questions.
This site had been rewritten by a company that specialized in secure web development. Looking at the code, you could tell these guys knew their stuff. I could spend days or even weeks testing this site before I found anything. I knew that. Instead of attacking the site to get what I wanted, I asked what this outsourced team likely didn't develop. What would the company be too cheap to outsource? What would they feel like they could do themselves?
Within minutes I had a show-stopper issue. I could access every item I wasn't supposed to.
The company had not outsourced the development of the search function on the site. It had been a guess. Everyone thinks they can develop a good search feature - even though few actually can. When I searched for an item to purchase, all the results came back referenced using their primary key in the database. I knew that because of the creative variable naming of "pk=". Armed with this information, I was able to do some pattern matching and noticed that the key was used in the URL in certain places. From there, I could access whatever I wanted.
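The flaw described above is a classic insecure direct object reference: the search leaked raw primary keys, and the item URLs trusted them without checking whether the requester was allowed to see that row. The following is an added illustration, not code from the post or from the site in question; the catalogue, the `is_public` flag and the per-session reference map are constructed assumptions. It shows the unchecked lookup beside a version that applies the same visibility rule as the search and hides the database key behind an opaque per-session reference.

```python
import hmac
import hashlib
import secrets

# Constructed catalogue. The dict key plays the role of the "pk" that the
# search results exposed; is_public=False models rows a shopper should not reach.
ITEMS = {
    101: {"name": "Kettle", "is_public": True},
    102: {"name": "Unreleased console", "is_public": False},
    103: {"name": "Internal test SKU", "is_public": False},
}


def fetch_item_vulnerable(pk):
    """The pattern from the post: look up by raw primary key, no authorization."""
    return ITEMS.get(pk)


def fetch_item_hardened(pk, requester_is_staff=False):
    """Enforce the same visibility rule on direct fetches as on search.
    Return None for both missing and forbidden rows so existence is not leaked."""
    item = ITEMS.get(pk)
    if item is None or (not item["is_public"] and not requester_is_staff):
        return None
    return item


class ReferenceMap:
    """Per-session indirect references: URLs carry an HMAC of the pk under a
    session secret, and only references actually issued by search resolve back."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # hypothetical per-session secret
        self._issued = {}

    def to_ref(self, pk):
        ref = hmac.new(self._key, str(pk).encode(), hashlib.sha256).hexdigest()[:16]
        self._issued[ref] = pk
        return ref

    def to_pk(self, ref):
        return self._issued.get(ref)          # unissued or guessed refs -> None


def search(query, refmap, requester_is_staff=False):
    """Return (ref, name) pairs only for rows the requester may see."""
    return [(refmap.to_ref(pk), item["name"]) for pk, item in ITEMS.items()
            if query.lower() in item["name"].lower()
            and fetch_item_hardened(pk, requester_is_staff) is not None]


def item_page(ref, refmap, requester_is_staff=False):
    """Resolve an opaque ref and re-check authorization before returning the row."""
    pk = refmap.to_pk(ref)
    return None if pk is None else fetch_item_hardened(pk, requester_is_staff)
```

Even with opaque references, the authorization check in `item_page` is the control that matters; the reference map only removes the enumerable key from the URL.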

June 17th, 2009 - 11:14
“The company had not outsourced the development of the search function on the site. It had been a guess.”
It makes a lot of sense to determine who developed what.
But why did you guess, rather than asking the company specifically?
June 17th, 2009 - 16:30
The fact that I could find an issue in under two hours of total testing time, without asking the team any questions about the work they had done, is more influential about the severity of the issue than if I had played twenty questions and then tested.
If I had that information to start with, the issue I found potentially becomes “ignorable data.” Someone can say, “No one would really think of that.” By not asking, I demonstrate that people really do think that way. It’s difficult to ignore. With little to no information, I found the issue in under two hours. Check and mate.
I also think it’s part of cultivating the mindset of someone trying to penetrate a site. I think if you’re serious about security testing, that has to be something you’re good at. I’m not as good at it as I’d like to be, but I always want the practice when I get the chance.