When is Client-Side Penetration Testing Appropriate?
Client-side penetration testing, also known as internal testing, is the act of exploiting vulnerabilities in client-side application programs such as an email clients, web browsers, Macromedia Flash, Adobe Acrobat and others. According to the Symantec Internet Security Threat Report, threat actors are moving away from large and multipurpose cyberattacks on the network perimeter and are more focused on smaller and more targeted attacks directed at web and client-side applications.
Client-side penetration tests are performed to answer the following questions:
- How reliable is the security posture of an organization?
- Are there any vulnerabilities?
- What harm can an attacker do by exploiting these vulnerabilities?
- How can a malicious actor exploit a vulnerability?
- Are the access rights and privileges for employees set correctly?
- How can the detected weak points be closed in an economical and sensible way?
Answering all these questions can provide a realistic picture of the current security posture of any organization. Based on the results of pentesting, additional steps can be taken to enhance the security of an organization if it’s required.
In this article, you will learn how often pentests should be performed, how important pentesting and vulnerability assessments are for client-side security, what information is required for pentesting, and the names of the biggest client-side security vulnerabilities and threats, as well as the damage they caused in 2017. By the end, you will be mindful of some best practices that companies should use to educate their employees.
How Often Should a Company Carry Out Penetration Tests to Gauge Their Client-Side Security?
There is no hard-and-fast rule for an ideal schedule of pentesting. However, the organizations should perform pentesting at any time when one or more of the following situations occur:
- The company location changes
- New IT infrastructure or client-side applications are added
- Changes to the current infrastructure are made
- Security patches are applied
IT Governance recommends Level 1 Penetration Testing after every 3 months, depending on the enterprise’s risk appetite. Level 1 Pentesting attempts to involve automated scans with manual assessments to find vulnerabilities affecting your client-side systems and applications.
On the other hand, Level 2 Penetration Testing is appropriate if your enterprise has a high-value or high-profile. In this scenario, hostile insiders specifically target your organization due to critical information your company hold or the nature of the business. Level 2 pentesting should be performed annually.
For PCI DSS compliance, penetration testing (generally for all type of pentesting) should be carried out at least annually or whenever there is an important modification or upgrade of the IT infrastructure and application programs in use.
Does Client-Side Security Require Vulnerability Scanning or Penetration Testing?
Client-side security requires penetration testing because client-side attacks can quickly compromise your critical assets and information. It is vital to test your employee’s susceptibility and your network’s capability to recognize and respond to the client-side attacks.
On the other hand, vulnerability scanning can be performed if there are known vulnerabilities and the maturity level of the organization is from medium to high.
What Information Can Companies Give Penetration Testers to Get More Accurate Results?
According to Information Supplement: Penetration Testing Guidance, published by penetration special interest group PCI Security Standards Council, penetration tests can be of three types: white-box, black-box and grey-box.
The required information depends on the nature of the pentest. For a white-box pentesting, the client may provide the pentesters with complete information of applications and network. Black-box pentesting may require no details before the test begins. In a grey-box pentesting, the client provides partial details of target systems.
For web application penetration testing, the following checklist includes the information that is most critical for pentesters prior to the pentesting:
- Determine the type of pentest (either black-box or white-box)
- Key objectives of the pentest
- Validating that the authorization letter has been signed.
- Providing URL(s) of the web application(s) and their access rights
- Determine the number of dynamic and static pages
- Testing boundaries (e.g., XXS, hijacking, HTML Injection and Open Redirection)
- Technologies (e.g., NET, ASP, PHP and Apache)
- Any port numbers or VPN
- Web pages that the client wants to be excluded from the test
- Escalation contact
- Web application firewall and any other Intrusion Detection System (IDS) in place
- The timeframe of the pentest (hours and dates)
What Are the Biggest Client-Side Security Vulnerabilities?
One of the biggest client-side vulnerabilities often occurs when an unpatched software exists on a laptop or desktop. A hostile actor could exploit a vulnerable application through a specifically-crafted email or by enticing the employee to visit a malicious web page.
In addition, a vulnerability can exit in the client-side update. This way, the attacker can intercept the updating process to send its malicious code along with the original update. As a result, the employee may download the infected update rather than the original one.
Another notable vulnerability exists due to malware loaded on USB sticks. USB devices often involve malicious executable code or PDF files that are automatically executed once inserted in the victim’s machine.
What Are Some of the ‘New’ Client-Side Security Attacks?
According to an Edgescan 2018 vulnerability statistics report, client-side security attacks contributes 24% to the overall “Application Vulnerability Taxonomy” of their survey. Per the report, various types of client-side security attacks include Cross-Site Scripting (XSS), clickjacking, CORS, form hijacking, HTML injection and open redirection.
Cross-Site Scripting (XSS)
This is one of the biggest vulnerabilities in web applications and is expected to be a major threat throughout the rest of 2018. XSS attacks are the type of injection in which a malicious script (s) is injected into trusted and otherwise benign websites. Therefore, the user’s browser trusts and executes that script because it thinks a script came from the trusted source. Once the script has been executed, it could access session tokens, cookies, or other critical information retained by the web browser.
This is a malignant technique of tricking a user into clicking on something disparate from what the user perceives he or she is clicking on. A malicious clickjack consists of a script or embedded code that executes without the user’s knowledge.
Cross-Origin Resource Sharing (CORS)
CORS attempts to allow all restricted resources on a website to be requested from which a first resource was served. This website may incorporate freely embedded videos, scripts, stylesheets, iframes, and cross-origin images.
Form hijacking is another harmful technique used to exploit vulnerable fill-in web forms for sending spam emails.
Open redirection, also known as an Unvalidated Redirect and Forward Attack, is one of the most commonly overlooked vulnerabilities by web developers. Your website is vulnerable to open redirection if its parameter values in an “HTTP GET” request allow for information that would redirect a user to an arbitrary external domain. Open redirection is opening the floodgates of new phishing attacks nowadays.
How Much Damage Was Caused by Client-Side Security Breaches in 2017?
The 2017 Cost of Cyber Crime Study, a study conducted by the Ponemon Institute and Accenture, examines the total costs that enterprises incur due to cybercrimes, including client-side security breaches. Organizations from seven countries, including the United States, Germany, Japan, the United Kingdom, Australia, France, and Italy were surveyed during this research. The following statistics, taken from this report, show the client-side attacks and the damages they triggered in 2017:
- Web-based attacks caused $12.3 million loss
- Malicious insiders triggered $8.42 million loss
- Phishing and social engineering caused $8.49 million loss
- Malicious code triggered $8.24 million loss
- Stolen devices caused a $4.97 million loss
We are coming to realize that organizations have borne the brunt of client-side security breaches. To prevent such attacks, companies should take defensive measures to train their employees about client-side security issues. The following defensive considerations are critical for companies:
- Companies must ensure that each system and application is properly patched, and if any unpatched machine exists, the employee should immediately report it to security management staff.
- Educate your employees about phishing attacks and ask them not to open any malicious or unwanted links.
- Make employees aware of the fact that they are being monitored constantly and any suspicious activities will be reported to the security management staff.
- Educate your workers regarding the current security trends and client-side attacks. In case of any incident, your employees must be able to detect and respond to it immediately before the attack becomes a serious problem.
- Enhance your endpoint security controls to ensure they are able to detect malicious activities. Employees should also learn about these controls to better understand their organization’s security posture.
- Make periodic audits to ensure that each employee is adhering to the rules and regulations regarding client-side security. For example, your employees must not trust any redirected page other than that which he is trying to visit.
- Do not use HTTP. If you want your employees to be safe when visiting websites, you need to utilize SSL (HTTPS).
- Sandbox potentially malicious iframes. If companies use iframes to load contents from external websites, they may need to secure these iframes too.
- Educate your employees to periodically delete history, cache, cookies and form autocompletion.
How often should I schedule a penetration test?, IT Governance
2018 Vulnerability Statistics Report, Edgescan
What are client-side attacks?, NTT Security
Pre-engagement Pentest Checklist for Web Applications Assessment, Penetration Testing Lab
Information Supplement: Penetration Testing Guide, PCI Security Standards Council
Ethical Hacking and Penetration Testing Guide, Rafay Baloch