Jake Reynolds

Jake Reynolds graduated with a Bachelors Degree in Computer Science from the University of Minnesota, Twin Cities with a focus on enterprise web development. In his role at NetSPI, Jake is responsible for leading Resolve's product strategy and ensuring it exceeds the needs of our customers. Previous to this role Jake was a Principal Security Consultant helping lead internal R&D and application penetration testing services at NetSPI.
More by Jake Reynolds
WP_Query Object
(
    [query] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "31"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "31"
                            [compare] => LIKE
                        )

                )

        )

    [query_vars] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "31"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "31"
                            [compare] => LIKE
                        )

                )

            [error] => 
            [m] => 
            [p] => 0
            [post_parent] => 
            [subpost] => 
            [subpost_id] => 
            [attachment] => 
            [attachment_id] => 0
            [name] => 
            [pagename] => 
            [page_id] => 0
            [second] => 
            [minute] => 
            [hour] => 
            [day] => 0
            [monthnum] => 0
            [year] => 0
            [w] => 0
            [category_name] => 
            [tag] => 
            [cat] => 
            [tag_id] => 
            [author] => 
            [author_name] => 
            [feed] => 
            [tb] => 
            [paged] => 0
            [meta_key] => 
            [meta_value] => 
            [preview] => 
            [s] => 
            [sentence] => 
            [title] => 
            [fields] => 
            [menu_order] => 
            [embed] => 
            [category__in] => Array
                (
                )

            [category__not_in] => Array
                (
                )

            [category__and] => Array
                (
                )

            [post__in] => Array
                (
                )

            [post__not_in] => Array
                (
                )

            [post_name__in] => Array
                (
                )

            [tag__in] => Array
                (
                )

            [tag__not_in] => Array
                (
                )

            [tag__and] => Array
                (
                )

            [tag_slug__in] => Array
                (
                )

            [tag_slug__and] => Array
                (
                )

            [post_parent__in] => Array
                (
                )

            [post_parent__not_in] => Array
                (
                )

            [author__in] => Array
                (
                )

            [author__not_in] => Array
                (
                )

            [ignore_sticky_posts] => 
            [suppress_filters] => 
            [cache_results] => 
            [update_post_term_cache] => 1
            [lazy_load_term_meta] => 1
            [update_post_meta_cache] => 1
            [nopaging] => 1
            [comments_per_page] => 50
            [no_found_rows] => 
            [order] => DESC
        )

    [tax_query] => WP_Tax_Query Object
        (
            [queries] => Array
                (
                )

            [relation] => AND
            [table_aliases:protected] => Array
                (
                )

            [queried_terms] => Array
                (
                )

            [primary_table] => wp_posts
            [primary_id_column] => ID
        )

    [meta_query] => WP_Meta_Query Object
        (
            [queries] => Array
                (
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "31"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "31"
                            [compare] => LIKE
                        )

                    [relation] => OR
                )

            [relation] => OR
            [meta_table] => wp_postmeta
            [meta_id_column] => post_id
            [primary_table] => wp_posts
            [primary_id_column] => ID
            [table_aliases:protected] => Array
                (
                    [0] => wp_postmeta
                )

            [clauses:protected] => Array
                (
                    [wp_postmeta] => Array
                        (
                            [key] => new_authors
                            [value] => "31"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                    [wp_postmeta-1] => Array
                        (
                            [key] => new_presenters
                            [value] => "31"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                )

            [has_or_relation:protected] => 1
        )

    [date_query] => 
    [request] => SELECT   wp_posts.* FROM wp_posts  INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1  AND ( 
  ( wp_postmeta.meta_key = 'new_authors' AND wp_postmeta.meta_value LIKE '{19f7c9ed5995b7d849c2a48dc0bac56dd09d7bc0d1b5ce9f824f0fcb71b04fc1}\"31\"{19f7c9ed5995b7d849c2a48dc0bac56dd09d7bc0d1b5ce9f824f0fcb71b04fc1}' ) 
  OR 
  ( wp_postmeta.meta_key = 'new_presenters' AND wp_postmeta.meta_value LIKE '{19f7c9ed5995b7d849c2a48dc0bac56dd09d7bc0d1b5ce9f824f0fcb71b04fc1}\"31\"{19f7c9ed5995b7d849c2a48dc0bac56dd09d7bc0d1b5ce9f824f0fcb71b04fc1}' )
) AND wp_posts.post_type IN ('post', 'webinars') AND ((wp_posts.post_status = 'publish')) GROUP BY wp_posts.ID ORDER BY wp_posts.post_date DESC 
    [posts] => Array
        (
            [0] => WP_Post Object
                (
                    [ID] => 25368
                    [post_author] => 53
                    [post_date] => 2021-05-13 07:00:49
                    [post_date_gmt] => 2021-05-13 07:00:49
                    [post_content] => 

Over time, the way we view cyber security risk has evolved the penetration testing industry. What once was a static laundry list of vulnerabilities to remediate is now a risk-based vulnerability management program. Modern penetration testing should provide more than a list of vulnerabilities. To be effective, it must guide organizations to effectively prioritize the vulnerabilities, assets, networks, etc. that pose the highest risk to the business.

In this webinar, NetSPI’s product team, Jake Reynolds and Cody Chamberlain, will discuss:

  • How risk has evolved in penetration testing  
  • The role of risk scoring in intelligent prioritization of security activities  
  • The factors that impact a risk score 
  • Pragmatic steps to take after you receive a risk score
[post_title] => The Evolution of Risk-Based Vulnerability Management [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => evolution-of-risk-based-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2021-06-24 12:33:53 [post_modified_gmt] => 2021-06-24 17:33:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=25368 [menu_order] => 4 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 20655 [post_author] => 31 [post_date] => 2020-12-08 07:00:36 [post_date_gmt] => 2020-12-08 07:00:36 [post_content] =>

PTaas Pro is now offered as part of AppSec as a Service. Learn more about AppSec as a Service.

During our penetration testing engagements, we frequently hear from clients that it is difficult to manage the large volume of vulnerabilities we discover. While on the one hand, this is what we are hired to do, for our clients, it poses some challenges. Now, with Penetration Testing as a Service (PTaaS) we’ve made it easier than ever to consume, understand, and manage the large number of results we deliver to our clients with our penetration tests. And with PTaaS+, we’ve extended those benefits by directly integrating with your ticketing systems and allowing you to perform the full remediation lifecycle inside of Resolve™, our threat and vulnerability management platform.

What are you supposed to do when NetSPI isn’t the only source of vulnerability discovery for your organization? It’s extremely important to correlate and deduplicate vulnerabilities from all your data sources, not only to reduce noise but to save frustration from your engineering teams by reducing duplicates and false positives, and providing consistent, up-to-date guidance.

PTaaS Pro solves this problem by providing Resolve’s full suite of Threat and Vulnerability Management capabilities to our penetration testing clients. PTaaS Pro is an extremely valuable tool for security programs of all sizes, and provides many benefits, including:

Manage Internal and Third-Party Vulnerabilities

PTaaS Pro gives you the ability to manage all your organization’s vulnerabilities, not just those that NetSPI discovers. Yes, that even means vulnerabilities discovered by our competition. Resolve can integrate with over 30 vulnerability scanners, your CMDBs, and all your internal ticketing systems to have a consolidated warehouse for all vulnerabilities.

Reduce In-house Penetration Testing Times by up to 30 Percent

Resolve is a powerful tool for internal penetration testing teams, allowing them to coordinate project management for tests, standardize and enforce processes through checklists, correlate and deduplicate their automated and manual findings, and generate reports with the click of a button. One of the reasons NetSPI performs the highest quality penetration testing in the industry is because Resolve removes the hassle from testing, allowing your team to focus on finding vulnerabilities.

We’re More Than a Vendor – We’re You’re Partner

When launching PTaaS Pro with your organization, NetSPI connects you with our team of industry experts, including former CISOs, vulnerability managers, and security experts. Together we work to integrate Resolve and NetSPI into your security processes. Every step of the way you’ll have access to first-hand experience and guidance on how to optimize and improve your security program.

PTaas Pro is now offered as part of AppSec as a Service. Learn more about AppSec as a Service.

[post_title] => Introducing PTaaS Pro: The Smart Solution to Penetrating Testing and Vulnerability Management [post_excerpt] => During our penetration testing engagements, we frequently hear from clients that it is difficult to manage the large volume of vulnerabilities we discover [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => introducing-ptaas-pro-the-smart-solution-to-penetrating-testing-and-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2021-05-25 14:11:09 [post_modified_gmt] => 2021-05-25 14:11:09 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20655 [menu_order] => 72 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 20097 [post_author] => 31 [post_date] => 2020-10-22 07:00:13 [post_date_gmt] => 2020-10-22 07:00:13 [post_content] =>

The PTaaS+ features listed within this blog post are now offered with any NetSPI service that leverages PTaaS. This excludes ticketing integrations, which are available for an additional cost. Connect with sales@netspi.com to learn more.

NetSPI is focused on creating the next generation of security testing. Our Penetration Testing as a Service (PTaaS) delivers higher quality vulnerabilities, in less time than any other provider and we are now expanding these benefits into your remediation lifecycle.

This month we’re expanding your options with our PTaaS+ plan, which focuses on vulnerability management and remediation. With our base PTaaS plan, we deliver vulnerabilities the same day they are found, now with PTaaS+ you and your team are empowered to act upon and begin remediating them immediately, decreasing your time-to-remediation by up to 1 month for high severity issues. A couple of key features contribute to this new functionality:

Ticketing Integrations

On average, we report over 50 vulnerabilities on a regular web application test, that number jumps above 700 when we perform external network testing. When receiving so many vulnerabilities, making sense of it all can be a full-time job before you even get to remediating them. With PTaaS+, we offer free integration with Jira or Service Now to easily get the vulnerabilities into your tools and into the remediator’s hands on day zero.

Remediation Assignments & SLAs

After receiving a large number of vulnerabilities, the first step is assigning a due date for remediation based on vulnerability severity. PTaaS+ allows each severity to be assigned a timeframe in which it must be remediated from the delivery date. NetSPI’s standard recommendation is:

  • Critical – 30 days
  • High – 60 days
  • Medium – 90 days
  • Low – 365 days

However, these can be customized to fit your organization’s policies. Additionally, with PTaaS+, you can assign vulnerabilities to specific users, letting you track and delegate vulnerabilities throughout the remediation lifecycle.

Vulnerability Customization

After delivering vulnerabilities, one common point of discussion is NetSPI’s severity rating vs. an organization’s internal vulnerability rating. Every organization rates vulnerabilities differently and to help with that, PTaaS+ allows you to provide an assigned severity to all vulnerabilities, from which your remediation due dates can be calculated. Both NetSPI’s and your severities will be maintained for auditing and future reporting.

Data Analytics

After you have a handle on your remediation processes, you can start looking for trends to ensure fewer vulnerabilities next year. PTaaS+ grants you access to NetSPI’s Data Lab which allows you to analyze and trend vulnerabilities across all your assessments with NetSPI. Popular data lab queries include:

  • Riskiest asset in your environment
  • Most common vulnerabilities across your company
  • Top OWASP categories

The PTaaS+ features listed within this blog post are now offered with any NetSPI service that leverages PTaaS. This excludes ticketing integrations, which are available for an additional cost. Connect with sales@netspi.com to learn more.

[post_title] => Introducing PTaaS+: Decreasing Your Organization's Time to Remediation [post_excerpt] => NetSPI is focused on creating the next generation of security testing. This month we’re expanding your options with our PTaaS+ plan. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => introducing-ptaas-plus-decreasing-your-organizations-time-to-remediation [to_ping] => [pinged] => [post_modified] => 2021-05-26 00:13:22 [post_modified_gmt] => 2021-05-26 00:13:22 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20097 [menu_order] => 82 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 19891 [post_author] => 65 [post_date] => 2020-10-07 07:00:50 [post_date_gmt] => 2020-10-07 07:00:50 [post_content] => On October 7, NetSPI Managing Director Nabil Hannan and Product Manager Jake Reynolds were featured in Cyber Defense Magazine: With Continuous Integration/Continuous Deployment (CI/CD) increasingly becoming the backbone of the modern DevOps environment, it's more important than ever for engineering and security teams to detect and address vulnerabilities early in the fast-paced software development life cycle (SDLC) process. This is particularly true at a time where the rate of deployment for telehealth software is growing exponentially, the usage of cloud-based software and solutions is high due to the shift to remote work, contact tracing software programs bring up privacy and security concerns, and software and applications are being used in nearly everything we do today. As such, there is an ever-increasing need for organizations to take another look at their application security (AppSec) strategies to ensure applications are not left vulnerable to cyberattacks. Read the full article for three steps to get started – starting on page 65 of the digital magazine here. [post_title] => Cyber Defense Magazine: 3 Steps to Reimagine Your AppSec Program [post_excerpt] => On October 7, NetSPI Managing Director Nabil Hannan and Product Manager Jake Reynolds were featured in Cyber Defense Magazine. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cyber-defense-magazine-3-steps-to-reimagine-your-appsec-program [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:08:43 [post_modified_gmt] => 2021-05-04 17:08:43 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=19891 [menu_order] => 87 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 19786 [post_author] => 2 [post_date] => 2020-09-10 14:52:02 [post_date_gmt] => 2020-09-10 19:52:02 [post_content] =>

This session was originally shown at Black Hat USA 2020.

A successful Application Security Program requires a happy marriage between people, processes, and technology.

Watch this on-demand session to:

  • Learn how leading organizations use different discovery techniques as part of their AppSec program
  • Understand strengths and weaknesses of common AppSec vulnerability discovery technologies
  • Adopt techniques that make security frictionless for your developers as they embrace a DevSecOps culture
  • Learn how functional your application security program can be with a “makeover” to:
    1. Enhance your reporting to empower leadership to optimize your appsec program
    2. Improve your vulnerability ingestion, correlation, and enrichment
    3. Increase your speed to remediation
[post_title] => Extreme Makeover AppSec Edition [post_excerpt] => Did you miss Black Hat USA 2020? Watch our webinar, "Extreme Makeover: AppSec Edition," by NetSPI's Managing Director, Nabil Hannan, and Product Manager, Jake Reynolds, on-demand now. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => extreme-makeover-appsec-edition-black-hat-2020 [to_ping] => [pinged] => [post_modified] => 2021-06-02 08:54:24 [post_modified_gmt] => 2021-06-02 08:54:24 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=19786 [menu_order] => 26 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 18462 [post_author] => 31 [post_date] => 2020-04-21 07:00:16 [post_date_gmt] => 2020-04-21 07:00:16 [post_content] =>

The process of assessing third-party penetration testing vendors is the start of a long-term relationship that is core to your security testing program. It’s critical to find a vendor that can both conduct and operationalize these testing programs to scale across the smallest and largest of security organizations. This can only happen when a testing service provider is technology-enabled and can plug into any environment.

At RSA in February, NetSPI launched Penetration Testing as a Service (PTaaS). PTaaS is our unique delivery model that provides our Threat and Vulnerability Management (TVM) platform, Resolve™ to our customers on every engagement. PTaaS is designed to provide best-in-class TVM solutions, by default, for every test. Starting with the first engagement, all vulnerabilities are correlated, deduplicated, and delivered directly through Resolve™. As the testing grows, the entire suite of product functionality can be added so all of an organization’s internal and third-party testing programs can be viewable in Resolve™.

In this two-part blog, we will first review existing features that come standard with a penetration test through PTaaS. Then, in the second blog in May, we’ll discuss additional and upcoming functionality that exists to scale Resolve™ across even the largest organizations.

Program Management

The entry point into Resolve™ is the Program Management Dashboard, which helps orchestrate all testing activities that are ongoing and have been completed in the platform. At the top, you will see new vulnerabilities trending over time and by hovering over them, you can see the efficacy of each testing method. This helps identify what was found through manual penetration testing versus our proprietary multi-scanner orchestration and correlation tool, Scan Monster™, versus a traditional single network scanner.

On this same Program Management Dashboard screen, you can see the Services Overview, which aggregates all projects in Resolve™ into a matrix via Project Type and timeframe. For example, the top left card in this overview represents all Web Application Penetration Tests performed in Q1 2020. Additional detail such as scoping and vulnerability information can also be found on this card.

Projects

By clicking into one of these cards in the Services Overview, you will be taken to the Projects grid, where each project’s details can be viewed. Selecting a project will bring up all information related to that project at-a-glance, where you can view information including recent activity and comments, users assigned to the project, and project scope and definition. All communication for the project flows through this page. The project entities are also available here, along with important information like the findings discovered during the engagement and the assets that were included in the test. An asset typically relates to a unique IP address or URL.

Findings

The Findings tab will display all vulnerabilities discovered during the engagement. These findings can be searched, sorted, and filtered directly in this grid, as well as globally. Selecting a row will bring up a wealth of information about that finding.

The finding details present everything a developer would need to know to understand this type of vulnerability, including the overall severity, description, business impact, and remediation instructions for that issue, as well as what CVEs and OWASP categories are associated with that vulnerability.

Selecting the instances tab will bring up all the unique locations this vulnerability was discovered on this asset.

Instances

Inside an instance will be all the information needed to identify the specific vulnerability, including the affected URL and port and what parameters were used in the attack, along with step-by-step verification instructions. These instructions detail how to reproduce the vulnerability so developers can quickly understand and remediate it.

Concluding Thoughts

All these features are available at both the project and global levels. Users can filter, search, and globally prioritize all vulnerabilities and assets that exist in Resolve™. NetSPI has performed our penetration testing services in Resolve™ for over a decade and currently host 50+ million vulnerabilities for our clients – a number which is rapidly increasing.

Be sure to check back in late May for our part two in this series where we’ll discuss additional and new functionality that exists to scale Resolve™ across even the largest organizations.

To learn more about PTaaS, see the below resources:

[post_title] => Penetration Testing as a Service – Scaling to 50 Million Vulnerabilities [post_excerpt] => The process of assessing third-party penetration testing vendors is the start of a long-term relationship that is core to your security testing program. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => penetration-testing-as-a-service-scaling-to-50-million-vulnerabilities [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:54:14 [post_modified_gmt] => 2021-04-14 00:54:14 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18462 [menu_order] => 137 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 17343 [post_author] => 2 [post_date] => 2020-02-29 11:32:22 [post_date_gmt] => 2020-02-29 11:32:22 [post_content] => Your organization is always-on and your security should be too. Whether managing an annual penetration test, or delivering and prioritizing millions of vulnerabilities, traditional service delivery methods fall short. Learn how Penetration Testing as a Service scales and operationalizes continuous penetration testing in an ongoing, consumable fashion. [post_title] => Scaling Your Security Program with Penetration Testing as a Service [post_excerpt] => Your organization is always-on and your security should be too. Learn how Penetration Testing as a Service scales and operationalizes continuous pentesting in an ongoing, consumable fashion. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => scaling-your-security-program-with-penetration-testing-as-a-service [to_ping] => [pinged] => [post_modified] => 2021-06-02 08:58:04 [post_modified_gmt] => 2021-06-02 08:58:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=17343 [menu_order] => 40 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [7] => WP_Post Object ( [ID] => 16505 [post_author] => 31 [post_date] => 2020-02-05 07:00:06 [post_date_gmt] => 2020-02-05 07:00:06 [post_content] => On Feb. 4, 2020, NetSPI Product Manager Jake Reynolds was featured in TechTarget’s WhatIs.com defining Pentesting as a Service. Pentesting as a Service (PTaaS) is a cloud service that provides information technology (IT) professionals with the resources they need to conduct and act upon point-in-time and continuous penetration tests. The goal of PTaaS is to help organizations build successful vulnerability management programs that can find, prioritize and remediate security threats quickly and efficiently. In IT security, it is common practice for businesses to hire reputable, white hat testers to come in and proactively look for attack vectors that could be exploited. Inviting an outside entity to try and breach a network, server or application may sound counter-intuitive, but it’s also one of the best ways to identify and remediate difficult-to-spot security issues. Read the full article here. [post_title] => What Is.com Word of the Day: Pentesting as a Service (PTaas) [post_excerpt] => On Feb. 4, 2020, NetSPI Product Manager Jake Reynolds was featured in TechTarget’s WhatIs.com defining Pentesting as a Service. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => what-is-com-word-of-the-day-pentesting-as-a-service-ptaas [to_ping] => [pinged] => [post_modified] => 2021-04-14 05:32:27 [post_modified_gmt] => 2021-04-14 05:32:27 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=16505 [menu_order] => 164 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [8] => WP_Post Object ( [ID] => 16327 [post_author] => 31 [post_date] => 2020-02-04 07:00:21 [post_date_gmt] => 2020-02-04 07:00:21 [post_content] =>

Study after study shows that business leaders across the country place cybersecurity in their top concerns for 2020. PwC’s 23rd annual CEO Survey shows that 53% of U.S. CEOs are “extremely concerned” about the effect cyber threats will have on growth prospects.

And the findings of the Conference Board are similar. According to the survey, cybersecurity was the top concern for CEOs in 2019. What’s more, according to the study, cybersecurity budgets are increasing, with more than 70% of responding CEOs globally planning to increase their cybersecurity budgets this year. Interestingly, cybersecurity strategy remains elusive: almost 40% of responding CEOs globally say their organizations lack a clear strategy to deal with the financial and reputational impact of a cyberattack or data breach.

Often, we see that an inadequate security test can leave a company with a false sense of security. Couple that with the fact that in 2019 the average cost of a data breach to a company was $3.9 million, and a greater business challenge emerges. The bottom line is that organizations are always-on, so their security should be too. It’s more critical than ever that organizations implement a more proactive strategy to better understand their security weaknesses and vulnerabilities.

Penetration testing, delivered in a consumable fashion, and executed monthly or quarterly, rather than annually, can help. At NetSPI we call it Penetration Testing as a Service or PTaaS. Here’s all you need to know before investing in PTaaS, to achieve a successful vulnerability testing and management program.

An Introduction to PTaaS

PTaaS is the delivery model of combined manual and automated pentesting producing real-time, actionable results, allowing security teams to remediate vulnerabilities faster, better understand their security posture, and perform more comprehensive testing throughout the year.

A successful PTaaS program delivers security testing comprised of an expert manual pentesting team enhanced by automation. It puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and have the ability to perform always-on continuous testing.

The Case for PTaaS

According to PwC, cyber threats are a drag on growth, and tolerances for breaches and trust in technology are plummeting. To combat these trends, organizations need to shore up resilience. “Step one is to use technology to get real-time views into your most critical processes and assets, and then set up for continuous resilience,” it states.

Organizations with a mature security program understand that point-in-time testing is not the best option for continuously securing their applications and networks. New code and configurations are released every day; a continuous security program delivers results to customers around the clock, enabling them to manage their vulnerabilities easier and more efficiently.

PTaaS should be viewed as an essential IT department activity for identifying exploitable security vulnerabilities present across all networks in computing devices, such as desktop operating systems, web applications, mobile apps, and more. It proactively hardens an environment by identifying security weaknesses and software vulnerabilities, and then prioritizing them by severity of outcome should they be exploited, as factored against the likeliness of the attack. [Want to read more about penetration testing, a commonly misunderstood security discipline? Grab a cup of coffee and enjoy.

Choosing the Best PTaaS Partner for Your Business

When evaluating PTaaS options, security professionals would be well advised to:

  • Insist on real-time accessible reporting and not settle for reams and reams of static PDF reports that don’t allow for access to data in real-time as vulnerabilities are found.
  • Look for a platform, dashboard or technology efficiencies, that offer increased speed to remediation and direct communication with the pentesting experts. For example, NetSPI’s platform houses all vulnerability data and provides remediation guidance for real-time access and assessment.
  • Prioritize non-negotiables like employing a team of expert deep-dive manual pentesting professionals with enhanced automation, as automated pentesting and scanners will only ever find a portion of an organization’s vulnerabilities. While automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.

As attack surfaces constantly grow and evolve, it’s important to recognize that point-in-time penetration testing, while important, is no longer an effective means of year-round security and that there are options available that can increase the value that you get from traditional testing. As an industry, our ultimate goal is to prevent breaches from happening – but, how can we make that happen without having an “always-on” mentality?

Learn more about NetSPI PTaaS here.

[post_title] => Keep Pace with Evolving Attack Surfaces: Penetration Testing as a Service [post_excerpt] => Study after study shows that business leaders across the country place cybersecurity in their top concerns for 2020. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => keep-pace-with-your-evolving-attack-surface-penetration-testing-as-a-service [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:56:13 [post_modified_gmt] => 2021-04-14 00:56:13 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=16327 [menu_order] => 166 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [9] => WP_Post Object ( [ID] => 8521 [post_author] => 31 [post_date] => 2018-03-27 07:00:38 [post_date_gmt] => 2018-03-27 07:00:38 [post_content] =>

I found myself in the office on Saturday night, mainly because the frozen pizza selection is more expansive than mine at home, and I wanted to get a head start on my project for this week. It was a normal Static Application Security Test (SAST), which follows a mostly pre-defined process, with embellishments depending on the languages and frameworks at play.

The first step in that process is to search for hardcoded passwords. I dug out the simple and ugly password regex I’ve created for this and did a search for /pa?ssw?o?r?d?|pwd/gi across the entire codebase. This regex covers all of the standard ways I've seen "password" used as a variable name in code. Without fail I got back:

Passwordregex

After digging through all the results and parsing out the false positives I ended up with a total of 30 hardcoded passwords. All of them were database connection strings spread across 20 total users, including multiple users with admin access to the database. Our recommendation for this is simple:

Passwords should never be hardcoded in the source code.

Why?

The reasoning behind this is that there are multiple attack paths that result in source code/arbitrary file disclosure. Error messages, public Github repos, arbitrary file read, "oopsies" email attachments, and shoulder surfing being just a few.

A typical escalation path that exploits hardcoded passwords could start with an XML External Entity (XXE) Injection. An application that is vulnerable to XXE will allow us to read (almost) any file on the server. Through this an attacker will fingerprint the technology at play and target the important source code files.  For example, a web application using the Python Django framework will contain a settings.py file. This file will sometimes contain hardcoded passwords for the DB connection. With some luck/bruteforce an attacker can find the source code directory and read the settings.py file via XXE.

HTTP Request:

POST /xxe HTTP/1.1
Host: netspi.com
Connection: close

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY settings SYSTEM "file:///django-app/settings.py" >]>
<foo>&settings;</foo>

HTTP Response:

HTTP/1.1 200 OK
Content-Length: 178
Connection: close

DATABASES = {
 'default': {
 'ENGINE': 'django.db.backends.mysql',
 'NAME': 'admin',
 'USER': 'admin',
 'PASSWORD': 'password',
 'HOST': 'prod-db.netspi.com',
 'PORT': '3306',
 }
}

An attacker can now take this information and connect directly to the database, which is public-facing because someone assumed authentication was enough. Once an attacker has this amount of access, any number of paths can be followed to further infiltrate the network. This attack extends to anything that requires a password: admin pages, config pages, mail servers, etc...

Remediation

We need various forms of secrets (passwords, api keys, etc...) on the box somehow and the goal is to find the method that minimizes the organization’s risk to the greatest degree. Our suggested remediation regularly has the goal of assigning them through environmental variables on the server. Environmental variables are the recommended method due to the low likelihood of an attacker gaining access to them. I've only seen them exploited in two common scenarios, overly-verbose debug pages left running in prod, or using OS command execution to list all of the environmental variables*. Both of which are easily combatable in large code repositories. Environmental variables also allow a more scalable solution, as rotating secrets will only require one configuration change.

Resources

Like most things in security, except 0days, all the information is out there. A lot of people just aren’t aware of the vulnerability or what the proper way to fix it is. Because of that I won’t rehash how every platform implements environmental variables, but I will identify what I think are the best resources for doing so.

The handling of sensitive data for an app should always be done at the deployment/orchestration level. This ensures that secrets are stored and managed away from the web servers and databases. Here are some of the popular deployment and orchestration frameworks, with their related resources:

Kubernetes

Jenkins

TravisCI

Drone

TeamCity

CircleCI

GitlabCI

AWS

  • This uses IAM roles, which are not discussed in this blog, but are a stronger substitute for environmental variables in AWS applications.

Docker Swarm

  • This is an interesting method using Docker Secrets. Unfortunately they are stored in files, but are the recommended method inside of the Docker ecosystem.

In the end, secrets don't belong in the code. Proper distribution will decrease the reach an attacker has through other methods of attack and protect an organization by allowing them to rotate secrets easily and often.

Coming Up

This blog is an attempt at describing a holistic solution to secret handling that will work in every environment. Using environmental variables is still not the most secure method, as plaintext sensitive information is available to every user on the box. To combat this a platform-specific method is usually required, which Windows and Linux both offer.

We're curious to hear how other organizations handle secrets in their code and what improvements could be made to further advance the topic. Let us know @NetSPI or by leaving a comment below!

* Edit 10:13 AM: Unfortunately environmental variables on linux are still vulnerable to arbitrary file disclosure as seen here https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/.

[post_title] => Please Stop Giving Me Your Passwords [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => closed [post_password] => [post_name] => please-stop-giving-me-your-passwords [to_ping] => [pinged] => [post_modified] => 2021-06-08 21:53:15 [post_modified_gmt] => 2021-06-08 21:53:15 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=8521 [menu_order] => 226 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [10] => WP_Post Object ( [ID] => 8072 [post_author] => 31 [post_date] => 2017-12-19 07:00:05 [post_date_gmt] => 2017-12-19 07:00:05 [post_content] => As penetration testers, the tools, information, and knowledge we have available to us directly correlates to the amount of entry points we can identify and exploit in any environment. The longer we spend researching and developing individual escalation paths reduces the amount of time for digging into other parts of the network or application. Below we discuss some of the problems we've had with SQL injection and its related online resources and introduce our solution to fix them.

Another SQL Injection Wiki?

SQL injections are one of those vulnerabilities that, without a proper knowledge base, can take a surprising amount of time to exploit and still get meaningful results. When you have to exploit them in multiple Database Management Systems (DBMSs) every week it becomes annoying looking up all the queries and table names repeatedly. There are many resources on the internet for various injection types and DBMSs, but they only seem to give a cursory glance of the injections and lack in describing what to do after you successfully exploit one. One of our Senior Consultants, Alexander Leary, brought up this issue and proposed an idea to Ben Tindell and I earlier this year. Ben, who loves a good wiki, and I, who was terrible at advanced SQL injection, really enjoyed the idea of a comprehensive centralized knowledge base for SQL injection. Through that exchange the NetSPI SQL Injection Wiki was born. Like other sites, aggregating the basics of injections was important. But we also wanted to aggregate what data was most valuable and where it resided within the various DBMSs, while adding injection techniques to extract that data, obfuscate queries, pivot further into the internal network, and more. Most importantly we wanted it all in one, easy to understand, place.

Presenting

Today we are open-sourcing our wiki to address the problems listed above. You can view the wiki at https://sqlwiki.netspi.com and you can help contribute to its development on Github. We are striving to make this a teaching tool as much as it is a lookup tool. Beginners will benefit from starting at Step 1: Injection Detection, while experienced testers may want to skip straight to the thick of it at Step 5: Attack Queries. If you think any information is inaccurate, or think there is more information we should add, please feel free to create an issue or submit a pull request. A huge thanks to all those who have already contributed! We’re excited to be releasing this and we will continue to work on making it as informative and intuitive as possible. For the time being, what other vulnerabilities do you waste the most time on Googling for exploits? Let us know on Twitter @NetSPI, or by leaving a comment below! [post_title] => NetSPI SQL Injection Wiki [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-sql-injection-wiki [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:27 [post_modified_gmt] => 2021-04-13 00:06:27 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=8072 [menu_order] => 239 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [11] => WP_Post Object ( [ID] => 7976 [post_author] => 31 [post_date] => 2017-09-26 07:00:23 [post_date_gmt] => 2017-09-26 07:00:23 [post_content] => DNS tunneling, in my opinion, is the niftiest data exfiltration method there is. For those not familiar, check out Section 3 from SANS's "Detecting DNS Tunneling" whitepaper here. Our Mobile Application Practice Lead, Aaron Yaeger, recently taught me how easy it is to use Burp Collaborator for DNS tunneling. Exfiltrating data like that was a bit time consuming to do manually, so I set out to automate this task for use in all environments. I automated this task by creating an extension for Burp Suite using the built-in Burp Collaborator API, with a private Burp Collaborator server to parse incoming DNS requests and recreate the tunneled data. The two main ways to use this extension are:

Environments with Burp Suite

In this magical and unlikely environment, the tester has access to Burp Suite on both ends and this extension is installed. In that case the tester goes to the extension on their local box, starts the listening Collaborator instance, and enters the Burp Collaborator address and the data to be exfiltrated on the compromised box’s Burp instance (for full instructions see here).

Environments with Bill and Linus

However, on most compromised boxes there is no Burp Suite, but a scripting engine is usually available (Powershell/Bash). For these environments, I have written Bash and Powershell scripts to tunnel data to Collaborator. These scripts will base32 encode, chunk, and perform DNS queries with the data. The execution chain for a tester looks like this:
  1. Copy over the tunneling script to the compromised box
  2. Click “Start Listening” on the DNS Tunnel extension on the box they want to exfiltrate data to (take note of the Collaborator server address)
  3. Start the script on the compromised box, copy in the Collaborator server address and filename to exfiltrate, and click go
  4. After the data is sent click “Poll now” on the receiving machine and the data will be present
A demo starting at step 2 is below (click to enlarge): DNS tunneling extension demo This is the closest to point-and-shoot that I’ve seen for DNS tunneling, which makes me hope it will give pen testers access to a tool that might have been harder for them to access in the past.  Another great alternative for tunneling is dnscat2, so definitely check that out to see if it fits your needs. Since I’m a big fan of blue teaming I’ll reference the article I posted at the beginning for Detecting DNS Tunneling by Greg Farnham. I should point out that this extension will only work with a private Burp Collaborator Server, as Burp Suite (rightly) doesn’t want their domain getting flagged as malicious when this extension sends hundreds of requests.

Contributing

What is being released today is the 1st revision of this tool. Due to that, it means everything was done the way it popped into my head. If you think there are better ways things could be implemented please feel free to make a pull request or create an issue on Github. You can download the tool at https://github.com/NetSPI/BurpCollaboratorDNSTunnel. [post_title] => DNS Tunneling with Burp Collaborator [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => dns-tunneling-with-burp-collaborator [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:24 [post_modified_gmt] => 2021-04-13 00:06:24 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=7976 [menu_order] => 242 [post_type] => post [post_mime_type] => [comment_count] => 2 [filter] => raw ) [12] => WP_Post Object ( [ID] => 7536 [post_author] => 31 [post_date] => 2017-05-16 07:00:17 [post_date_gmt] => 2017-05-16 07:00:17 [post_content] => Most penetration testers know the pain of trying to view and modify an unparsed JSON string.  For those that don’t, here’s a taste:
{"userId":1234,"username":"JakeReynolds","favorites":["Rubik's cubes","Doctor Who"],"dislikes":["Sushi","Vegetables"]}
When looking at thousands of these strings a day it is important for them to be well formatted and easily understandable. There currently exists a Burp Extension for beautifying JSON but it is written in Python, which requires Jython to be downloaded and added to Burp.  There were also some issues with Jython and that extension not being as dependable as hoped. Due to those reasons we ported that functionality to Java which is run natively by Burp. Java makes this extension one-click install, with support from Google’s GSON parser. The source code can be found on our Github as well as PortSwigger’s Github which includes updated build instructions. To install, simply go to Burp > Extender > BApp Store and select “JSON Beautifier”. The next time there is a JSON request in any of the Burp tabs there will be the option of “JSON Beautifier”. Any content modified in this tab will also be modified in the “Raw” tab.  An example is below: Jsonbeautifierwalkthrough Thanks for checking out our Burp Extension! If you would like any features added feel free to create an issue on Github. [post_title] => Beautifying JSON in Burp [post_excerpt] => Most penetration testers know the pain of trying to view and modify an unparsed JSON string. This Burp extension removes that burden and allows live editing of beautified JSON strings. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => beautifying-json-in-burp [to_ping] => [pinged] => [post_modified] => 2021-06-08 21:51:49 [post_modified_gmt] => 2021-06-08 21:51:49 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=7536 [menu_order] => 253 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [13] => WP_Post Object ( [ID] => 6852 [post_author] => 31 [post_date] => 2017-04-25 07:00:58 [post_date_gmt] => 2017-04-25 07:00:58 [post_content] => If there’s anything to be learned from Gitlab’s recent downtime (which they handled amazingly well), it’s that production databases need to be pampered.  They aren’t something to play around with and as penetration testers that responsibility extends to us. Many companies will allow testing in production, it can be argued that it is the responsible thing to do; production is where a company is most likely to get hit and it's important to test those servers.  While everything said in this blog should be followed in non-prod environments, it isn't a catastrophe if non-prod data is modified.  As a penetration tester it starts becoming catastrophic when one mistake in production can lead to outages and having to restore from backups, if they even exist.  There has to be a way to test SQL Injection without the risk of modifying production data accidentally. A google search for “Safe SQL Injection” will return 0 relevant results.  Surely others have written on this topic and other NetSPI employees have mentioned how they go about this, but the goal of this blog is to make this subject visible and easily accessible.

Setup

Starting with setting up the databases, 3 popular Relational Database Management Systems and their associated syntaxes will be used.
RDBMS Create Table
MySQL 5.7.12
CREATE TABLE USERS (
username VARCHAR(100)  NOT NULL,
password VARCHAR(100) NOT NULL,
email VARCHAR(100)    NOT NULL
)
;
MSSQL Server 2014 Express Edition
CREATE TABLE USERS
(username varchar(100), 
password varchar(100), 
email varchar(100))
;
Oracle SQL 12c
CREATE TABLE USERS
("username" VARCHAR2(100),
"password" VARCHAR2(100),
"email" VARCHAR2(100)
)
/
Go ahead and add some users as well.
RDBMS Add Users
MySQL 5.7.12
INSERT INTO USERS (username, password, email) values
('jake','reynolds','jreynoldsdev@gmail.com'),
('net','spi','alex@netspi.com'),
('johnjacob','jingle','heimer@schmidt.com');
MSSQL Server 2014 Express Edition
INSERT INTO USERS
(username, password, email) VALUES
('jake','reynolds','jreynoldsdev@gmail.com'),
('net','spi','alex@netspi.com'),
('johnjacob','jingle','heimer@schmidt.com');
Oracle SQL 12c
INSERT into USERS ("username", "password", "email") values 
('jake','reynolds','jreynoldsdev@gmail.com'),
('net','spi','alex@netspi.com'),
('johnjacob','jingle','heimer@schmidt.com')
/

Pen Tester's First Day at Work

Now every database has a table called USERS with the structure:
   username password email
1 jake reynolds jreynoldsdev@gmail.com
2 net spi alex@netspi.com
3 johnjacob jingle heimer@schmidt.com
This is usually the first table any pen tester would test against since it is called from every login form.  A simple query is used here:
SELECT username FROM USERS WHERE username='$username' and password='$password';
There’s not much harm to this query, aside from being vulnerable to SQLi.  As a tester tossing in a ' or 1=1 --  here or there won’t hurt anybody.  How about the next time this table comes into play?  When a user wants to update their email address the query looks somewhat like:
UPDATE USERS set email='$email' where username='$username';
Now here’s a weekend ruiner if the test is in production.  Giving this input form the simple test of '; --  can ruin the entire Users table.
UPDATE USERS set email=''; -- where username = '$username';
   username password email
1 jake reynolds
2 net spi
3 johnjacob jingle
CRAP. Every email in the company’s database has been deleted.  Maybe they have backups, but it's not St. Patrick's Day so luck is a little short. What happens now?  Dust off that resume and hope to not make the same mistake with future employers.

How to Keep Future Jobs

There are a couple ways to avoid this mistake and they come down to taking an extra second to think about the query format before inserting injection strings.  Going back to the update query, look at it from another angle.
UPDATE USERS set email='$email' where username='$username';
This would be blind to testers, but it would be behind a request similar to:
POST /updateEmail HTTP/1.1
Host: jakereynolds.co
Connection: close
Content-Length: 165
Content-Type: application/x-www-form-urlencoded

username=jake&email=jreynoldsdev@gmail.com
It’s clear that an email parameter is going to be inserted into a query.  Our goal is to find some strings that can be inserted without ruining everyone’s weekend. The first attempt is string concatenation, breaking out of the query and appending something to our string.  This allows the rest of the query to still be valid and shows if the parameter is vulnerable.
MSSQL MySQL Oracle
'+'concat
con' 'cat'
'||'concat
These strings all result in the query looking similar to:
UPDATE USERS set email=''+'concat' where username='jake';
   username password email
1 jake reynolds concat
2 net spi alex@netspi.com
3 johnjacob jingle heimer@schmidt.com
Now everyone is hunky-dory, but none of the queries are the same across the 3 RDBMS'.  What other options are available for these 3?  MySQL and Oracle allow arithmetic operators on numeric strings.  If the injection does not need to escape a quote, MSSQL can be used as well with integers.
MSSQL MySQL Oracle
1+1
1-1
1/1
1*1
'='test
1'+'1
1'-'1
1'/'1
1'*'1
1'+'1
1'-'1
1'/'1
1'*'1
Using addition from MySQL shows this is possible with strings and numbers.
UPDATE USERS set email='1'+'1' where username='jake';
   username password email
1 jake reynolds 2
2 net spi alex@netspi.com
3 johnjacob jingle heimer@schmidt.com
So all 3 of the RDBMS’ have some options to use, but this is operating under the assumption that it doesn't matter what database is being tested.  What option is there to safely inject a string blindly into any of these 3 databases?

The Blind Leading the Blind

It was difficult to find any operators, functions, etc... that executed in the same way across all 3 databases.  Although, coming up from behind for a cheap 2nd is one operator that works on all 3, just doing different things. In MSSQL the + character acts as a form of string concatenation, as presented above.  MySQL and Oracle initially failed any tests for this operator until it came clear that they are for integer arithmetic.  That gives the magical injection string of:
MSSQL MySQL Oracle
1'+'1
1'+'1
1'+'1
UPDATE USERS set email='1'+'1' where username='jake';

   username password email
1 jake reynolds 2
2 net spi alex@netspi.com
3 johnjacob jingle heimer@schmidt.com
In MSSQL the output will become 11, due to string concatenation. There it is!  We now have an option that will allow us to inject blindly into queries for 3 major RDBMS', without potentially destroying their tables.  The challenge going forward is expanding this to fit more RDBMS' and to fit more complicated scenarios.  That will be left as a challenge to the user, but if you have any other ideas or comments please let us know below! [post_title] => SQL Injection to Help You Sleep at Night [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => sql-injection-help-sleep-night [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:28 [post_modified_gmt] => 2021-04-13 00:06:28 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=6852 [menu_order] => 256 [post_type] => post [post_mime_type] => [comment_count] => 1 [filter] => raw ) [14] => WP_Post Object ( [ID] => 6930 [post_author] => 31 [post_date] => 2017-02-21 07:00:54 [post_date_gmt] => 2017-02-21 07:00:54 [post_content] => When someone buys a domain name the usual purchase length is one year, with certain DNS providers allowing multi-year purchases.  Large entities can quickly lose track of all their domains and keeping track of when those domains expire can be an even bigger hassle.  When you add Flash integration into the mix it starts becoming a security issue. Adobe Flash has been known to have many vulnerabilities in the past, and my favorite is actually a feature.  Flash has the feature of respecting a cross-domain policy for inter-site communication; the crossdomain.xml file lists valid external domains that can make requests to the Victim Site (VS).  An example crossdomain.xml looks like this:
<cross-domain-policy>
<allow-access-from domain="valid.com"/>
<allow-access-from domain="testing.com"/>
<allow-access-from domain="example.com"/>
</cross-domain-policy>

Any of those sites have full cross-domain access to the VS.  Many blogs have covered the topic of overly-permissive cross domain policies with rules like <allow-access-from domain="*"/>  that allow access from any site.  This blog will cover the topic of expired domains that are allowed in cross-domain files, allowing an attacker to purchase that domain and gain full cross-domain access.

Cross-Domain Scanner

As stated before, cross-domain exploitation has been well documented so I will link tutorials on defeating CSRF on the expired domains below, here is how we can go about discovering those domains using my crossdomainscanner python script located here.

Prerequisites

~$ git clone https://github.com/NetSPI/crossdomainscanner
~$ cd crossdomainScanner
~$ pip install -r requirements.txt
I’ll start with identifying the VS I would like to scan, for this demo I’ll be using https://jakereynolds.co.  A VS can be found any number of ways and we can verify it has a cross-domain policy by accessing https://jakereynolds.co/crossdomain.xml.   We’ll then feed this into the cross-domain scanner with the command:
python scanner.py https://jakereynolds.co -v
Once the script is finished it will tell us if there are any expired domains in the policy.
Possible expired domains:
asdaasdasfwkjhcjhbwrgkljsv.com
thisisanexpireddomainaswell.es
jakereynoldsexpireddomain.com
We now know that http://jakereynoldsexpireddomain.com can gain cross-domain access to https://jakereynolds.co, instantly eliminating any CSRF protection that might have existed on the site.

Exploitation

The best way to exploit this is to take advantage of the CSRF bypass.  Purchase the expired domain, make someone visit your site, and if they are logged in on the VS you can make requests under the context of their account.  This will be done by creating a Flash application for manipulating requests, more on that here.  If the VS does not have any valuable APIs the cross-domain access does not warrant a valid finding, since nothing can be exploited from it.

Findings

Out of the Top 5000 Alexa domains:
  • 222 allow cross-origin requests from any domain (*)
  • 20 allow cross-origin requests from expired domain names
  • 20 allow cross-origin requests from domains with invalid TLDs (.local, .des, etc…)

Recommendation

As a site owner/maintainer it is best to run this script against your own domain and remove or repurchase any expired domains allowed in your crossdomain.xml file.  For long-term monitoring it would be good to incorporate this tool into your development pipeline so that it gets checked at least once every production deployment.  A permanent fix would be to remove Flash integration with the website, since Flash is already being deprecated in certain browsers.

References

http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html is linked above for a Flash tutorial In my time researching I discovered a similar tool for this written by @IAmMandatory, you can find that here. [post_title] => Defeating CSRF Protections Through Expired cross-domain.xml Domains [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => defeating-csrf-protections-expired-cross-domain-xml-domains [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:24 [post_modified_gmt] => 2021-04-13 00:06:24 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=6930 [menu_order] => 267 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 15 [current_post] => -1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 25368 [post_author] => 53 [post_date] => 2021-05-13 07:00:49 [post_date_gmt] => 2021-05-13 07:00:49 [post_content] =>

Over time, the way we view cyber security risk has evolved the penetration testing industry. What once was a static laundry list of vulnerabilities to remediate is now a risk-based vulnerability management program. Modern penetration testing should provide more than a list of vulnerabilities. To be effective, it must guide organizations to effectively prioritize the vulnerabilities, assets, networks, etc. that pose the highest risk to the business.

In this webinar, NetSPI’s product team, Jake Reynolds and Cody Chamberlain, will discuss:

  • How risk has evolved in penetration testing  
  • The role of risk scoring in intelligent prioritization of security activities  
  • The factors that impact a risk score 
  • Pragmatic steps to take after you receive a risk score
[post_title] => The Evolution of Risk-Based Vulnerability Management [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => evolution-of-risk-based-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2021-06-24 12:33:53 [post_modified_gmt] => 2021-06-24 17:33:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=25368 [menu_order] => 4 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 15 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 50b7446e2005f0caf2e3431f330be32e [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )
Extreme Makeover AppSec Edition
Jake Reynolds