Recently, a project manager I work with asked me if I had manually validated a set of security flaws I uncovered during a web security assessment. The flaws in question were related to the server host and not the actual Web application. I actually had not manually validated every single finding in that regard. I paused to think about it and understood why he asked. The scope of the assessment stated we’d use automated tools and perform manual analysis of the hosts and applications we were testing. During discussions with the client it became clear to him that I had not manually validated every single flaw – hence his question.
Let me explain why I didn’t validate everything. When you’re testing IP-based hosts, you often don’t need to manually validate every single finding – only occasionally. However, with Web applications, you need to validate just about everything to ensure you’re not documenting problems and solutions for issues that don’t even exist. I told the project manager that for an SSL certification flaw I uncovered, the scanner is providing the same information I’d be able to get via any other means. Ditto with a flaw that uncovered an outdated version of the server’s operating system.
Another flaw was regarding the internal IP address being exposed on the server. The project manager was specifically interested in that finding. I told him that the internal IP address uncovered was right before us in the scanner results. Although there may be some circumstances that warrant it, I’ve never found a need to manually validate this specific vulnerability. In fact, this one could be next to impossible unless you’re on the internal network, but that’s a different discussion. Either way, if the scanner finds an internal IP address, it finds an internal IP address. There’s no other explanation for how a scanner could come up with a random internal IP address that happens to match an internal IP addressing scheme (that I happened to know of) otherwise.
Be it a web vulnerability scanner or advanced penetration testing tools you use manually, you need reliable means to ferret out such information, especially if it’s to be reliable and accurate. But in most cases, based on my experience, you’re not going to have to double-check every single finding of a server host in this regard.
Keep in mind that not every flaw is the same. Some require true validation and some won’t even be found using automated tools. Testing for security vulnerabilities is as much of an art as it is a science and experience using the tools, knowing what to expect from them, deciphering their results and knowing what else to look for is critical. That still doesn’t mean we’ll find it all…there’s no way to guarantee that. As with radiologists and home inspectors, there are just too many variables and unknowns involved.
Regardless, Web application or IP-based host, if I, based on my knowledge and experience, believe something needs further manual analysis then I’ll do it. If not, I’ll leave it be and document it as such. Once you’re comfortable doing so, I recommend you do the same.
Interestingly, it ended up being that the client’s questions weren’t about whether or not I actually validated each and every finding, but rather whether or not the hosts I listed in the report were indeed affected. There’s a difference. Make sure you keep all of this in mind and everyone is on the same page as you move forward with your security testing. Proper scoping and advance planning are half the battle.