Penetration testing, also known as pentesting or ethical hacking, is a security exercise where cybersecurity experts mimic external attackers who are looking to gain access to your sensitive data and resources.
During this exercise, our team performs a simulated attack to identify and exploit vulnerabilities in your system. We then provide a comprehensive report outlining our recommendations to patch identified vulnerabilities and strengthen your overall security posture.
Thoropass recommends performing annual gray box pentests, where the tester has partial access to the in-scope targets to assess your systems’ unauthenticated and authenticated segments. This type of test strikes a balance between depth and efficiency, as direct access allows the tester to save time when identifying weaknesses inside your system. A gray box pentest is the most efficient way to test your vulnerability to outsider and insider threats.
Targets
There are four types of assets in our current portfolio of services that can be tested: web applications, APIs, mobile apps, and networks.
Web Application Pentest
The main goal of web application penetration testing is to identify potential vulnerabilities, which may include unintentional information exposures, authentication bypass methods, poorly implemented security controls, and injection attacks.
Pentesters use tools such as Burp Suite and browser developer tools to analyze the functionality of a target and its business logic, and to search for vulnerabilities in JavaScript files and HTML source code. Because client-side controls are outside the server's control, the server-side application is tested by sending arbitrary input to see whether it handles potentially harmful input correctly.
Examples of this testing include modifying hidden HTML form field values, changing session tokens in HTTP cookies, and adding or removing parameters. The testing approach also examines the target's workflows and business logic, which can uncover vulnerabilities such as the ability to bypass certain steps in a process, like skipping multi-factor authentication or purchasing a product for a lower price than advertised.
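The hidden-field price tampering described above, as an added example (not Thoropass code): a checkout handler that trusts the client-supplied price beside one that derives the price from a server-side catalog. The catalog, field names and request bodies are constructed for illustration.

```python
"""Added example: a checkout handler that trusts a hidden form field versus one
that derives the price server-side. Not Thoropass code; the catalog, form data
and handler names are constructed for illustration."""

from decimal import Decimal

# Constructed server-side catalog: product id -> unit price (authoritative).
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("129.00"),
}


class CheckoutError(ValueError):
    """Raised when submitted order data fails server-side validation."""


def checkout_vulnerable(form: dict) -> Decimal:
    """Trusts the hidden 'price' field rendered into the HTML form; a proxy
    can change that value before it reaches the server, and it is charged."""
    qty = int(form["quantity"])
    return Decimal(form["price"]) * qty


def checkout_hardened(form: dict) -> Decimal:
    """Ignores any client-supplied price and looks it up by product id."""
    product_id = form.get("product_id")
    if product_id not in CATALOG:
        raise CheckoutError("unknown product")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError as exc:
        raise CheckoutError("quantity is not an integer") from exc
    if not 1 <= qty <= 100:
        raise CheckoutError("quantity out of range")
    # Whatever the client sends for 'price' is never read.
    return CATALOG[product_id] * qty


# Constructed request bodies: what the page renders, and a tampered copy.
HONEST_FORM = {"product_id": "sku-200", "quantity": "1", "price": "129.00"}
TAMPERED_FORM = {"product_id": "sku-200", "quantity": "1", "price": "0.01"}
```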
API Pentest
APIs sit in a critical position between users and the sensitive systems on the backend. The main difference between a web pentest and an API pentest is that in the latter there are no obvious graphical user interface cues such as search bars, login fields, and file upload buttons. API testing instead targets the backend operations behind those GUI elements. The pentester uses tools such as Burp Suite or Postman to interact with the APIs and actively searches for information disclosure flaws, authentication bypasses, missing rate limiting, and broken authorization, among other vulnerabilities common in APIs.
Mobile Pentest
Mobile pentesting is primarily focused on data protection. Apps, regardless of the operating system that they run on, store various types of personal information, including pictures, location, notes, and more. Even though iOS and Android offer mature mechanisms for secure data storage and communication, those have to be implemented and used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs, and secure network communication are only some of the aspects that require careful testing.
Network Pentest
Network pentests assess all aspects of a computer network, including on-premises servers and services running on any port. These tests require a strong understanding of networking, Windows, Linux, and Active Directory. While network vulnerability scanners such as Nessus can be used alongside other tools during a network pentest, vulnerability scanning is only one component of a comprehensive network pentest. Other objectives of this type of test include lateral movement, privilege escalation, and gaining root access.
Pricing
Penetration tests are typically priced based on scope.
This includes variables such as:
The number of web applications and how many modules and user roles they contain
The number of REST API endpoints or GraphQL root queries/mutations
The number of mobile apps and user journeys they have
The depth of the testing each asset requires
The number of IP addresses that the client has in their network
Process and Methodology
The pentesting process can be broken down into six steps:
Step 1: Information gathering and reconnaissance
This is arguably the most critical step in every pentest. During reconnaissance, testers gather the information needed to understand the target and its scope. Information is collected through various means, such as finding open ports and subdomains, crawling the target, discovering directories and parameters via fuzzing, OSINT gathering, searching for leaked credentials on the web, identifying the application's technology stack, and Google Dorking, among others.
Step 2: Scanning and enumeration
Before manual assessment begins, it is recommended to perform automated reconnaissance and run vulnerability scanners. This catches low-hanging fruit and points the tester to the weakest areas of the target. Pentesters assess the target application using commercial and open-source security tools. During this phase, we ensure that scanning covers the entire scope of the application and that every segment is assessed for security issues.
Step 3: Manual exploitation
During this phase, a skilled pentester uses proxy tools to simulate real-world cyber-attack scenarios. This is where the magic happens: we mimic what real attackers would do and employ various attack techniques to identify vulnerabilities in your systems.
Such vulnerabilities may include authorization bypass, which could allow User A to view User B's private information or gain access to highly sensitive data handled by your application. Other techniques include escalating privileges, exfiltrating data, and cracking passwords, in order to demonstrate the damage an attacker could cause.
It is important to note that we do not restrict ourselves to a predefined list of test cases. Instead, we evaluate the security of an application as an actual intruder would, using both manual methods and automated tools. However, we do maintain a checklist that establishes the minimum coverage every application must receive for the test to be considered thorough.
In doing so, we follow the requirements and recommendations of reputable sources such as the OWASP Top 10, the sections of the OWASP Testing Guide applicable to the target application, and the relevant guidance in NIST SP 800-115 on security assessments.
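The authorization bypass named here and in the API pentest section (User A reading User B's record), as an added example that is not Thoropass code: a handler that only authenticates beside one that also checks object ownership, returns 404 for both unauthorized and missing ids so user ids cannot be enumerated, and logs the denial for detection. The user store, Session class and handler names are constructed.

```python
"""Added example: broken object-level authorization, vulnerable and hardened.
Not Thoropass code; the user store, session shape and handler names are
constructed for illustration."""

import logging
from dataclasses import dataclass

log = logging.getLogger("authz")

# Constructed user store: user id -> private record.
USERS = {
    101: {"email": "a@example.com", "ssn_last4": "1234"},
    102: {"email": "b@example.com", "ssn_last4": "9876"},
}


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str = "user"


def get_profile_vulnerable(session: Session, user_id: int):
    """Authenticates (a session is required) but never authorizes: any
    logged-in user can read any record by changing the id in the request."""
    record = USERS.get(user_id)
    return (200, record) if record else (404, None)


def get_profile_hardened(session: Session, user_id: int):
    """Object-level check: the caller must own the record or be an admin.

    Unauthorized and non-existent ids both return 404 so the endpoint does
    not reveal which user ids exist; the denial is logged for detection."""
    if session.user_id != user_id and session.role != "admin":
        log.warning("authz denied: user=%s requested user=%s",
                    session.user_id, user_id)
        return (404, None)
    record = USERS.get(user_id)
    return (200, record) if record else (404, None)
```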
Step 4: Maintaining access and post-exploitation
Once the tester identifies and exploits a vulnerability, they validate whether access can be maintained and extended within the system. This demonstrates that a malicious actor could gain deeper access by exploiting additional weaknesses, moving through the system and chaining different vulnerabilities.
Step 5: Reporting
In the reporting step, the tester compiles a report presenting the data gathered. The report includes the specific vulnerabilities exploited, the sensitive data accessed, and how long the tester remained in the system undetected.
The report should be readable by both technical and non-technical audiences.
The detailed report consists of the following sections:
Executive Summary
Overview of the Assessment
Scope
Vulnerabilities and Recommendations
The Thoropass pentesting team will categorize vulnerabilities based on the Common Vulnerability Scoring System (CVSS 3.1), an industry standard that provides a method to capture the key features of a vulnerability and generate a numerical score reflecting its severity.
Step 6: Retest
Thoropass offers unlimited retests within a 90-day period for every identified vulnerability.
From here, it is the organization’s job to move forward with new security solutions based on the feedback provided.
Assessment Tools
We may use any or all of the following tools during a pentest:
Kali Linux VM in AWS: Kali Linux is an open-source, Debian-based Linux distribution designed for various information security tasks, such as penetration testing. This box will have all the tools mentioned below installed and can be used to run resource-intensive scans or as an HTTP server to test for out-of-band vulnerabilities.
ReNgine: Open-source automated reconnaissance framework for web applications that includes subdomain discovery, IP and open port identification, endpoint discovery, directory and file fuzzing, screenshot capture of live domains, vulnerability scanning with Nuclei, WHOIS lookup, and WAF detection.
Nuclei: Open-source vulnerability scanner driven by YAML templates. The template ecosystem benefits from the contributions of hundreds of security researchers worldwide and covers recent attack vectors such as the Log4j vulnerability and GitLab RCE.
sqlmap: Open source tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Burp Suite: Proxy program that enables tracking, examining, and altering requests made by browsers before they are forwarded to a server. It also includes a scanner, fuzzer, decoder, and custom extensions to support the whole testing process, from the initial mapping and analysis of an application's attack surface through the discovery and exploitation of security flaws.
WPScan: Black box WordPress security scanner to test the security of sites. The WPScan CLI tool uses a database of 23,381 WordPress vulnerabilities.
JWT_Tool: Toolkit for validating, forging, scanning, and tampering with JWT tokens.
ffuf: Fast web fuzzer to discover directories, parameters, virtual hosts, etc.
Nikto: Open source web server scanner that performs tests against web servers for multiple items, including over 6,700 potentially dangerous files/programs, and checks for outdated versions and version-specific problems.
Hashcat: One of the world's fastest password crackers.
Amass: OWASP tool that performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
Hakrawler: Web crawler for gathering URLs and JavaScript file locations.
CookieMonster: Command-line tool and API for decoding and modifying vulnerable session cookies from several different frameworks.
Nessus: Vulnerability scanner to gain comprehensive visibility with deep insights about different assets, not just web.
Postman: An API platform for building and using APIs. It can proxy all the traffic it generates to Burp Suite.
kiterunner: Performs traditional content discovery at high speed and also brute-forces routes/endpoints in modern applications.
InQL: A Burp Suite extension for advanced GraphQL testing. InQL makes it easier to modify GraphQL queries in Repeater and enables you to scan the API schema.
Graphql Voyager: Represent any GraphQL API as an interactive graph.
Clairvoyance: Obtain GraphQL API schema even if the introspection is disabled.
GraphQL Cop: Security audit scanner for GraphQL.
Arjun: Helps find query parameters for URL endpoints.
graphw00f: GraphQL fingerprinting tool for GQL endpoints. It sends a mix of benign and malformed queries to determine which GraphQL engine is running behind the scenes, and uses the GraphQL Threat Matrix project to provide insight into which security defenses each engine provides out of the box and whether they are on or off by default.
With malicious actors getting more sophisticated year after year, your business must conduct regular penetration testing to protect your data, customers, and company and stay compliant with information security frameworks such as SOC 2 or ISO 27001. At the minimum, we recommend an annual pentest and, ideally, any time your business introduces a new product line or significant feature update.
Thoropass’s all-in-one approach to compliance offers the most efficient path to build a scalable security posture that can stand the test of any attacker. Our penetration testing team will be your trusted partner in offensive cybersecurity. Please reach out to get started!