After a short break, ComTech is back.
Today's post covers something that is relevant to every pentest: the do's and don'ts of pentesting a production environment.
- Don't use automated scanners, or use as few of them as possible.
In application PT, use none and do everything manually. In infrastructure PT, use only the ones you really need. The automated scanners to avoid include the vulnerability scanners: Nessus and OpenVAS in infra PT, the Burp Pro scanner and Acunetix in app PT.
- Perform as much of the test as possible manually.
- In particular, don't use any tools at all in OT environments (industrial control systems, SCADA). These environments are especially sensitive, and even a simple port scan might crash them altogether.
- If you do need to use tools in infra PT, make sure you enable the "safe checks" option where one exists (Nessus and OpenVAS both have one), so the scanner skips checks that are known to crash services.
- Don't use payloads that can cause any damage. This includes innocent-looking payloads such as the classic XSS and SQLi payloads `<script>alert('xss')</script>` and `' or 1=1--` in app PT.
The first, if the XSS turns out to be persistent, pops up a message on a production page for real users and embarrasses the client. The second, if injected into the wrong place, could delete every record in a table (if the input lands in a DELETE statement), or turn a single-record lookup into a query that fetches every record in the table and might bring the system down.
- Always clean up after yourself, and do your best to delete any test records and data, especially anything stored persistently (in a DB).
- In infra PT (and this is also relevant to app PT), don't send large inputs to the interface under test, as that too might crash the system.
- If payments are involved, always ask the client for QA (test) credit cards. Never use your own credit card in a PT.
- Don't change any configuration in an admin interface or CMS unless the client explicitly permits it.
- Create dedicated test email accounts and use only those in the test, so you won't keep getting spammed long after the test is over.
- Don't run online login brute-force attacks without permission, as they might lock out production users.
- If you are testing a hosted, cloud-based system, always make sure you have the appropriate permissions to do so, and that the cloud provider is aware of the test and approves it.
- Despite everything written above, always talk to the client and align expectations. There may be specific production environments in which some of the don'ts above are acceptable.
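To make the payload point concrete, here is an added example (written for this post, not code from the original article or from any client system). It simulates a backend that concatenates input into its SQL (hypothetical `vulnerable_select` / `vulnerable_delete` functions over a constructed in-memory SQLite table) and compares what `' or 1=1--` does against a lookup and against a delete with what a boolean probe pair ANDed onto the tester's own record does. It also shows a benign XSS reflection check that confirms a finding without ever running `alert()` in anyone's browser. The table, the `ptuser` record and the two HTML responses are all constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave")]
TESTER_ROW = (99, "ptuser")   # a record the tester creates (and must clean up later)


def fresh_db():
    """In-memory stand-in for a production table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def vulnerable_select(con, name):
    """Hypothetical backend lookup that concatenates user input into SQL."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def vulnerable_delete(con, name):
    """Hypothetical backend delete with the same flaw; returns rows removed."""
    sql = "DELETE FROM users WHERE name = '" + name + "'"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def rows_left(con):
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def sqli_payload_impact():
    """Compare the classic always-true payload with a boolean probe pair."""
    out = {}

    # ' or 1=1--  against a lookup: the WHERE clause is now always true, so the
    # query fetches every record (a full-table read on a big table).
    con = fresh_db()
    out["select_or_1eq1"] = len(vulnerable_select(con, "' or 1=1--"))

    # The very same payload against a delete endpoint wipes the whole table.
    con = fresh_db()
    out["delete_or_1eq1"] = vulnerable_delete(con, "' or 1=1--")
    out["left_after_or_1eq1"] = rows_left(con)

    # Boolean probes that AND a condition onto the tester's own record can only
    # narrow the result: the true/false responses differ, which proves the
    # injection, while the client's production rows are never touched.
    con = fresh_db()
    con.execute("INSERT INTO users VALUES (?, ?)", TESTER_ROW)
    con.commit()
    out["select_true"] = len(vulnerable_select(con, "ptuser' and '1'='1"))
    out["select_false"] = len(vulnerable_select(con, "ptuser' and '1'='2"))
    out["delete_false"] = vulnerable_delete(con, "ptuser' and '1'='2")
    out["delete_true"] = vulnerable_delete(con, "ptuser' and '1'='1")  # only ptuser
    out["left_after_probe"] = rows_left(con)
    return out


def xss_reflection(marker, page_html):
    """Benign XSS check: submit a unique marker wrapped in the characters that
    matter and inspect the response. Nothing executes in anyone's browser."""
    probe = '<"\'' + marker + '>'
    if probe in page_html:
        return "reflected unencoded"   # injectable; report it, no alert() needed
    if marker in page_html:
        return "reflected encoded"     # present but neutralised by output encoding
    return "not reflected"


# Constructed responses, as a server might return them for the probe above.
RAW_PAGE = "<p>Hello <\"'zq7k1>, welcome back</p>"
ENCODED_PAGE = "<p>Hello &lt;&quot;&#x27;zq7k1&gt;, welcome back</p>"

if __name__ == "__main__":
    print(sqli_payload_impact())
    print(xss_reflection("zq7k1", RAW_PAGE), "/", xss_reflection("zq7k1", ENCODED_PAGE))
```

Two caveats when carrying this over to a real engagement. The AND-based probe is only safe because it is aimed at a record the tester created, so create that record first and delete it afterwards (the clean-up point above). And the `--` comment terminator behaves differently across databases (MySQL, for instance, needs whitespace after `--`), so a payload that looks harmless in one engine can parse differently in another; when in doubt, prefer probes that do not rely on commenting out the rest of the statement.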