Ask anyone at Synack what the first question a prospect asks is and you’ll get the same answer (it’s down below). But the second question is often: “Why do you want me to give your testers credentials when testing my web applications? Criminals don’t get logins, and I want you to simulate a real attack.”
First, let’s get one thing out of the way—the assumption that an attacker won’t have credentials is a dangerous one. While an attacker will check for uncredentialed access, it is assumed that logins will be frequently monitored and reviewed by security teams, making the activity higher risk for the attacker. A safer assumption is that attackers will find and use working credentials during their attacks.
Why test with credentials?
There’s a difference between attacking a target just to see if anything sticks and conducting an offensive test that yields actionable data and vulnerabilities. Credentialed attacks help produce comprehensive data and vulnerabilities that make software safer.
Attackers know that gaining a credential, even a low permission credential, can be done with minimal effort. Credentials are cheap and plentiful. Too many are left active even after a breach is discovered; it’s like finding a lost key that the owner hoped would never be traced back to their door. And it’s next to their house.
What more do you get with credentialed testing?
Uncredentialed testing is like hiring a building inspector but only allowing them to inspect your doorknobs. You might have a super-secure doorknob to keep intruders out, but slap it on a plywood door and it won’t keep anyone out.
The main benefit of credentialed attacks is that they blend in with authorized user traffic. Adversaries get access to functionality that wouldn’t be presented to an external party. They might even get access to lightly secured assets. This lowers attackers’ chances of being discovered so they can run longer campaigns (*cough* dwell time *cough*) to get the access/data they seek.
To demonstrate the risk that remains if uncredentialed testing is the only attack vector allowed, Synack analyzed vulnerabilities from application tests from calendar year 2019. What we found was that without credentials, security teams could miss as many as 45% of the vulnerabilities found in typical crowdsourced penetration testing.
What we have found is that complementing tests with credentials from different roles in the system makes your crowdsourced security test even more complete.
The simple act of giving logins allows testers to thoroughly inspect an application’s security, test functionality provided to users, and identify and resolve critical business logic issues, in particular the vulnerabilities that could affect data security or privacy between users. It also lets organizations ensure their applications are as secure as possible should the “unthinkable” happen and a user credential become compromised. For that reason, very few Synack customers choose to continue with an uncredentialed penetration test once they know the differences.
For example, in a standard business application an organization could expect the following coverage for vulnerability types.
One credential per tester, or one credential for all?
Well, it depends on the application that’s being tested, but in general more is better. At the most basic level, having at least 1 credential per tester ensures that tester 1 does not affect tester 2’s research. Having shared credentials can mean vulnerabilities are missed due to overlapping changes and can also introduce operational issues that impact testing, such as account lockout, password changes, and so on.
Having 2 (or more) credentials per tester is a luxury, but it expands their testing opportunities and allows more thorough testing. For example, it can be difficult for a pentester to successfully exploit privilege escalation or access control issues without a second account available to validate that a suspected vulnerability is real. For all of these reasons we feel the general best practice should always be the same: the more credentials testers have, the more complete and accurate their testing will be.
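To show why the second account matters, here is an added example (not code from the post or from Synack) modelling a tiny in-memory document endpoint in two variants, one missing the ownership check and one enforcing it, with the checks an uncredentialed tester and a two-credential tester would each run against it. The users, tokens and document ids are constructed sample data.

```python
# Constructed sample data: two users, each owning one document.
USERS = {"alice-token": "alice", "bob-token": "bob"}
DOCS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    202: {"owner": "bob", "body": "bob's invoice"},
}


def get_doc_vulnerable(token, doc_id):
    """Authenticates the caller but never checks ownership (horizontal access flaw)."""
    if token not in USERS:
        return 401, None
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc["body"]


def get_doc_hardened(token, doc_id):
    """Authenticates and enforces that the caller owns the requested document."""
    if token not in USERS:
        return 401, None
    doc = DOCS.get(doc_id)
    # Same 404 for "missing" and "not yours", so other users' ids are not confirmed.
    if doc is None or doc["owner"] != USERS[token]:
        return 404, None
    return 200, doc["body"]


def unauthenticated_check(endpoint, doc_ids):
    """What an uncredentialed test can see: requests with no token at all."""
    return [i for i in doc_ids if endpoint(None, i)[0] == 200]


def horizontal_access_check(endpoint, token_a, token_b, ids_of_b):
    """Two-credential test: B confirms each document is really B's, then the
    same id is requested as A. An id is reported only if A gets B's content,
    which a single account could never demonstrate on its own."""
    leaked = []
    for doc_id in ids_of_b:
        status_b, body_b = endpoint(token_b, doc_id)
        status_a, body_a = endpoint(token_a, doc_id)
        if status_b == 200 and status_a == 200 and body_a == body_b:
            leaked.append(doc_id)
    return leaked
```

Against the vulnerable variant the uncredentialed check reports nothing while the two-credential check reports document 202; against the hardened variant both report nothing.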
Get Better Tests with Credentials
So back to basics:
The adversary wants defenders to test without credentials. It misses vulnerabilities that attackers won’t.
Our goal is to help organizations be as resilient to attack as possible. To achieve this goal Synack helps customers gather credentials; sometimes we even do it for customers as part of their test preparation. We’ll even make the fake usernames funny if you ask nicely. Just set us up to get the job done and we will set you and your teams up to be as resilient as possible.
Oh, and that most heard question at Synack? It’s “Who are these hackers?” You can learn more about them and Synack’s processes for vetting, monitoring, and building trust at synack.com/red-team or follow us @SynackRedTeam.
- Rajesh Krishnan and Paul Mote