Every day, many websites are hacked, and any organization can be the target of hackers. One of the best ways to protect web and mobile applications is by performing penetration testing.
“Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries.”
The primary purpose of a pen-tester is to find vulnerabilities in the security posture of an organization, as well as to assess conformity with its security policies, test the personnel's awareness of security concerns, and determine when and how the organization would be vulnerable to security disasters.
The Current Situation
Presently, many cybersecurity tools, such as Acunetix and Nessus, support pen-testing by automatically scanning applications for vulnerabilities. These tools scan an application by sending various crafted requests to the server and analyzing the responses for evidence of vulnerabilities.
However, these tools send each request separately, not as part of a sequence.
In web application and API penetration testing, pen-testers frequently find themselves in situations where requests depend on each other and form a chain of requests. Scanning such requests in isolation can produce many false results. For example, the session may expire during testing, which commonly occurs, or several requests may be needed before a vulnerability can be detected.
For instance, with Acunetix, pen-testers can add headers and cookies to a request before scanning it. When the session is terminated after a period of time, the pen-tester must log in to the target website again, add the new headers/cookies to the request, and scan again.
Therefore, penetration testing of these requests needs to be done through a combination of manual and automatic mechanisms, which consumes considerable resources because many steps are repeated.
The Proposed Solution
Recently, a new concept, called a macro, has emerged that can help pen-testers in these circumstances.
“A macro is a predefined sequence of one or more requests.”
Common use cases of macros include:
- Fetching an application page (such as the home page) to validate that the current session is still valid
- Logging in to obtain a new valid session
- Obtaining a token or parameter from a previous response to use as a parameter in a subsequent request
- Running the necessary preceding requests when the request being scanned or fuzzed is part of a multi-step process, in order to bring the application into a state where the targeted request will be accepted; for example, when an application prevents scanning by using CSRF tokens
- Completing the remaining stages of a multi-step process after the “attack” request, to validate that the operation was performed, or to obtain the result or error message returned at the end of the process
Every macro, in addition to its basic sequence of requests, requires several essential configurations: how cookies and parameters should be handled across the sequence, and any interdependencies between the items.
The Weaknesses of the Current Solution
The macro feature is currently only supported in Burp Suite. Although Burp Suite Macros is a potential solution for various issues, the feature still has some weaknesses that could be improved in the future.
- There are many cases where pen-testers need to transform a parameter taken from a response before it fits the next request, such as hashing, encoding/decoding, or encrypting/decrypting. Burp Suite currently only supports URL-encoding.
- Users can only edit parameters in the body of the requests but cannot edit the headers. An extension that integrates with Burp Suite Macros helps users in this scenario: Add Custom Header (see the Burp Suite Guide).
- The name of the parameter in the previous response and in the next request needs to be the same; otherwise, the macro cannot determine that two differently named parameters correspond to each other.
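To make the macro concept and its three missing pieces concrete, the following is an added example of a minimal macro runner (it is not Burp Suite's code and not any existing extension). It covers the use cases listed earlier (revalidating a session, logging in again, threading a token from one response into a later request, completing a multi-step CSRF-protected flow) and the three weaknesses just listed: a table of transforms beyond URL-encoding, injection into a header rather than only the body, and a mapping between a value's name in the response and its name in the next request. Everything here is constructed for the demonstration: `fake_server` stands in for a hypothetical application with `/login` and `/profile` endpoints that expects a SHA-256-then-base64 form of the CSRF token in an `X-CSRF` header, and `Step`, `MacroRunner` and `TRANSFORMS` are names chosen for this example. No network I/O takes place.

```python
"""Minimal macro runner: a predefined sequence of requests with session
re-login, value extraction, transformation and re-injection.
Added example; fake_server is a constructed stand-in, not a real app."""
import base64
import hashlib
import re
import urllib.parse
from dataclasses import dataclass, field

# --- constructed in-memory stand-in for the target application -------------
VALID_SESSION = "sess-42"   # constructed sample value
CSRF_TOKEN = "tok-abc"      # constructed sample value


def fake_server(method, path, headers, body):
    """Return (status, response_headers, response_body) for one request."""
    if method == "POST" and path == "/login":
        return 200, {"Set-Cookie": f"session={VALID_SESSION}"}, "ok"
    if f"session={VALID_SESSION}" not in headers.get("Cookie", ""):
        return 302, {"Location": "/login"}, ""      # session missing or expired
    if method == "GET" and path == "/profile":
        return 200, {}, f'<input name="csrf" value="{CSRF_TOKEN}">'
    if method == "POST" and path == "/profile":
        # The hypothetical app wants the token hashed and base64-encoded in a
        # header, which exercises the transform and header-injection features.
        expected = TRANSFORMS["sha256_b64"](CSRF_TOKEN)
        ok = headers.get("X-CSRF") == expected
        return (200, {}, "updated") if ok else (403, {}, "bad csrf")
    return 404, {}, ""


# Transformations a macro may apply to an extracted value before reusing it.
TRANSFORMS = {
    "none": lambda s: s,
    "urlencode": lambda s: urllib.parse.quote(s, safe=""),
    "sha256_b64": lambda s: base64.b64encode(
        hashlib.sha256(s.encode()).digest()).decode(),
}


@dataclass
class Step:
    method: str
    path: str
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    # variable name -> regex with one capture group, run on this response body
    extract: dict = field(default_factory=dict)
    # (location "header"|"body", field name in request, variable, transform)
    inject: list = field(default_factory=list)


class MacroRunner:
    def __init__(self, send):
        self.send = send      # callable(method, path, headers, body)
        self.cookies = {}     # cookie jar shared by every step of the macro
        self.vars = {}        # values extracted from earlier responses

    def _send(self, step):
        headers, body = dict(step.headers), dict(step.body)
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        for location, name, var, transform in step.inject:
            target = headers if location == "header" else body
            target[name] = TRANSFORMS[transform](self.vars[var])
        status, rheaders, rbody = self.send(step.method, step.path, headers, body)
        if "Set-Cookie" in rheaders:
            k, v = rheaders["Set-Cookie"].split("=", 1)
            self.cookies[k] = v
        return status, rheaders, rbody

    def run(self, steps, login_steps=()):
        """Run the sequence; on a redirect to /login, run the login macro and retry once."""
        results = []
        for step in steps:
            status, rheaders, rbody = self._send(step)
            if status == 302 and rheaders.get("Location") == "/login" and login_steps:
                for s in login_steps:
                    self._send(s)
                status, rheaders, rbody = self._send(step)
            for var, pattern in step.extract.items():
                match = re.search(pattern, rbody)
                if match is None:   # a dead session or changed page shows up here
                    raise ValueError(f"could not extract {var!r} from "
                                     f"{step.method} {step.path} (status {status})")
                self.vars[var] = match.group(1)
            results.append((status, rbody))
        return results


LOGIN_MACRO = [Step("POST", "/login", body={"user": "tester", "pass": "secret"})]

# Two-step macro: fetch the form to harvest the CSRF token, then submit it.
# The value is called "csrf" in the response and "X-CSRF" in the next request.
PROFILE_UPDATE_MACRO = [
    Step("GET", "/profile", extract={"csrf": r'name="csrf" value="([^"]+)"'}),
    Step("POST", "/profile", body={"display_name": "new"},
         inject=[("header", "X-CSRF", "csrf", "sha256_b64")]),
]


def demo():
    runner = MacroRunner(fake_server)   # no session yet: first step is redirected
    return runner.run(PROFILE_UPDATE_MACRO, login_steps=LOGIN_MACRO)


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

Running `demo()` shows the full flow: the first `GET /profile` is redirected because there is no session, the login macro runs and stores the cookie, the step is retried, the token is extracted, transformed and placed in a header under a different name, and the final `POST` succeeds. Without the login macro the first step fails loudly at extraction instead of silently feeding an empty token to the next request, which is exactly the false-result scenario the article describes.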
Summary
In conclusion, the existing cybersecurity tools used in penetration testing still have certain limitations. Therefore, further research and development are required to create a tool that is more effective at automatically scanning for web and mobile application vulnerabilities. Macros are a promising feature that helps reduce human effort and conserve resources.