What is a pentest?
A penetration test (pentest) simulates targeted hacker attacks on a hardware or software system to uncover vulnerabilities, identify errors and increase security standards at both the technical and organisational level. It also serves to have the existing security level confirmed by an independent third party.
What was tested?
As part of the pentest, Trovent Security examined both the specialist solutions and the infrastructure of the otris cloud. A central focus of the examination of the otris cloud infrastructure was on the identification of open network ports and misconfigurations. The ‘OWASP Top 10’ served as the most important basis for the examination of the otris legal SUITE.
OWASP Top 10
The ‘OWASP Top 10’ is a compilation of the ten most critical security risks for web applications, published by the Open Web Application Security Project. The edition referenced here (the 2017 list) names the following risk categories:
- Injections: This vulnerability occurs when untrusted data is passed to an interpreter as part of a command or query (e.g. SQL, OS commands, LDAP), allowing an attacker to execute unintended commands or to read and manipulate the database.
- Authentication failures: Weaknesses in authentication can allow attackers to impersonate other users, even administrators.
- Loss of sensitive data confidentiality: Insufficient protection of sensitive data can allow attackers to access private information such as personal or financial data.
- XML External Entities: This vulnerability occurs when a weakly configured XML parser processes input that references external entities, which can lead to the disclosure of sensitive data (e.g. local files), denial-of-service attacks or, in some environments, remote code execution.
- Access control flaws: Flawed access control implementations allow attackers to access resources or functions for which they have no authorisation.
- Security-related misconfigurations: Insecure configurations in servers, applications, databases or networks, including unused pages, non-secure default accounts or outdated software, can be exploited by attackers.
- Cross-site scripting (XSS): This vulnerability allows attackers to inject malicious code (e.g. JavaScript) into web pages viewed by other users, which can lead to the theft of session cookies, manipulation of web pages or phishing attacks.
- Insecure deserialisation: Insecure deserialisation allows an attacker to inject manipulated objects into an application to execute arbitrary code, crash applications or perform other malicious actions.
- Use of components with known vulnerabilities: The use of libraries, frameworks or other software components with known security vulnerabilities can lead to vulnerabilities in the entire application.
- Insufficient logging and monitoring: A lack of logging and monitoring can mean that attacks are not detected or stopped in time, enabling attackers to remain undetected for longer.
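To make the first item on the list concrete, the following is an added example (not code from the original page, from Trovent Security or from otris) of a SQL injection against a constructed in-memory SQLite user table. The vulnerable login function builds its query by string concatenation; the hardened variant uses bound parameters. The table contents, user names and the `login_*` function names are assumptions made for this illustration.

```python
"""Added example: SQL injection (OWASP 2017 A1) against an in-memory SQLite
user table, showing the vulnerable string-built query beside the
parameterised one. All table and user data are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: untrusted input is concatenated into the SQL text, so the
    attacker's quote characters become part of the query's syntax."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: the same query with bound parameters. The driver passes the
    values separately from the SQL text, so quotes in the input stay data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Classic authentication-bypass payload: closes the string literal, appends a
# tautology and comments out the rest of the WHERE clause (SQLite treats
# "--" as a comment to end of line).
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    conn = make_db()
    # Vulnerable query becomes:
    # ... WHERE username = '' OR '1'='1' --' AND password = 'irrelevant'
    print(login_vulnerable(conn, PAYLOAD, "irrelevant"))  # both users, incl. admin
    print(login_safe(conn, PAYLOAD, "irrelevant"))        # [] : payload is just a string
```

The payload returns every row from the vulnerable function, including the admin account, without knowing any password; the parameterised version returns nothing because the driver never lets the input alter the query structure. Note that the example stores passwords in plain text purely for brevity; a real application would store salted password hashes, which is a separate concern from the injection flaw shown here.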