Carving Out Vulnerabilities Through Comparison

by Hannah Grace Holladay / October 31st, 2021

A Guessing Game

Picture this – Halloween in the ’80s. A classroom full of students at their desks, staring at a large object hidden under a blanket. The guessing game had only just begun. Gasps filled the room as our teacher revealed a gigantic pumpkin. “If you guess how much it weighs, it’s yours!” Our teacher was encouraging a creative lesson on estimation.

The only thing keeping that pumpkin from being carved and glowing on my front porch was my correct estimation of its weight. Some of my peers jotted down their answers without a second thought, and others stared at the ceiling in boredom, but those who were crafty compared it with objects of a similar size. So that is just what I did.

Comparing Vulnerabilities from Past Projects

The process of penetration testing is often the same.

Penetration testers are expected to find the unseen cracks in an organization’s security. Just as the pumpkin from the story had an unknown weight, client environments have undiscovered vulnerabilities. When an organization undergoes a penetration test, it expects the hired tester to discover its neglected vulnerabilities within the limited time of the engagement. Because of this, penetration testers often compare the test in front of them to those they have done in the past. If they have observed one organization make a mistake, they will often recognize the same class of vulnerability hidden in another.

For example, when I examine a web application and find an area for file uploads, I immediately reference past projects where I succeeded in exploiting a similar vulnerability. In a recent penetration test, I noticed that the web application contained an area in a note for embedding HTML code. Referencing a previous test, I began writing a new note with HTML tags and JavaScript code to test for Cross-Site Scripting. Sure enough, the application was vulnerable to Stored Cross-Site Scripting.
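The note feature described above, as an added example that is not code from the original post or from the tested application: a minimal note store that renders saved notes into HTML, with the rendering mistake that produces Stored Cross-Site Scripting next to a hardened version, plus the kind of probe notes a tester writes to tell the two apart. All function names, the probe strings and the sample notes are constructed for this illustration.

```javascript
// Added example (not from the original post): a toy "notes" feature that
// stores user-supplied text and later renders it for every reader.
// Names and sample data below are constructed for illustration.

const notes = [];                         // stand-in for the notes database

// Persist a note and return its id; input is stored exactly as submitted.
function saveNote(author, body) {
  notes.push({ author, body });
  return notes.length - 1;
}

// Vulnerable rendering: the stored body is concatenated into the page
// verbatim, so HTML or JavaScript inside a note runs in every viewer's
// browser. This is the Stored XSS condition the post describes.
function renderNoteVulnerable(id) {
  const n = notes[id];
  return `<div class="note"><b>${n.author}</b>: ${n.body}</div>`;
}

// HTML-encode the characters that change meaning in text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: user input is emitted as text, never as markup.
function renderNoteSafe(id) {
  const n = notes[id];
  return `<div class="note"><b>${escapeHtml(n.author)}</b>: ${escapeHtml(n.body)}</div>`;
}

// Probe notes a tester would submit. If a probe comes back in the rendered
// HTML unchanged, the application is not encoding output and the note will
// execute for anyone who opens it.
const probes = [
  '<script>alert(document.domain)</script>',   // classic script injection
  '<img src=x onerror=alert(1)>',              // event handler, no <script> needed
  '"><svg onload=alert(1)>',                   // breaks out of an attribute first
];

// Submit each probe as a note and report which ones survive rendering verbatim.
function findReflected(render) {
  const hits = [];
  for (const p of probes) {
    const id = saveNote('tester', p);
    if (render(id).includes(p)) hits.push(p);
  }
  return hits;
}

// Stand-alone demonstration.
console.log('vulnerable renderer reflects:', findReflected(renderNoteVulnerable));
console.log('hardened renderer reflects:  ', findReflected(renderNoteSafe));
```

The hardened renderer above only covers the case where notes are supposed to be plain text. If the feature genuinely has to allow a subset of HTML, as the note area in the post did, output encoding alone breaks the feature; the fix is then an allowlist-based sanitizer (a maintained library such as DOMPurify, not a hand-written tag filter), applied at render time and not only on submission.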

You Need Experienced Penetration Testers

Experience is what makes penetration testers experts who can make educated comparisons and conduct advanced testing. Without past projects to reference, inexperienced penetration testers are just playing a guessing game. At KirkpatrickPrice, our team has an average of fifteen years in the industry. You can count on our penetration testers to make the most of the time constraints of an engagement and discover your most serious gaps.

As for the pumpkin contest, I did win. The correct guess was 75.5 pounds, and I put down 75. When my teacher asked how I came to that estimation, I merely answered: “The pumpkin looked about the size of my sister.”

Who knew that I would spend the rest of my life playing a similar game of comparison.