Every week, Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

In our latest special edition, we dive into our roundtable chat with Nicholas Anastasi, Director of Technical Operations; Nate Fair, Penetration Tester & Cyber Security Consultant; Juan Pablo “JP” Gomez Postigo, Penetration Tester; and Willis Vandevanter, Senior Staff Security Researcher — Sprocket’s pen test team. Here are the top takeaways from the interview.

#1: Utilize Thorough URL Testing to Discover Hidden Attack Surfaces

“We've seen if we change the URL slightly to do uppercase WP admin instead of just all lowercase, that sometimes might bypass a rule. Appending a dot to the end of a directory, that sort of thing would also, you know, bypass a rule in certain cases. So a lot of our tools are, and a lot of the tools out there, just do static checks for, hey, I'm going to issue a request to this endpoint. If I get a 200 and a specific string, we know it's there, right? But that doesn't account for 403 bypasses, other techniques to get to that endpoint otherwise.

“So vulns that don't look like they're there, if you're not trying a 403 bypass, you're going to miss it because the tooling that we have is just kind of saying it doesn't exist. So trying to do that at scale has been a challenge and something we're working on, but yields a lot more fruit because it's kind of this hitting attack surface that, you know, you don't think exists. And then all of a sudden it does when you change things up a little bit.” (Nicholas)

Actionable Takeaway: URL manipulations, such as changing case or adding characters, can bypass security rules. Static checks may miss these vulnerabilities, so it’s crucial to include techniques like 403 bypasses in your testing process. Identifying these hidden attack surfaces requires nuanced, adaptable tools and methods for more effective security.

#2: Learn the Risks of Noisy Tools

“That sort of depends on where you're at in the assessment of an application. That's sort of a right click, Hail Mary, and Cobalt Strike, or Armitage, kind of because it's, you know, it's incredibly noisy. But it's also, you know, ‘I got nothing. Let's see’, right?

“And that obviously came out of the Log4j stuff, when everybody was just kind of scrambling, the entire industry, all of a sudden learning about, you know, this type of injection and those lookups. And so it can be useful, in some cases; it can probably also fire off hundreds of alerts or automated emails, you know, wherever it is, because it really is everywhere. Every request, header, and parameter.” (Nate)

Actionable Takeaway: Using tools like Cobalt Strike for broad-spectrum testing can be noisy and overwhelming, often generating countless alerts. While sometimes necessary, such an approach should be used cautiously and in specific contexts. Learn from the Log4j crisis: balance thoroughness with the risk of alert fatigue to maintain effective security monitoring.

#3: Beware the Hidden Dangers of Jailbreaking

“I think it's easy to be like, ‘oh, we can just jailbreak that, that's not a big risk.’ But then it's like, all right, well, what data does this have access to? What's it ingesting? Because if I can get it to do that, I might also be able to ask it, ‘hey, do you have access to the backend database?’

“There's also examples of remote code execution. If we think of LangChain, where it's inserting a query. So we're asking the bot something. It's using that data setting into memory and then using that to make a SQL query. Like, there's examples of CVEs of people putting in SELECT, and then you put an actual remote code execution. So the bot takes the input, which is unsafe. It runs it the next time, and then you get remote code execution. So there's totally things to build off of. And I feel like it's already trending toward very similar to the way we do normal testing.” (Willis)

Actionable Takeaway: Jailbreaking might seem low-risk, but it can expose critical data or enable remote code execution. Always assess what data your systems can access and how they’re interacting with user inputs, especially in environments using tools like LangChain. Treat jailbreaks with the same caution as any other potential security breach.

Listen to full episodes out now:

For more information about Ahead of the Breach, please visit www.sprocketsecurity.com/aob-podcast. Episodes are available on all major podcast platforms.


We look forward to bringing you more conversations with actionable insights that help in your pursuit to protect your most valuable assets — and help clients do the same!