3 PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

Cobalt’s Code-Assisted Pentests

Learn more about Cobalt's code-assisted pentests.

Pentesters typically perform “black box” or “zero-knowledge” pentests, meaning they have limited to no prior knowledge of the implementation details of the target application.

With code-assisted, gray-box penetration testing, Cobalt’s pentesters have access to the source code of the application. This effectively enables the team to use the code alongside testing activities as a means to gain a thorough understanding of the target application and enhance the accuracy of the discovered findings. 

The most important aspects of a code-assisted pentest are the depth of test coverage and the accuracy of findings. Cobalt’s code-assisted pentest should not be confused with a code review because it only analyzes attack vectors.

From the perspective of Stefan Nicula, Cobalt Core pentester, “In order to prepare for a code-assisted pentest, from the customer’s side, the pentesting team needs as much access as possible to the source code. This includes GitHub sources or sharing the internal codebase. Additionally, the version shared should be the one that’s being actively tested during the project.

We also need to take into account different integrations or plugins that might be interacting with our primary target. If those auxiliary components are considered in scope as well, the team will require access to their code too. Again, one of the primary things required is working access to the repo/codebase.”

From past projects Stefan has worked on with access to the source code, there are some notable findings that are usually hidden in different functionalities but detected easily by leveraging the code:

  1. SQL Injection: a code injection technique that leverages SQL to manipulate the backend database and exfiltrate data.
  2. XXE (XML External Entity): opens the door to attacks against an application’s processing of XML input.
  3. Code Injection: attackers execute malicious code on an application.
  4. Command Injection: attackers complete a series of unplanned commands on a host operating system.
  5. Server-Side Template Injection: commonly found in web applications where an attacker injects malicious input into a template to execute commands on the server-side.

In a code-assisted scenario, pentesters will allocate dedicated resources and time to search through the codebase by following a high-level methodology regarding common vulnerabilities, usage of different potentially dangerous functions, and web server configurations.
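As an added illustration of searching a codebase for potentially dangerous functions (this is not Cobalt's tooling or code from the original post), the Python sketch below walks a file's syntax tree and flags calls that map to the five finding classes listed above when their first argument is built at runtime. The sink list, the sample application code and all names in it are assumptions constructed for the example, and every hit is only a candidate for manual tracing.

```python
import ast

# Constructed sample of application code under review; it is parsed, never executed.
SAMPLE = '''
import os, subprocess
from flask import render_template_string
from lxml import etree

def report(cur, name, host, tpl, xml, expr):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
    subprocess.run("ping -c1 " + host, shell=True)
    subprocess.run(["ping", "-c1", host])
    render_template_string(tpl)
    etree.fromstring(xml)
    eval(expr)
'''

# Call name -> finding class. Illustrative and incomplete (assumption of this example).
SINKS = {
    "execute": "SQL Injection", "fromstring": "XXE",
    "eval": "Code Injection", "exec": "Code Injection",
    "system": "Command Injection", "run": "Command Injection",
    "render_template_string": "Server-Side Template Injection",
}

def call_name(node):
    """Return the called function or method name, or None if it is not a simple name."""
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)

def find_sinks(source):
    """Return sorted (line, finding class) pairs for sink calls with a non-literal first argument."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = call_name(node)
        kind = SINKS.get(name)
        # A literal first argument (e.g. a parameterized query string) is not flagged.
        if kind is None or isinstance(node.args[0], ast.Constant):
            continue
        shell = any(k.arg == "shell" and getattr(k.value, "value", None) is True
                    for k in node.keywords)
        if name == "run" and not shell:  # argument-list form without a shell is skipped
            continue
        findings.append((node.lineno, kind))
    return sorted(findings)

if __name__ == "__main__":
    for line, kind in find_sinks(SAMPLE):
        print(f"line {line}: review for {kind}")
```

The parameterized query and the argument-list `subprocess.run` call in the sample are not reported, which is the distinction a reviewer traces by hand: whether request-controlled data reaches the sink as code or as data.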

The biggest plus in a code-assisted project is the coverage against injection types of attacks and misconfigurations. By having access to the code base, the pentesting team will always have an advantage which leads to efficiency.

Learn more about Cobalt’s modern pentesting services for security and development teams.
