Penetration Testing for HIPAA Compliance
After you have implemented all the required and addressable HIPAA privacy and security safeguards in your application, you will want to check whether your system is actually secure: that every security gap has been plugged and every known vulnerability fixed. Penetration testing is used for exactly this purpose.
Penetration testing is the art of finding vulnerabilities and digging deeper to learn how far a target could be compromised in a real attack. It is an attempt to exploit the vulnerabilities in order to determine whether unauthorized access or other malicious activity is possible. Its primary purpose is to identify the weak spots in a system's defenses that attackers could take advantage of. In this article, we give you details about pen testing and show how to perform it using one of the common pen testing tools.
Stages of Penetration Testing:
The five stages of penetration testing are:
- Planning: In this stage, as much information as possible is gathered about the target
- Scanning: Vulnerabilities are found by running a complete scan over the application
- Exploitation: After scanning is done, attacks are launched on the application
- Analysis: During this stage, each vulnerability is analyzed and the possible risks are identified
- Report: Finally, the results of penetration testing are compiled into a detailed report
Penetration Testing Tools:
Penetration testing is done using automated tools that find various kinds of vulnerabilities in the application. Scanning is done with a pen testing tool that examines the application and its code for weaknesses that could help unauthorized users attack the system. Commonly used pen testing tools include Burp Suite, Metasploit, port scanners, Wireshark, etc.
What is Burp Suite?
At Technosoft, we have used Burp Suite for penetration testing. Burp Suite is a penetration testing tool for performing security testing of web applications. It provides different methods by which we can find loopholes in an application. We used Burp Suite to find vulnerabilities in websites created by Technosoft. For practice purposes, we used bWAPP, a deliberately buggy web application built for practicing penetration testing; it contains many kinds of vulnerabilities that can be exploited.
We have used the following features of Burp Suite in our penetration testing training:
Proxy:
Mozilla Firefox was configured to work with Burp Suite by changing its network settings so that its proxy points to localhost on port 8080.
Sitemap and Target Scope:
As soon as a website is opened in the configured browser, it starts appearing in the Site map tab of Burp Suite, and every link that is clicked is added to the site map. When spidering or scanning is started, Burp Suite looks for issues only in the websites that have been added to the target scope.
Intercepting HTTP Request:
When interception is on, each HTTP request from the browser stops in Burp Suite before it reaches the server; depending on the requirement, it is then either forwarded or dropped. Before forwarding the request to the server, the request can also be edited.
Spider:
Spidering is an automated process that navigates around the application by following links, submitting forms, etc. A website's robots.txt file indicates which links on the site may be crawled or scanned.
Scanner:
Burp Suite allows an application to be scanned fully. A scan is run over the application to find its vulnerabilities. There are two kinds of scanning in Burp Suite:
- Active Scanning: In active scanning, there is a higher chance that the attack traffic will be caught by the website's firewall, but active scans are more accurate.
- Passive Scanning: This scan only inspects the traffic that is already flowing, so it is recommended when the website's firewall must not be triggered.
Issue Definitions:
Definitions of the different issues are listed under this tab, each with a severity level of high, medium, or low; a found issue can also be purely informational.
Intruder:
After vulnerabilities have been found, different types of attacks can be carried out against the website with Intruder, such as brute-force attacks on passwords or exploitation of SQL injection vulnerabilities.
Report:
A report (XML or HTML) of the issues found by Burp Suite can be exported.
OWASP-top 10 Report:
The Open Web Application Security Project (OWASP) is a community that helps developers build secure applications. The OWASP Top 10 is a report that lists the ten most critical web application security risks. It is prepared with the consensus of security experts around the globe and updated from time to time. At Technosoft, while performing penetration testing of our website using Burp Suite, the latest version of the OWASP Top 10 report was set as the benchmark. Our main focus was to find and exploit the ten risks listed in the OWASP Top 10 report of 2018.
Example: Scanning of Web Applications
We performed active scanning of many Technosoft web applications that were deployed on a local server. After adding the websites to the target scope, the applications were explored manually so that all the main functionalities were covered when testing for loopholes.
After the scans completed, detailed reports were generated through Burp Suite showing both a summary and the details of each vulnerability, e.g. its severity, the links on which it was found, etc. As a result of active scanning of the different websites, we found the following vulnerabilities:
- Cross-site scripting (reflected)
- Clear text submission of password
- OS command injection
- SQL injection
- Cross-site request forgery
- Password field with autocomplete enabled
- Unencrypted communications
- Open redirection (DOM-based)
- Input returned in the response (reflected)
- Input returned in the response (stored)
- Cross-domain script include
- Email addresses disclosed
- Frameable response (potential Clickjacking)
- Path-relative style sheet import
- User agent-dependent response
- Suspicious input transformation (reflected)
- Cookie without HttpOnly flag set
- File upload functionality
- Cross-origin resource sharing
- Cross-origin resource sharing: arbitrary origin trusted
- Credit card numbers disclosed
- Multiple content types specified
(Image 1: Screenshot of the active scan results for one of the tested Technosoft websites)
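Several of the findings above (unencrypted communications, clear-text password submission, cookies without HttpOnly, frameable responses, CORS trusting an arbitrary origin, password autocomplete, disclosed email addresses) are the kind of thing Burp's passive scan spots from a single captured response. The following Python script is an added example, not part of this article or any Technosoft or PortSwigger code: it runs simplified versions of those checks over a constructed HTTP response so a developer can self-check a page before the formal pen test. The response, origin and cookie values are all made up; `request_origin` is assumed to be a test Origin header that does not belong to the application, so seeing it reflected in `Access-Control-Allow-Origin` means any origin would be trusted.

```python
from __future__ import annotations
from http.cookies import SimpleCookie
import re

# Constructed sample response, as a tester might see it in the Burp Proxy.
SAMPLE_RESPONSE = {
    "scheme": "http",                                # served over plain HTTP
    "request_origin": "https://not-our-domain.example",  # test Origin header we sent
    "status": 200,
    "headers": {
        "Content-Type": "text/html",
        "Set-Cookie": "session=abc123; Path=/",       # no HttpOnly attribute
        "Access-Control-Allow-Origin": "https://not-our-domain.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "body": '<form method="post"><input type="password" name="pw" autocomplete="on">'
            '</form><p>Contact admin@example.com</p>',
}

PASSWORD_INPUT = re.compile(r'<input[^>]*type=["\']?password[^>]*>', re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def passive_checks(resp: dict) -> list[str]:
    """Return Burp-style issue names found by inspecting one HTTP response."""
    findings: list[str] = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    body = resp.get("body", "")
    password_fields = PASSWORD_INPUT.findall(body)

    if resp["scheme"] == "http":
        findings.append("Unencrypted communications")
        if password_fields:                          # password posted over HTTP
            findings.append("Clear text submission of password")
    cookies = SimpleCookie()
    cookies.load(headers.get("set-cookie", ""))
    for name, morsel in cookies.items():
        if not morsel["httponly"]:                   # script-readable cookie
            findings.append(f"Cookie without HttpOnly flag set ({name})")
    csp = headers.get("content-security-policy", "").lower()
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("Frameable response (potential Clickjacking)")
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao and acao == resp.get("request_origin") and creds:  # our test origin reflected
        findings.append("Cross-origin resource sharing: arbitrary origin trusted")
    if any('autocomplete="off"' not in tag.lower() for tag in password_fields):
        findings.append("Password field with autocomplete enabled")
    if EMAIL.search(body):
        findings.append("Email addresses disclosed")
    return findings
```

Running `passive_checks(SAMPLE_RESPONSE)` reports all seven issues; the same function returns an empty list once the page is served over HTTPS with an HttpOnly cookie, an X-Frame-Options header, no reflected CORS origin, autocomplete disabled on the password field and no email address in the body.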
Burp Suite Community edition can be downloaded free from its web site (https://portswigger.net/burp/).
For more tips on developing HIPAA compliant healthcare software applications, please visit www.techno-soft.com