@cybergibbons Oh I have an absolute belter.

Have you ever been literally kidnapped and held at ransom by a client? I have!
@cybergibbons I think this was my second on site job ever. It was way up north, a very long train ride home. The client was a finance org. I was with a slightly more experienced tester.

We arrived, the app wasn't ready.
@cybergibbons The on site security team leader had filed the change request for the firewall but typo'd the IP by one digit, so we couldn't reach it. No big deal. He apologised and started the "fast" change request procedure (takes a couple of hours). Fine by us!
@cybergibbons This is supposed to be a web services test, so while we waited they gave us access to the front end web application (dev environment). "We already had it tested so it should be fine"... and I find LDAP injection in the literal first request I send.
@cybergibbons After twenty minutes I've got serious doubts about anything they say they've already had tested because it's vulnerable to pretty much everything in every field and page I look at.
@cybergibbons This is all fairly run of the mill until The Big Cheese arrives. He's the head of security for global or something. As soon as he comes in the door the atmosphere changes. Our local contact is clearly not a fan of the guy and is a bit afraid of him.
@cybergibbons I'm gonna call Big Cheese "BC" from now on.

BC finds out that testing hasn't started and starts yelling, mostly at our contact, then turns to us and talks like the guy isn't there and derides him. Asshole.
@cybergibbons Eventually we start testing and it quickly becomes clear that there's a major architectural fault with the system. The result is that if you compromise any one system that has access to the web service, you can give yourself massive amounts of money without any oversight.
@cybergibbons Half of the systems shouldn't have access to that feature of the service, but they can because there's no access control involved, nor is there a concept of authorisation. Not only that but they can't even tell which system issued the requests.
@cybergibbons Going by the one endpoint I've looked at, I can pretty much guarantee that compromise and abuse is inevitable in short order. And it's deeply concerning that they think it's been tested and verified safe.
@cybergibbons We make this clear to BC and it's not clear whether he's more annoyed at us or their tech team, who are... somewhat obstinate? about our findings.
@cybergibbons We end up in meetings all day with them, mostly arguing our point while they pretend nothing is wrong. It gets to the end of the day and we can't get out of the building. They won't let us leave.
@cybergibbons We end up calling our boss and getting him in on a conf call. He lets the directors know. The guy is determined that we will not be adding the architectural findings into the report. He doesn't want us to leave until this is agreed.
@cybergibbons We have a private call with our boss and agree that we're going to give him what he wants, then not do that when we actually write the report. Basically we got the OK to lie.
@cybergibbons Except this works for all of 20 minutes until the guy books *the exact same train as us* and makes us write the report on the train with him overseeing. It was an absolutely miserable journey.
@cybergibbons In the end we wrote a draft report that said what he wanted (big thanks to my colleague who fielded most of this while I tried not to vomit from travel sickness) and then management rescinded it officially.
@cybergibbons It was revealed during one of these meetings that BC had set up his own PCI certified testing organisation to rubber-stamp the company's own PCI DSS assessments.
@cybergibbons You'd think this is genius but it turned out that he got the idea from his predecessor who did the same thing, got caught by Visa, and was fired.
@cybergibbons I don't know the full details of what happened after this. I know Visa found out. I know he doesn't work in that position any more. 🙃
@cybergibbons This is by far the worst test I've ever been on. I've worked with some grumpy, ignorant, exhausting, and downright annoying clients, but this one was an order of magnitude worse than any other. Management blacklisted the client for a year.
@cybergibbons (or at least I think they did? I remember we didn't have anyone doing work for them for a very long time)
@cybergibbons It's probably a good thing this happened so early in my career. I had a much greater capacity for bullshit back then. Towards my later days of pentesting I probably would have flipped tables.
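The architectural fault described in the thread (any system that can reach the web service can move money, with no authentication, no authorization for the feature, and no record of which system made the request) is easy to show in code. The following is an added example and is not code from the thread author or from the client system; the service, client names, secrets, amounts and threshold are all constructed for illustration. The vulnerable handler is shown beside a hardened one that authenticates the calling system, checks it is allowed to use the credit feature, requires a second approver above a limit, and writes the caller into the audit trail.

```python
"""
Added example, not from the thread: a toy account-credit service.
credit_unchecked() reproduces the gap the thread describes; credit_checked()
adds the missing controls. All client ids, secrets, accounts and limits are
constructed values.
"""
import hmac
import hashlib
from dataclasses import dataclass, field


@dataclass
class Ledger:
    balances: dict
    audit: list = field(default_factory=list)


# --- Vulnerable shape: reachable means authorised -----------------------
def credit_unchecked(ledger: Ledger, request: dict) -> bool:
    """Honours any request that reaches it. Nothing identifies the caller,
    so afterwards nobody can say which system issued the credit."""
    acct = request["account"]
    ledger.balances[acct] = ledger.balances.get(acct, 0) + request["amount"]
    return True


# --- Hardened shape -----------------------------------------------------
# Constructed per-system secrets (a real service would load these from a
# secrets store, never embed them).
CLIENT_SECRETS = {
    "payments-core": b"constructed-secret-1",
    "reporting-dash": b"constructed-secret-2",
}
# Least privilege: only these systems may use the credit feature at all.
CREDIT_ALLOWED = {"payments-core"}
# Oversight: credits above this constructed amount need a named second approver.
DUAL_CONTROL_THRESHOLD = 10_000


class Rejected(Exception):
    """Raised when a request fails authentication, authorization or oversight."""


def request_body(request: dict) -> str:
    """Canonical string covered by the request signature."""
    return f"{request['account']}:{request['amount']}:{request.get('approver', '')}"


def sign(client_id: str, body: str) -> str:
    """HMAC-SHA256 over the canonical body with the client's shared secret."""
    return hmac.new(CLIENT_SECRETS[client_id], body.encode(), hashlib.sha256).hexdigest()


def make_headers(client_id: str, request: dict) -> dict:
    """Client side: the headers a legitimate calling system attaches."""
    return {"X-Client-Id": client_id, "X-Signature": sign(client_id, request_body(request))}


def credit_checked(ledger: Ledger, request: dict, headers: dict) -> bool:
    client = headers.get("X-Client-Id")
    supplied = headers.get("X-Signature", "")
    # 1. Authenticate: unknown system or bad signature is rejected and logged.
    if client not in CLIENT_SECRETS or not hmac.compare_digest(
        supplied, sign(client, request_body(request))
    ):
        ledger.audit.append(("rejected", client, "authentication", request))
        raise Rejected("unauthenticated caller")
    # 2. Authorize: this system must be permitted to use the credit feature.
    if client not in CREDIT_ALLOWED:
        ledger.audit.append(("rejected", client, "authorization", request))
        raise Rejected("caller not permitted to credit accounts")
    # 3. Oversight: large credits require a second approver.
    if request["amount"] > DUAL_CONTROL_THRESHOLD and not request.get("approver"):
        ledger.audit.append(("rejected", client, "dual-control", request))
        raise Rejected("approver required above threshold")
    # 4. Attribution: the change is recorded together with who made it.
    acct = request["account"]
    ledger.balances[acct] = ledger.balances.get(acct, 0) + request["amount"]
    ledger.audit.append(("credited", client, acct, request["amount"], request.get("approver")))
    return True
```

The three rejections map onto the three gaps in the thread: without per-system authentication there is no attribution, without a per-feature allow-list every reachable system has the same power as the one that is meant to have it, and without a second-approver rule a single compromised system can move arbitrary sums with no oversight. Signing a canonical body rather than only the client id also stops a valid header set from being replayed against a different account or amount.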
Thread by Graham Sutherland [Polynomial^DSS]