The State of Pentesting 2023 Report

Disruption, transformation, volatility — whichever keyword fits your style, it all points to one fact: change is the constant for security teams.

How do security teams plan to protect assets with fewer resources and more responsibilities?

Cobalt's 5th edition of The State of Pentesting explores this question, tapping into data from 3,100 pentests and over 1,000 responses from security practitioners in the United States, the United Kingdom, and Germany.

Here's What You'll Learn:

Top vulnerabilities, security challenges, and pentesting trends
How layoffs and budget cuts impact organizations' security postures
What security teams plan to outsource and/or deprioritize to better manage growing workloads
How to prepare your team and environment for a productive and in-depth pentest

1Cross-Site Scripting (XSS) Stored

This is a type of injection attack. Any feature that allows user input can be vulnerable because it gives attackers an opportunity to inject and store malicious scripts into web applications. The next time a user pulls up data that includes the attacker’s input, their browser attempts to run the malicious code.

GET THE REPORT
2Components with Known Vulnerabilities: Outdated Software Version

Using outdated software versions can leave you vulnerable to serious attacks, such as remote code execution with the recently discovered Log4j flaw. If you don’t have the latest version of Apache’s logging software, you have a vulnerability in your systems described as “a severe risk” by the Cybersecurity and Infrastructure Security Agency. And this is one of thousands of examples.

GET THE REPORT
3Broken Access Control: Insecure Direct Object References (IDOR)

IDOR can give access to resources via user-supplied input when attackers modify a value of a parameter that points directly to an object in your database. This flaw has the potential to give attackers access to personally identifiable information, which later enables identity theft, fraud, or blackmailing.

GET THE REPORT
4Server Security Misconfiguration: Lack of Security Headers

Security headers can help mitigate different attacks, such as Clickjacking, XSS, and encryption-related downgrade attacks. They can also strengthen privacy by enabling users to use their browsers’ security features such as disabling access to their webcam or microphone. Missing these configurations puts your operations and customers at risk.

GET THE REPORT
5Server Security Misconfiguration: Insecure SSL and TLS Protocols

If teams use the SSL or TLS 1.1 protocols, their encryption is not secure. Attackers with a Man-in-the-Middle (MITM) position can break into older secure communication channels and attempt to decrypt the information. Some configurations also allow an attacker to downgrade communication from a stronger cipher suite to one that they can crack.

GET THE REPORT

1Cross-Site Scripting (XSS) Stored

This is a type of injection attack. Any feature that allows user input can be vulnerable because it gives attackers an opportunity to inject and store malicious scripts into web applications. The next time a user pulls up data that includes the attacker’s input, their browser attempts to run the malicious code.

GET THE REPORT

2Components with Known Vulnerabilities: Outdated Software Version

Using outdated software versions can leave you vulnerable to serious attacks, such as remote code execution with the recently discovered Log4j flaw. If you don’t have the latest version of Apache’s logging software, you have a vulnerability in your systems described as “a severe risk” by the Cybersecurity and Infrastructure Security Agency. And this is one of thousands of examples.

GET THE REPORT

3Broken Access Control: Insecure Direct Object References (IDOR)

IDOR can give access to resources via user-supplied input when attackers modify a value of a parameter that points directly to an object in your database. This flaw has the potential to give attackers access to personally identifiable information, which later enables identity theft, fraud, or blackmailing.

GET THE REPORT

4Server Security Misconfiguration: Lack of Security Headers

Security headers can help mitigate different attacks, such as Clickjacking, XSS, and encryption-related downgrade attacks. They can also strengthen privacy by enabling users to use their browsers’ security features such as disabling access to their webcam or microphone. Missing these configurations puts your operations and customers at risk.

GET THE REPORT

5Server Security Misconfiguration: Insecure SSL and TLS Protocols

If teams use the SSL or TLS 1.1 protocols, their encryption is not secure. Attackers with a Man-in-the-Middle (MITM) position can break into older secure communication channels and attempt to decrypt the information. Some configurations also allow an attacker to downgrade communication from a stronger cipher suite to one that they can crack.

Unlock the State of Pentesting 2023! Explore 3,100 pentests with expert insights on vulnerabilities, security challenges, & maximizing pentest value.

Top Findings for 2022

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

1Cross-Site Scripting (XSS) Stored

GET THE REPORT

2Components with Known Vulnerabilities: Outdated Software Version

GET THE REPORT

3Broken Access Control: Insecure Direct Object References (IDOR)

GET THE REPORT

4Server Security Misconfiguration: Lack of Security Headers

GET THE REPORT

5Server Security Misconfiguration: Insecure SSL and TLS Protocols

GET THE REPORT

Download the Report for the Full Picture

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

Unlock the State of Pentesting 2023! Explore 3,100 pentests with expert insights on vulnerabilities, security challenges, & maximizing pentest value.

Top Findings for 2022

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

1Cross-Site Scripting (XSS) Stored

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

2Components with Known Vulnerabilities: Outdated Software Version

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

3Broken Access Control: Insecure Direct Object References (IDOR)

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

4Server Security Misconfiguration: Lack of Security Headers

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

5Server Security Misconfiguration: Insecure SSL and TLS Protocols

GET THE REPORT hbspt.cta._relativeUrls=true;hbspt.cta.load(2689945, 'da0c839c-7725-4074-9e76-c696d96f542d', {"useNewLoader":"true","region":"na1"});

Download the Report for the Full Picture

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

This is a title

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT

GET THE REPORT