Being able to quickly knock out the low-hanging-fruit vulnerabilities as a pentester is a matter of knowing they exist and having quick ways to check for them. Here are a few quick-hit, low-hanging vulnerabilities that can provide the biggest kickoff point for an investigation.
Swagger Will not Stop
Not that kind of swagger. Swagger pages exist on APIs to assist the development team with things like form, design, deployments, and testing new functionality. A swagger page provides a lot of quick-hit information to anyone malicious looking to exploit your website. Any modern application scanner should be able to detect an unprotected swagger page. Even if you do not have a scanning solution at your disposal, simply typing “swagger.io” alongside the website name into Google can reveal whether there is an open swagger page associated with a particular site.
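The check above can be done against your own deployment from the defender's side. The following is an added example, not code from the original post: it fetches the default documentation paths of common Swagger/OpenAPI tooling without sending any credentials, and for every spec that comes back it lists the operations the document itself marks as requiring no authentication. The path list, the `fetch` injection point and the sample spec are assumptions for illustration; the responses are constructed so the script runs offline.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Default doc locations of common Swagger/OpenAPI stacks (generic, Springfox,
# springdoc, Swashbuckle). Assumed list; extend it for your own framework.
DOC_PATHS = [
    "/swagger.json",
    "/openapi.json",
    "/v2/api-docs",
    "/v3/api-docs",
    "/swagger/v1/swagger.json",
]

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# A fetcher returns (status_code, body_text) for a URL and sends no credentials,
# so a 200 with a spec body means the docs are reachable anonymously.
Fetcher = Callable[[str], Tuple[int, str]]


def urllib_fetcher(url: str) -> Tuple[int, str]:
    """Unauthenticated GET using only the standard library (for real use)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return 0, ""


def parse_spec(body: str) -> Optional[dict]:
    """Return the parsed document if it is a Swagger 2 / OpenAPI 3 spec, else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if (isinstance(doc, dict) and ("swagger" in doc or "openapi" in doc)
            and isinstance(doc.get("paths"), dict)):
        return doc
    return None


def unauthenticated_operations(spec: dict) -> List[str]:
    """List 'METHOD /path' operations the spec documents with no security requirement."""
    global_sec = spec.get("security", [])
    found = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            # An operation-level 'security' key overrides the global one;
            # an explicit empty list means "no auth required".
            if not op.get("security", global_sec):
                found.append(f"{method.upper()} {path}")
    return found


def audit_swagger_exposure(base_url: str, fetch: Fetcher = urllib_fetcher) -> Dict[str, List[str]]:
    """Probe the default doc paths anonymously; map each exposed spec path to the
    operations it documents as unauthenticated."""
    exposed: Dict[str, List[str]] = {}
    for path in DOC_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        spec = parse_spec(body) if status == 200 else None
        if spec is not None:
            exposed[path] = unauthenticated_operations(spec)
    return exposed


# Constructed sample: one doc path answers without a token, everything else 404s.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {"get": {"summary": "list users"}},
        "/health": {"get": {"summary": "liveness", "security": []}},
        "/export": {"post": {"summary": "export report", "security": []}},
    },
}


def fake_fetcher(url: str) -> Tuple[int, str]:
    """Stand-in for a live server, so the audit runs offline."""
    if url.endswith("/v3/api-docs"):
        return 200, json.dumps(SAMPLE_SPEC)
    return 404, "not found"


if __name__ == "__main__":
    report = audit_swagger_exposure("https://api.example.test", fake_fetcher)
    for doc_path, ops in report.items():
        print(f"spec reachable anonymously at {doc_path}; unauthenticated operations: {ops}")
```

Run against a real host by passing the base URL and leaving `fetch` at its default; an empty report means none of the listed doc paths answered with a spec. Note that a spec marking an operation as unauthenticated only tells you what the documentation claims, so confirm the finding against the running service before treating it as a gap.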
Another quick hit that should be incorporated into every pentesting catalog is a check for open ports. Why make it harder to get into a network when you could simply check for ports left open? A good example is port 22; if left open, it could allow direct access to the server itself. Get a good, comprehensive list of commonly open ports and a quick way to scan for them. A very useful automated tool for port identification is Nmap, a Linux command-line tool that enumerates available open ports and prints the results in an easy-to-read format. There is also a GUI version called Zenmap.
Misconfigurations or outdated OS patches
Lastly, being able to identify the underlying operating system gives you a starting point for investigating the known exploitable vulnerabilities of that OS at its patch level. Over time, you will get a feel for the different OS patch levels. It will become second nature to test for an Apache Struts vulnerability or a memory corruption vulnerability on a Windows XP server.
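Both the open-port check and the OS identification above come out of the same Nmap run, so one added example covers both (this is not code from the original post). It parses the XML that `nmap -sS -sV -O -oX scan.xml <host>` writes, reports the open ports with their detected service and version, picks the highest-accuracy OS match, and flags any open port that is not on an allowlist for the host's role. The role allowlist and the XML document are constructed for illustration; the XML follows Nmap's element names but is trimmed to what the parser reads.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Ports each host role is expected to expose; anything else open is reported.
# Assumed baseline for illustration; replace with your own.
ALLOWED_PORTS = {"web": {80, 443}}

# Constructed Nmap XML in the layout `nmap -sS -sV -O -oX scan.xml 10.0.0.5`
# produces, reduced to the elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/><osmatch name="Linux 2.6.32" accuracy="90"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one record per host: address, open ports with service info, best OS match."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Only 'open' counts; filtered/closed ports are not exposure.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = None
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p) or None
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        # Nmap may list several OS guesses; keep the one with the highest accuracy.
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        hosts.append({
            "addr": addr_el.get("addr"),
            "open_ports": open_ports,
            "os": best.get("name") if best is not None else None,
            "os_accuracy": int(best.get("accuracy", "0")) if best is not None else None,
        })
    return hosts


def unexpected_open_ports(host: Dict, role: str) -> List[int]:
    """Open ports on the host that the role's allowlist does not permit."""
    allowed = ALLOWED_PORTS.get(role, set())
    return [p["port"] for p in host["open_ports"] if p["port"] not in allowed]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(f"{h['addr']}: OS guess {h['os']} ({h['os_accuracy']}% accuracy)")
        for p in h["open_ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product'] or ''}")
        print(f"  not on 'web' allowlist: {unexpected_open_ports(h, 'web')}")
```

Feeding a real `scan.xml` to `parse_nmap_xml` gives the same records; the OS name and the service versions are the starting point for the patch-level research described above, and the allowlist comparison turns a raw port listing into a short list of things that need justification.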
Overall, these are three quick points that should be covered in any pentesting engagement—regardless of whether you are performing the test yourself or paying someone to test your infrastructure or application. Any experienced pentester will be able to list these examples off the top of his or her head.