
Plynt Blog

Penetration Testing SSL VPNs

by Roshen Chandran  | 22 Nov 2007

Hi, sorry for being silent these last seven months. We had a surge in work and we put the blog on hold. We are back now.

Last week two clients asked us about testing SSL VPNs. Today I want to discuss what we look for in an SSL VPN penetration test.

We perform two types of checks on SSL VPNs:

  • Can the security of the SSL VPN be compromised?

  • Are the security features in the SSL VPN adequate and correctly configured?

Compromise the security of the SSL VPN
  1. Can an adversary add fake users or reset passwords without authorization?

  2. Can an adversary change the access rights of others without permission?

  3. Can an adversary delete audit logs or fake them?

  4. Can an adversary deny access to other users?

  5. Can an adversary escalate privileges and become an administrator?

  6. Can an outsider bypass the authentication system?

  7. Can an adversary change group memberships of himself or others?

  8. Are login credentials cached on the browser, or visible in memory?

Adequacy of Security features
  1. How powerful are the audit trails?

    • Are they adequate to detect the attacks from the pen test?

  2. What are the identification schemes supported?

    • In addition to user identity, does the VPN also support identification based on IP-addresses, certificates, etc?

  3. Does the VPN check for integrity of the endpoint?

    • Does it check for missing patches, outdated virus signatures, etc?

  4. How granular is the authorization scheme?

    • Can authorizations be made at the server, application, URL, or folder level?

  5. How are session data protected at the endpoint?

    • Are session data (like cache, cookies) deleted on logout?
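
One way to check the logout question above from captured response headers, as an added example that is not Plynt's own tooling: it compares the cookies set at login with those expired at logout and flags responses the browser is allowed to cache. The cookie names and header values are constructed samples.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not from a real product).
LOGIN_HEADERS = [
    ("Set-Cookie", "VPNSESSID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "VPNAUTH=xyz789; Path=/; Secure"),
    ("Cache-Control", "private"),
]
LOGOUT_HEADERS = [
    ("Set-Cookie", "VPNSESSID=x; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"),
    ("Cache-Control", "no-store"),
]

def parse_cookies(headers):
    """Return {cookie_name: {attribute_lowercase: value}} from Set-Cookie headers."""
    cookies = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        first, *rest = [p.strip() for p in value.split(";")]
        attrs = {}
        for part in rest:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
        cookies[first.split("=", 1)[0]] = attrs
    return cookies

def is_expired(attrs, now=None):
    """True if the cookie attributes tell the browser to delete the cookie."""
    now = now or datetime.now(timezone.utc)
    try:
        if "max-age" in attrs:            # Max-Age takes precedence over Expires
            return int(attrs["max-age"]) <= 0
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False                      # no usable expiry: cookie survives
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit_logout(login_headers, logout_headers):
    """List session artefacts the server leaves behind on the endpoint."""
    findings = []
    cleared = parse_cookies(logout_headers)
    for name in parse_cookies(login_headers):
        if not is_expired(cleared.get(name, {})):
            findings.append(f"cookie {name} not expired on logout")
    for label, hdrs in (("login", login_headers), ("logout", logout_headers)):
        cc = ",".join(v.lower() for k, v in hdrs if k.lower() == "cache-control")
        if "no-store" not in cc:
            findings.append(f"{label} response may be cached (no no-store)")
    return findings
```

This covers only what the server instructs the browser to do; the browser's cache and cookie store on the endpoint still need to be inspected after logout.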

If you have more ideas, we are eager to hear them. Please post them as comments to this post.

