A Security Flaw I Didn't Expect To Find.

Recently, I was asked by an associate of mine to accomplish a vulnerability assessment on his recently published web app and website. I agreed. We came to an official agreement and hashed out the plan of action. There were to be no penetration tests. We defined this as: I wasn't going to attempt to break anything, exploit any of the vulnerabilities found, or in any way brute-force anything. We decided I would footprint his network with Maltego, then run some standard vulnerability scans using industry tools. In this case, I picked Mozilla Observatory, OpenVAS (I don't have enough free IPs on Nessus community edition), Masscan, and finished up with Qualys.

So I began. It went surprisingly well. He had his ports locked down, TLS with PFS ciphers, SSH using keys, and mostly looked pretty squared away. Or so I thought. At the end of these scans, I talked to him about one last check. I wanted to run his website through a Burp Suite crawl and audit. I didn't expect to find much since everything else was GTG. I was wrong.

After plugging in the credentials and configuring a "light active" and "JavaScript" audit, I got about 10 minutes into the crawl. That timer went from 20 mins left to 5 hrs and errors started stacking. His Node.js server hung and crashed. So I hit him up on messenger with essentially, "Hey man, your server crashed at this time. Let me see your logs." What reply did I get? "Sorry man. I don't have that function enabled yet and I don't have an error handler." Now, this was a simple fix. It's as good as done. Yet the lessons that I learned were crucial.

  1. Don't assume that just because they nailed the tough stuff, they nailed the easy stuff.
  2. The halo effect in cyber security is real. Just because someone has been doing something longer and at a higher level than you doesn't mean they are supernatural and impervious to mistakes.
  3. Burp is sweet. No, seriously, it's a great tool.
  4. Communication is key. Having the ability to instantly hit him up and figure out a path forward was crucial in resolving this issue quickly.
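
As an illustration of the two gaps named above (no logging, no error handler), here is an added example, not code from the article or from the server it describes. It wraps a Node.js request handler so a thrown error or rejected promise is logged and answered with a 500 instead of ending the process; `makeLogger`, `withErrorHandling` and `routes` are hypothetical names, and the failing route is constructed.

```javascript
// Added example; all names here are hypothetical.
// Usage with Node's built-in server:
//   http.createServer(withErrorHandling(routes, makeLogger())).listen(3000)

// Structured logger: one JSON line per event, also kept in memory for inspection.
function makeLogger(sink = (line) => console.error(line)) {
  const entries = [];
  return {
    entries,
    write(level, msg, fields = {}) {
      const entry = { ts: new Date().toISOString(), level, msg, ...fields };
      entries.push(entry);
      sink(JSON.stringify(entry));
    },
  };
}

// Wrap a handler so sync throws and async rejections are logged and answered.
function withErrorHandling(handler, logger) {
  return function (req, res) {
    const fail = (err) => {
      logger.write('error', 'unhandled request error', {
        method: req.method, url: req.url, error: String((err && err.stack) || err),
      });
      if (res.headersSent) return res.end(); // response already started: just close it
      res.statusCode = 500;
      res.setHeader('Content-Type', 'text/plain');
      res.end('Internal Server Error'); // stack trace goes to the log, not the client
    };
    try {
      // Promise.resolve covers both plain and async handlers.
      return Promise.resolve(handler(req, res)).catch(fail);
    } catch (err) {
      fail(err);
      return Promise.resolve();
    }
  };
}

// Constructed route table: one healthy route, one that throws on odd input.
function routes(req, res) {
  if (req.url === '/ok') { res.statusCode = 200; return res.end('ok'); }
  // decodeURIComponent throws URIError on malformed escapes such as "%E0%A4%A".
  const path = decodeURIComponent(req.url);
  res.statusCode = 404;
  res.end('not found: ' + path);
}
```

With this in place, each failed request leaves a timestamped log entry naming its method and URL.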
