Penetration Testing mailing list archives

Collection of problems in production systems while pen-testing - "Butterfly effect"


From: "Adriano Leite (DHL CZ)" <Adriano.Dias.Leite () dhl com>
Date: Tue, 27 May 2008 10:10:13 +0200

Gents,
Since I haven't seen anything like that before, I would like to open a
discussion on what problems you have caused in production environments while
performing pen-testing.

From the e-mail our colleague Brahnda sent a few days ago, I see that small
unpredictable situations might arise even when we think everything is under
control. :)

It would be nice to hear your "issues", maybe we can use the mail thread as
a checklist in the future to not cause any chain (Butterfly effect) problems
when performing pen tests.

Below I list some unexpected situations that my colleagues and I witnessed
throughout our careers, when being pen/stress-tested by third parties:

- Scanning of web applications with automated tools: Some pages can contain
forms for e-mail submittal. If an SQL injection brute-force attack is performed
on such a page, you can either clog a vital business mailbox with trash, or
cause a DoS if the SMTP relay crashes.
- Port scanning of production servers: Some IP stacks are not able to
handle even "simple" port scans. Services can hang (RPC in our case). Issues
are known with AS/400, HP-UX and Solaris OS.
- Stress-testing using Windows XP: I once got a report from a Microsoft
Certified Partner that our e-commerce website couldn't handle more than 100
connections simultaneously. After sending developers, network architects and
security specialists to verify what was happening, it was found that the
operating system used for the scan was Windows XP, which couldn't handle
more than 10 connections at once... and yes, the guy was MCSE... :)


It is always good to share experiences, even the bad ones :)

Adriano 
