03. 07. 2025 Federico Corona Red Team, SEC4U

Security Assessment: More Than a Test… A Training Opportunity for the IT Team

When we talk about security assessments, the first thing that comes to mind is a snapshot of a company’s security posture: vulnerabilities, misconfigurations, uncontrolled access, and so on. But reducing these activities to a mere “test” means missing a key strategic opportunity: turning every assessment into a chance to help the internal IT team grow and improve.

An Underrated Educational Value

Each time an external team performs a penetration test, vulnerability assessment, or simulated attack (for example, one mapped to MITRE ATT&CK techniques), they produce a detailed report. This report is not just a list of issues: it is a technical guide that explains how each vulnerability was found, why it exists, and how it can be mitigated or prevented. In other words, it is a highly valuable learning resource.

An attentive internal IT team can use this report to:

  • Understand design or development flaws that lead to vulnerabilities
  • Learn to think like an attacker by analyzing the techniques used to breach the system
  • Integrate secure development best practices into future workflows
  • Improve internal controls and threat modeling strategies

Real-World Example: From Reflected XSS to a New Development Checklist

During our assessments, we often come across critical vulnerabilities such as XSS or SQL Injection. Below is an example of a reflected XSS vulnerability identified in an unvalidated search form. The issue was exploited to execute a malicious script designed to steal the session token of a logged-in user.

Reflected XSS Vulnerability

Severity: High
CVSS Score: 8.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Description:
During the assessment we found that JavaScript code could be injected into certain input fields of the web application. The affected parameters are reflected into the response without validation or output encoding, so an attacker (in this case one holding a low-privileged account on the application) can run arbitrary JavaScript in the browser of any authenticated victim who opens a crafted link.

Proof of Concept:
The query parameter in the search URL could be exploited to inject a JavaScript payload:

https://{URL}/search?query=<script>alert('XSS')</script>

When this link was opened by an authenticated user, the script executed in that user’s browser, in the origin of the application, because the parameter was written into the page without any validation or output encoding.

Impact:
A reflected XSS attack can be used to steal session cookies, manipulate the UI, perform actions on behalf of the user, or deliver malware through obfuscated payloads.

Mitigation:
The team was provided with a series of practical recommendations, including:

  • Server-side input validation: check each parameter against what it can legitimately be (expected type, length, character set) in one centralized place. Stripping characters such as <, >, " and ' is only defence in depth: it mangles legitimate input and does not by itself prevent XSS, so it must never replace output encoding
  • Context-aware output encoding: depending on whether the user input is rendered as HTML text, inside an attribute, inside a URL, or inside a script block, the encoding for that specific context must be applied (for example < becomes &lt; in HTML text, while a value placed in a URL is percent-encoded first and then attribute-encoded)
  • Avoid dangerous JavaScript sinks such as innerHTML, document.write, or eval, and prefer safer alternatives such as textContent or setAttribute. Note that setAttribute is only safe for text-valued attributes: writing attacker-controlled data into href, src or an on* handler still allows execution, for instance via a javascript: URL
  • Implement a basic Content Security Policy (CSP), for example:
    default-src 'self'; script-src 'self'; object-src 'none';
    With script-src 'self' the browser refuses inline <script> blocks and inline event handlers, so an injected payload that slips past encoding still does not run. The application’s own inline scripts must therefore be moved to external files (or carry a nonce), which is why the policy should first be rolled out in Content-Security-Policy-Report-Only mode to catch what it would break
  • Targeted internal training: using this concrete case to reinforce understanding of key concepts such as input validation, output encoding, and CSP
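To make the recommendations above concrete, here is an added example (not code from the original post or from the assessed application): a minimal server-side search-results renderer in its vulnerable form beside a hardened form that applies context-aware encoding, sends the CSP from the list, and ends with the regression check a team would put in its CI pipeline. The parameter name query and the host app.example are assumptions taken from the PoC URL; the static file /static/results.js and the 200-character limit are illustrative.

```javascript
// Added example, not code from the original post: a minimal server-side
// search-results renderer in the vulnerable form and in a hardened form,
// followed by the regression check that belongs in CI.
// Assumed: the parameter is named "query" as in the PoC URL, the page is
// assembled from template strings, and the host app.example is fictitious.

const PAYLOAD_URL =
  "https://app.example/search?query=<script>alert('XSS')</script>"; // constructed PoC

// Vulnerable: the raw parameter is interpolated straight into HTML text,
// so a <script> tag in the query is parsed and executed by the browser.
function renderSearchVulnerable(requestUrl) {
  const query = new URL(requestUrl).searchParams.get('query') ?? '';
  return `<h1>Results for: ${query}</h1>`;
}

// Output encoders, one per context the template writes into.
// HTML text and double-quoted attribute context: the five characters that
// can change how the HTML parser tokenises the output.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// URL query-component context: percent-encode the value; the caller still
// HTML-encodes the finished URL when it lands inside an attribute.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Input validation as defence in depth: reject what a search term can never
// legitimately be (here: oversized), instead of stripping characters.
function validateQuery(query) {
  if (query.length > 200) throw new Error('query exceeds 200 characters');
  return query;
}

function renderSearchHardened(requestUrl) {
  const query = validateQuery(new URL(requestUrl).searchParams.get('query') ?? '');
  const nextPageUrl = `/search?query=${encodeUrlParam(query)}&page=2`;
  return [
    // HTML text context.
    `<h1>Results for: ${encodeHtml(query)}</h1>`,
    // Attribute context. The external results.js reads the term through
    // dataset instead of an inline <script>, which the CSP below blocks anyway.
    `<div id="results" data-query="${encodeHtml(query)}"></div>`,
    // URL inside an attribute: URL-encode first, then attribute-encode.
    `<a href="${encodeHtml(nextPageUrl)}">Next page</a>`,
    `<script src="/static/results.js"></script>`,
  ].join('\n');
}

// Response headers to send with the page. script-src 'self' blocks inline
// scripts and inline event handlers, so an injected <script> that slips past
// encoding still does not run; the page's own scripts must be external files.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Regression check for the CI pipeline: the PoC payload must never come back
// as executable markup in any rendered page.
function containsInjectedScript(html) {
  return /<script>alert\('XSS'\)<\/script>/.test(html);
}

function main() {
  console.log('vulnerable:', renderSearchVulnerable(PAYLOAD_URL));
  console.log('hardened:\n' + renderSearchHardened(PAYLOAD_URL));
  console.log('payload executes in vulnerable page:',
    containsInjectedScript(renderSearchVulnerable(PAYLOAD_URL))); // true
  console.log('payload executes in hardened page:',
    containsInjectedScript(renderSearchHardened(PAYLOAD_URL)));   // false
}
main();
```

The point the hardened version makes is that the same value needs a different encoder in each place it is written, and that the URL case is two layers (percent-encoding for the URL, then attribute encoding for the HTML it sits in). Keeping state in a data attribute rather than an inline script is what lets the page live under script-src 'self' without nonces.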

Follow-up Actions Taken by the IT Team

  • Created a security checklist for HTML forms during development
  • Introduced automated security tests into the CI/CD pipeline
  • Conducted internal training focused on input validation and output encoding

The result? In subsequent releases, not only were no new XSS vulnerabilities found, but the team began proactively assessing the risks associated with user input. This single finding raised the overall security posture of the entire application stack.

From Assessment to a Structured Security Approach

The real objective of a security assessment should not be merely to “pass the test”, but to establish a structured and repeatable approach to security. An IT team that actively addresses identified vulnerabilities, participates in technical debriefs, and integrates recommended mitigations is building a solid and resilient risk management methodology.

Instead of passively undergoing testing, the IT department can leverage it as a tool for self-analysis and continuous learning. As a result, the company:

  • Reduces long-term risks
  • Lowers the cost of security (fewer incidents = fewer urgent interventions)
  • Builds a more skilled, proactive, and security-aware team

Conclusion

Security is never just about technology. It’s about process, awareness, and culture. And every well-executed security assessment is an opportunity to strengthen all three.

For this reason, every company should view an assessment not as a box to check, but as a hands-on training session, tailored to its own systems, its own code, and its own people.
