The methodology is based on the Web Application Hacker’s Handbook 2nd Edition with some additional modification and adjustment. It is intended for grey-box testing of a web application for 2 weeks of engagement. You can use it for your testing, however, I would recommend creating sth similar for yourself just to establish the defined methodology for the web pentest. Let’s get started:
Day 1:
To complete:
I. Mapping Application
- Explore Visible Content with passive spidering
- Review the webroot dump for the public resources, review the docs, and design diagrams.
- Enumerate API endpoints/function for the testing
- Test for Debug enabled. Check for debug=true, use any of the common values such as - debug, test, hide, a source with the common values such as - true, yes, on 1. Use those values in parameter, header, and body.
II. Analyze the Application
- Identify Functionalities (in scope)
- Identify Data Entry Points
- Identify Technologies Used.
- Map the attack surface
- For each functionality identify the kinds of vulnerabilities associated with it.
- Create the plan of the attack with prioritization for a given time.
Update to the team:
- Completed actions,
- Possible issues identified,
- Possible blockers,
- Plan for the attack,
Day 2:
To Complete
III. Client-Side Controls
- Identify all hidden forms, fields, cookies, parameters. Determine the purpose and logic of the hidden value.
- Modify the hidden values according to there purpose.
- Attempt to decipher, deobfuscate hidden values.
- Verify that client limitation are also in place. Confirm whether the application relies on client-side controls for the input check.
- If you find disabled HTML input, try to send them in the repeater.
- If browser extension is required, apply additional testing for that.
- For the identified endpoint identify if different HTTP methods can be used. Identify if HTTP methods can be overwritten.
IV. Test Authentication Mechanism
- Locate all authentication-related mechanisms (login, registration, recovery)
- Test password quality (rules of the password, test if the password validation is complete). Determine the probability of success in the brute-force attacks.
- Test for Username Enumeration. Where the application expects the username, submit one valid and one invalid, and observe the differences.
- Check for account lock-down policy
- Test account recovery function. Check how it works, if there is a challenge as a secret question, harvest the list of questions and check for predictable answers. If it involves sending an email, check it is possible to control any of the parameter (SMTP part, URL parameters)
- Test remember me function. Inspect all persistent cookie - try to tamper the cookie, compare the results of remembering several accounts.
- Test any impersonation function. Try to use the functionality for privilege escalation.
- Test username uniqueness. It may allow enumerating valid usernames. If the collision is allowed, try to hijack other user’s accounts.
- Test the credential transmission (non-TLS, URL parameters, leakage by the Referer, if the credentials are stored in cookies)
- Check for credentials distribution ( if confirm URL must be clicked, register few accounts and check if the token is predictable)
- Test for fail-open when it is possible to edit password and log in.
- If the multistage mechanism in place, test it, proceed with all stages in a different sequence. Proceed directly to each stage and then continue the normal flow. Try skipping some stages. Think for further cases to push the staging to its limits.
- For multi staging, check if the parameter is submitted in different stages. Example username. Try to modify it, if that is possible to authorize as other users.
- For multi staging, if the application requires the challenge on any stage test the two common defects:
- If the challenge is sent with the user’s response with the same request try to set your challenge.
- Try submitting again the request generating the challenge, if it varies with every response you can set your challenge by repeatedly requesting the challenge.
V. Session Management Mechanism
- Analyze the mechanism used for session management, identify the item used to represent the user’s session. Check if the whole token is validated by modifying the single bytes.
- Analyze the token itself, entropy, correlation with username, different encoding.
- Check if the token appears to be CBC encrypted - use Bit Flip Burp Intruder
- Check for insecure transmission of the token - cookie without secure flag, non-TLS, URL param
- Login and logout several times to determine if the session token is dynamic
- If the JWT is used, try JWT vulns.
- If the cookie consists of any user part, try tampering it.
- Check if the application supports concurrent session by login in two different web browsers
- Check the session expiration ( Burp Intruder increment the time)
- Check if the logout function is effective. Attempt to reuse the old token.
- Check for session fixation. If the new token is generated after login or is it reused.
- Check for CSRF - missing anti-CSRF, also if exploit possible through a simple HTTP request.
- Check cookie scope’ing - if the parent domain is specified for authentication cookie.
Update to the team:
- Tests performed,
- Findings,
- Blockers
Day 3-4:
To complete:
VI. Access Control Testing:
- Build an understanding of the possible horizontal and vertical priv escalation.
- If there are vertical priv escalation possible, identified endpoints/functionalities accessible only to those privileged accounts. The use of the less privileged account to try to access those resources.
- For each user privilege, review resources available to a user. Attempt to access those resources from an unauthorized user account by replaying the request using the unauthorized user’s session token.
- Check if a user with the same privilege can access or modify the data belonging to other users with the same privileges.
- In multistage functionalities, check if other stages of the functionality correctly implement the access control.
- Test for insecure access control methods:
- Look for parameters such as edit=false or access=read in any key requests, and modify these in line with their apparent role to try to interfere with the application’s access control logic.
- Check if the Referer or Origin header is used for access control.
- In case some specific HTTP methods are blocked for a specific role for URL try the - X-Original-URL or different method of URL rewrite. Try the HEAD HTTP method if it is allowed by the webserver.
- Check for IDOR - Insecure direct object reference
Update to the team:
- Tests performed,
- Findings,
- Blockers
Day 5-6:
To complete:
VII. Input-Based Vulns
- If possible try to fuzz all parameters for:
- SQLi
- XSS and Other Response Injection (XSS Reflected/Stored, Header Injection, Open Redirection)
- Command Injection
- Path Traversal
- Script Injection
- File Inclusion
- Template Injection
- SSRF
- Use the Grep Burp function to look for specific values in the response or second-order page.
- Exploit the vulnerability of proofs.
- If fuzzing is not possible e.g. the application has the flow that cannot be abused.
- Identify the parameters/functionalities that may be specific to the vulnerability e.g. parameter “path” should be tested for File inclusion, SSRF, Path traversal.
- Once identify try the payloads specific to the “possible vulnerabilities” for the functionality.
- Exploit the vulnerability.
VIII. Test for Function-Specific Input Vulnerabilities
- Depending on the application mapping there are specific vulnerabilities that may exist in the web application.
- Test for those vulnerabilities:
- SMTP Injection
- Overflows and format string (for custom C/C++ web servers)
- SOAP Injection
- LDAP Injection
- XPath Injection
- SSRF
- XXE
- Test File upload (Upload web shell, upload EICAR, try extension blacklist/whitelist bypasses, try path traversal and XSS through filename, try XSS through uploading HTML file)
Update to the team:
- Tests performed,
- Findings,
- Blockers
Day 7-8:
To complete:
IX. Logic Flaws
- Identify the following features in the web application:
- Multistage process,
- Critical Security Functions e.g. login, password reset,
- Trust Boundaries ( from anonymous to self-registered to logged in)
- Context-based functionality e.g. withdrawing money
- Adjustment to fees, quantities, etc.
- Multistage process:
- Attempt to submit requests out of sequence. Try to skip some stages.
- Try to take parameters from the previous stage and send them in the next stage to interfere with the process and maybe modify some values.
- If the process involves the different users to submit something, try to submit the request as the current user.
- Try to determine the assumptions made by the developers in context-based function, try to abuse those,
- Test Handling Incomplete Input.
- For critical functions, test the application resilience on the incomplete request e.g. remove the parameter or value.
- Trust Boundaries:
- Check specific cases that would normally not occur when trust boundaries are changed: e.g. when performing the password reset, do not complete it but move directly to the auth user context.
- Try to determine if you could harness directly or indirectly higher privilege function
- Transaction Logic:
- Test negative values in the transaction, check how the application reacts.
- Identify if any fees can be manipulated by the user.
Update to the team:
- Tests performed,
- Findings,
- Blockers
Day 9:
To complete:
X. Misc Testing
- Find Vulnerable Components e.g. Burp Vulnerability Scanner.
- Examine Webserver Config e.g. Weak Tomcat creds.
- Examine Default Content on the webserver e.g. phpinfo
- Check for CORS Misconfiguration.
- Test TLS Config.
- If Websockets are being used, test for websocket hijacking.
- Test for HTTP Req Smuggling.
- Test for Web Cache Poisoning.
- Identify Cross-site leaks.
- If you have time, analyze statically JS files for DOM-based attacks.
- Identify all uses of the following APIS, which can be used to access DOM data via crafted URL: document.location, document.URL, document.URLUnencoded, document.referrer, window.location
- Check if the data from the user is passed to one of the following functions for DOM XSS: document.write(), document.wirteln(), eval(), window.execScript(), window.setInterval(), window.setTimeout()
- Check if the user data is passed to one of the following functions for redirections: document.location, document.URL, document.open(), window.location.href, window.navigate(), window.open()
- Check for postMessages() related XSS.
Update to the team:
- Tests performed,
- Findings,
- Blockers
Day 10:
To complete:
- Reporting
- Final call with the Development Team.