LTR101: WebAppTesting - Methods to the Madness
Following my post on Web Application Testing Methodologies, I received a lot of feedback and requests to elaborate more on the methodology. As it is geared towards pentesters, some newbies might not understand what things are or what tools can be used to achieve the goal.
I have tried my best to outline tools for each stage of the methodology below, with further reading for each. Additionally, several folks have asked for each stage to be broken down with more information on how to do each check; these will make up future posts, otherwise this will end up being massive! Buckle up, it's going to be a long one ladies and gentlemen...

Recon Tooling

Utilize port scanning - Don't look for just the normal 80 and 443 - run a port scan against all 65536 ports. You'll be surprised what can be running on random high ports. Common ones to look for re: applications: 80, 443, 8080, 8443, 27201. There will be other things running on ports; for all of these I suggest ncat or netcat, OR you can roll your own tools, always recommend that! Tools useful for this: nmap, masscan, unicornscan. Read the manual pages for all tools, they serve as gold dust for answering questions.

Map visible content - Click about the application, look at all avenues for where things can be clicked on, entered, or sent. Tools to help: Firefox Developer Tools - go to Information > Display links.

Discover hidden & default content - Utilize Shodan for finding similar apps and endpoints - highly recommended that you pay for an account, the benefits are tremendous and it's fairly inexpensive. Utilize the Wayback Machine for finding forgotten endpoints. Map out the application looking for hidden directories, or forgotten things like /backup/ etc. Tools: dirb (also downloadable on most Linux distributions), dirbuster-ng (command line implementation of dirbuster), wfuzz, SecLists.

Test for debug parameters & dev parameters - RTFM - read the manual for the application you are testing: does it have a dev mode? Is there a DEBUG=TRUE flag that can be flipped to see more?

Identify data entry points - Look for where you can put data: is it an API? Is there a paywall or sign up? Is it purely unauthenticated?

Identify the technologies used - Look for what the underlying tech is. A useful tool for this is nmap again, and for web apps specifically Wappalyzer.

Map the attack surface and application - Look at the application from a bad guy's perspective: what does it do? What is the most valuable part? Some applications will value things more than others; for example a premium website might be more concerned about users being able to bypass the paywall than they are of, say, cross-site scripting. Look at the application logic too: how is business conducted?

Access Control Testing

Authentication
Check cookie scope - Is the cookie scoped to the current domain or can it be stolen? What are the flags set? Is it missing Secure or HttpOnly? This can be tested by trapping the request in Burp and looking at the cookie.
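To make the cookie check repeatable, here is an added example (my own code, not from the original post or any tool it names) that parses Set-Cookie headers copied out of a trapped response and reports missing Secure/HttpOnly flags plus an over-wide Domain scope; it goes one step beyond the text by also checking SameSite. The sample headers and the host name app.example.com are constructed for the example.

```python
from typing import Dict, List

# Constructed sample response headers, the kind you would see when trapping
# a response in an intercepting proxy. Host and cookie values are made up.
APP_HOST = "app.example.com"
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; Domain=.example.com",
    "Set-Cookie: csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: prefs=dark; Path=/; Domain=example.com; Secure",
    "Content-Type: text/html",
]

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")  # flag-only attributes get an empty value
        cookie[key.strip().lower()] = val.strip()
    return cookie

def audit_cookie(cookie: Dict[str, str], host: str) -> List[str]:
    """Return findings for one cookie; an empty list means the flags look right."""
    findings = []
    if "secure" not in cookie:
        findings.append("missing Secure: will be sent over plaintext HTTP")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly: readable by scripts in the page")
    if cookie.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: attached to cross-site requests")
    domain = cookie.get("domain", "").lstrip(".").lower()  # no Domain => host-only
    if domain and domain != host.lower():
        findings.append(f"Domain={domain} is wider than {host}: shared with sibling hosts")
    return findings

def audit_headers(headers: List[str], host: str) -> Dict[str, List[str]]:
    """Map cookie name -> findings for every Set-Cookie header in the response."""
    report = {}
    for header in headers:
        if header.lower().startswith("set-cookie:"):
            cookie = parse_set_cookie(header)
            report[cookie["name"]] = audit_cookie(cookie, host)
    return report

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS, APP_HOST).items():
        print(name, "->", findings or ["ok"])
```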