This blog post is the first in a series about the world of web application penetration testing. What you are reading now is an introduction aimed at giving the aspiring pentester the essential knowledge and tools. Although further articles addressed to more experienced pentesters will follow, this series should be used as a quick reference; it is by no means a substitute for a formal classroom environment and, most importantly, hands-on experience.
Below are listed the phases we are going to describe:
– Phase 1: Planning
– Phase 2: Scoping
– Phase 3: Assessing Stages
– Phase 4: Exploitation
Phase 1: Planning
First, we have to identify the type of test we are going to perform; in plain English, what we are aiming for. Then we plan all our actions around that goal.
Based on that goal, these are our options:
- Web Penetration Testing (includes a proof of concept; exploitation carries risk, so it must be planned carefully against production systems).
- Vulnerability Assessment (does not include a proof of concept, but does cover the important issues).
Note: The difference between a vulnerability assessment and a web application penetration test is that in a penetration test we provide a proof of concept, meaning we actually penetrate the company's web applications and demonstrate the impact, for example by extracting customers' valuable data. A vulnerability assessment only identifies and rates the weaknesses without actually exploiting the web application.
Phase 2: Scoping
Once we have planned our web pentest and identified the goals, we can proceed with scoping, e.g. are we going to restrict our testing to only one domain? Do we want to exploit certain functionality? Are we interested in coverage?
The following steps have to be followed in order to scope the target:
– Define Web Application Attack Surface
– Identify the scoped URL(s)
– Identify the scoped functionality
Phase 3: Assessing Stages
A web application penetration test differs significantly from a network penetration test, and its complexity varies with the application under test. Below are the stages to follow when pentesting a web application:
- Map Web Application
- Identify functionality and technologies used
Map Web Application
When mapping a Web Application, we usually go through the following steps:
- Exploring visible content (e.g. all linked content)
- Exploring non-visible content (e.g. all non-linked content)
Exploring visible content
When exploring the visible content we simply browse through the application and record the identified links. This can be achieved with the following tools:
For the more advanced amongst you, this can also be achieved using a programming language such as Python or Go. For more information see the following web crawlers:
Exploring non-visible content
By exploring non-visible content we mean all default, dynamic and non-linked content. How? By using a technique named forced browsing. Forced browsing is an attack that aims to enumerate and access resources that are not referenced by the application but are still accessible, typically by requesting likely names (backup files, admin paths, old versions of pages) taken from a word list.
The Open Web Application Security Project (OWASP) has a very well written guide on how to perform forced browsing [here].
The tools we can use for this purpose are as follows:
- [Burp Suite Professional Web Proxy]
- [Burp Suite Free Edition Web Proxy] (Content discovery plug-in)
- [ZAP Web Proxy] (Content discovery plug-in)
- [DirBuster]
- [dirsearch]
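To make the idea concrete, here is a small forced-browsing script added to this post (it is example code, not one of the tools listed above). It first requests a random path to learn how the application answers for content that does not exist, then reports only word list entries whose response differs from that baseline; without this step an application that answers every unknown path with 200 OK and a friendly "not found" page makes every guess look like a hit. The host target.example, the word list and the fetcher that answers for it are constructed for the offline demo; swap fake_fetch for http_fetch to run against an in-scope host.

```python
"""Forced browsing with a soft-404 baseline (added example, not the author's tool).

A naive check that reports every non-404 response floods the tester with false
positives on applications that answer unknown paths with "200 OK" and a
"not found" page. This script requests a random path that cannot exist, keeps
that response as the baseline, and reports only paths whose response differs
from it. The fetcher is injected so the logic can be exercised offline against
a constructed target; http_fetch is the real one.
"""
import difflib
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher returns (status_code, body) for a URL.
Fetcher = Callable[[str], Tuple[int, bytes]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as-is instead of following them: a guessed path
    that redirects to /login is itself worth recording."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Real fetcher: one GET, no redirects, HTTP errors returned rather than raised."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "forced-browse-example/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def similarity(a: bytes, b: bytes) -> float:
    """0.0 (nothing in common) .. 1.0 (identical) for two response bodies."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def force_browse(base: str, wordlist: List[str], fetch: Fetcher,
                 threshold: float = 0.9) -> Dict[str, Tuple[int, int]]:
    """Return {url: (status, body_length)} for word list entries whose response
    is neither a 404 nor a near-copy of the soft-404 baseline page."""
    base = base.rstrip("/")
    # Baseline: a random path that cannot exist on the target.
    base_status, base_body = fetch(f"{base}/{secrets.token_hex(12)}")
    hits: Dict[str, Tuple[int, int]] = {}
    for word in wordlist:
        url = f"{base}/{word.lstrip('/')}"
        status, body = fetch(url)
        if status == 404:
            continue
        if status == base_status and similarity(base_body, body) >= threshold:
            continue  # indistinguishable from the not-found page
        hits[url] = (status, len(body))
    return hits


# Constructed target for the offline demo: unknown paths get a 200 "not found"
# page, so a status-code-only check would flag every word in the list.
_NOT_FOUND = b"<html><body><h1>Page not found</h1><p>Try the home page.</p></body></html>"
_FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "http://target.example/admin": (302, b""),  # bounces to a login page
    "http://target.example/backup.zip": (200, b"PK\x03\x04" + bytes(512)),
    "http://target.example/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "http://target.example/robots.txt": (200, b"User-agent: *\nDisallow: /admin\n"),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    return _FAKE_SITE.get(url, (200, _NOT_FOUND))


WORDLIST = ["admin", "backup.zip", ".git/HEAD", "robots.txt", "uploads", "test", "old"]

if __name__ == "__main__":
    # Swap fake_fetch for http_fetch to run against an in-scope target.
    results = force_browse("http://target.example", WORDLIST, fake_fetch)
    for url, (status, size) in sorted(results.items()):
        print(f"{status} {size:>6} {url}")
```

The body comparison uses a similarity ratio rather than an exact match so that soft-404 pages carrying the requested path or a timestamp are still recognised as noise; lower the threshold if the target's error page varies a lot, and treat the 3xx hits as leads to follow up with an authenticated session.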
Identifying Functionality and Technologies Used
The functionality we usually focus on when performing a web app test includes, but is not limited to, the following generic functions:
- Login/Logout functions
– Password ageing
– Password recovery
– Password expiration
– Password reset
– Password lockout mechanism
- Data submission functions
– Data form submission sanitization
- Session creation
– Randomness
– Session length
- Session termination
– Soft timeouts
– Hard timeouts
– Idle timeouts
- Third-party, cross-domain referenced code (e.g. externally hosted scripts)
- Privilege management
– Assess privilege handling
Phase 4: Exploitation
Web application exploitation should take into consideration whether the target is a production system, the goals of the penetration test and the amount of time to be dedicated to the exploitation effort. But first we have to identify the exposed components of the web application that can be PoC'ed.
The following sections focus on these elements.
Exploiting Authentication Mechanisms
Go through the whole authentication mechanism:
– Test password and username security policies
– Test lock out mechanisms
– Run an online login brute force attack (taking the lockout policy into account so that the test itself does not lock out legitimate users)
– Perform user enumeration using the responses from the server
– Test for auto generated credentials predictability
– Test for unsafe credential transmission
– Test Session Management Mechanism
The relevant OWASP Testing Guide references for authentication and session management are:
– Testing for Session Management Schema (OWASP-SM-001)
– Testing for Cookies attributes (OWASP-SM-002)
– Testing for Session Fixation (OWASP-SM-003)
– Testing for Exposed Session Variables (OWASP-SM-004)
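As an added example (not from the original post) covering the session checks listed above, the script below audits a Set-Cookie header for the attributes OWASP-SM-002 asks about and runs a cheap predictability check over a sample of session tokens, the kind of gross weakness (counter-like values, positions that never change) that shows up even in a handful of captured tokens. The cookie values and token samples are constructed; the "strong" tokens are SHA-256 digests of fixed seeds standing in for real CSPRNG output so the run is reproducible.

```python
"""Session management checks (added example, not from the original post).

Two checks a tester runs against the session layer: (1) audit Set-Cookie
headers for the attributes that protect the session token (OWASP-SM-002), and
(2) look at a sample of captured session tokens for obvious predictability
(fixed positions, small alphabet, counter-like values). The samples below are
constructed; a real run would feed in cookies and tokens captured in the proxy.
"""
import hashlib
import math
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return the weaknesses of a session cookie's attributes (empty if none)."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: token can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: token readable by script (XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: weaker CSRF protection")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: session token survives browser close")
    return findings


def assess_tokens(tokens: List[str]) -> Dict[str, object]:
    """Cheap predictability indicators for a sample of session tokens.

    max_bits is an upper bound (uniform symbols over the observed alphabet);
    varying_bits discounts positions that never change across the sample.
    A real assessment needs hundreds of tokens (Burp Sequencer style); this
    only catches gross weaknesses.
    """
    if not tokens or len({len(t) for t in tokens}) != 1:
        raise ValueError("need a non-empty sample of equal-length tokens")
    length = len(tokens[0])
    alphabet = {c for t in tokens for c in t}
    fixed = sum(1 for i in range(length) if len({t[i] for t in tokens}) == 1)
    bits_per_symbol = math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    # Counter detection: do the tokens decode to steadily increasing integers?
    sequential = False
    try:
        values = [int(t, 16) for t in tokens]
        diffs = [b - a for a, b in zip(values, values[1:])]
        sequential = bool(diffs) and all(0 < d < 2**20 for d in diffs)
    except ValueError:
        pass  # not hex; skip the counter check
    return {
        "length": length,
        "alphabet_size": len(alphabet),
        "fixed_positions": fixed,
        "max_bits": length * bits_per_symbol,
        "varying_bits": (length - fixed) * bits_per_symbol,
        "sequential": sequential,
    }


# Constructed samples.
WEAK_COOKIE = "JSESSIONID=000000000000138d; Path=/"
GOOD_COOKIE = "sid=c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2; Path=/; Secure; HttpOnly; SameSite=Strict"
# Counter-like tokens: 14 of 16 positions never change and the value grows by one.
WEAK_TOKENS = ["000000000000138d", "000000000000138e", "000000000000138f", "0000000000001390"]
# Stand-in for CSPRNG output: SHA-256 of constructed seeds, deterministic so the
# demo is reproducible (a real app would use secrets.token_hex or equivalent).
STRONG_TOKENS = [hashlib.sha256(f"seed-{i}".encode()).hexdigest() for i in range(6)]

if __name__ == "__main__":
    for cookie in (WEAK_COOKIE, GOOD_COOKIE):
        print(cookie.split(";")[0], "->", audit_session_cookie(cookie) or ["ok"])
    for label, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(label, assess_tokens(sample))
```

On the weak sample the report shows 48 bits of nominal length but only 6 bits that ever vary, plus a counter pattern: a token an attacker can guess after seeing one of their own. Treat these numbers as a triage signal and follow up with a proper statistical test on a large capture before reporting.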
Exploiting Account Access Controls
As a basic test, after mapping the content available to each type of user, look for resources that should be restricted but are not (e.g. access data belonging to higher-privilege accounts simply by guessing URL IDs).
More specifically, look at:
– Testing for bypassing authorization schema (OWASP-AZ-002)
– Testing for Privilege Escalation (OWASP-AZ-003)
– Business Logic Testing (OWASP-BL-001)
– Testing for Cross Site Request Forgery (OWASP-SM-005)
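The basic test above (replay what a privileged user could reach using a low-privilege session, then guess neighbouring URL IDs) can be automated. The script below is an added example, not from the original post: the sessions admin and user, the paths and the fake application answering for them are constructed, and fetch_as is injected so the checks run offline.

```python
"""Access control replay checks (added example, not part of the original post).

Vertical: every request that worked while mapping as a privileged user is
replayed with an unprivileged session; if the response comes back the same,
the privilege check is missing (OWASP-AZ-002/003). Horizontal: take a resource
the low-privilege user owns and swap its identifier for other users' IDs.
fetch_as is injected so the checks run offline against a constructed app.
"""
import difflib
from typing import Callable, Dict, List, Tuple

# fetch_as(session_name, path) -> (status, body); the session name selects
# which captured cookie jar the request is sent with.
FetchAs = Callable[[str, str], Tuple[int, bytes]]
DENIED = {401, 403, 302}  # a redirect to the login page is also a denial


def similarity(a: bytes, b: bytes) -> float:
    return difflib.SequenceMatcher(None, a, b).ratio()


def vertical_escalation(privileged_paths: List[str], fetch_as: FetchAs,
                        privileged: str, unprivileged: str,
                        threshold: float = 0.9) -> List[str]:
    """Paths reserved for `privileged` that `unprivileged` can fetch equally well."""
    findings = []
    for path in privileged_paths:
        p_status, p_body = fetch_as(privileged, path)
        if p_status != 200:
            continue  # nothing was exposed to the privileged user either
        u_status, u_body = fetch_as(unprivileged, path)
        if u_status in DENIED:
            continue
        if u_status == p_status and similarity(p_body, u_body) >= threshold:
            findings.append(path)
    return findings


def horizontal_idor(path_template: str, own_id: int, other_ids: List[int],
                    fetch_as: FetchAs, session: str) -> List[int]:
    """Identifiers other than `own_id` whose record `session` can read.

    A hit is a 200 whose body differs from the user's own record; that rules
    out endpoints that ignore the ID and always return the caller's own data.
    """
    _, own_body = fetch_as(session, path_template.format(id=own_id))
    hits = []
    for other in other_ids:
        status, body = fetch_as(session, path_template.format(id=other))
        if status == 200 and body != own_body:
            hits.append(other)
    return hits


# Constructed application: the /admin page is protected, the export endpoint
# and the per-user API are not.
_EXPORT = b"id,email\n1,alice@example.test\n2,bob@example.test\n"
_APP: Dict[Tuple[str, str], Tuple[int, bytes]] = {
    ("admin", "/admin/users"): (200, b"<table><tr><td>alice</td><td>bob</td></tr></table>"),
    ("user", "/admin/users"): (403, b"Forbidden"),
    ("admin", "/api/export"): (200, _EXPORT),
    ("user", "/api/export"): (200, _EXPORT),  # missing role check
    ("user", "/api/users/2"): (200, b'{"id": 2, "email": "bob@example.test"}'),
    ("user", "/api/users/1"): (200, b'{"id": 1, "email": "alice@example.test"}'),  # no owner check
}


def fake_fetch_as(session: str, path: str) -> Tuple[int, bytes]:
    return _APP.get((session, path), (404, b"Not found"))


if __name__ == "__main__":
    print("vertical:", vertical_escalation(["/admin/users", "/api/export"],
                                           fake_fetch_as, "admin", "user"))
    print("horizontal:", horizontal_idor("/api/users/{id}", 2, [1, 3, 4],
                                         fake_fetch_as, "user"))
```

In practice the privileged path list comes straight out of the proxy history recorded during mapping, and each candidate still needs a manual look: some endpoints legitimately return the same public data to everyone, which the similarity check cannot know.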
Exploiting Input Based Vulnerabilities
Input validation has to do with how user-supplied input is handled by the target application. The most basic classes of input-based attack are:
– SQL Injections
– Cross Site Scripting Attacks
– Cross Site Request Forgery Attacks
– XML Injections
The relevant OWASP Testing Guide references for input validation are:
– Testing for Reflected Cross Site Scripting (OWASP-DV-001)
– Testing for Stored Cross Site Scripting (OWASP-DV-002)
– Testing for DOM based Cross Site Scripting (OWASP-DV-003)
– Testing for Cross Site Flashing (OWASP-DV-004)
– Testing for SQL Injection (OWASP-DV-005)
– Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)
– Testing for path traversal (OWASP-AZ-001)
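Added example (not from the original post) for the SQL injection entry above: a login routine that builds its query from user input, the single-quote probe a tester uses to detect it, and the parameterized version that is immune to the same payload. The SQLite schema and accounts are constructed.

```python
"""SQL injection: vulnerable login beside its parameterized fix (added example,
not from the original post; the schema and accounts are constructed).

login_vulnerable pastes user input into the SQL text, so a crafted username
closes the quoted literal and comments out the password check. login_safe
sends the same logic with bound parameters: the driver never lets the input
alter the statement, so the same payload is just a username matching nothing.
"""
import sqlite3
from typing import Callable, Optional


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened: bound parameters keep data and code apart."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def error_probe(login: Callable[..., Optional[str]], conn: sqlite3.Connection) -> bool:
    """Tester's first probe: does a lone quote break the statement?

    A database error on a single quote is the classic sign of string-built SQL;
    the parameterized version just reports a failed login.
    """
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.Error:
        return True


# Closes the username literal, makes the WHERE clause always true and comments
# out the rest of the statement, including the password check.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    conn = setup()
    print("probe vulnerable:", error_probe(login_vulnerable, conn))    # True
    print("probe safe:      ", error_probe(login_safe, conn))          # False
    print("vulnerable login:", login_vulnerable(conn, PAYLOAD, "x"))   # alice
    print("safe login:      ", login_safe(conn, PAYLOAD, "x"))         # None
    print("legit login:     ", login_safe(conn, "bob", "hunter2"))     # bob
```

The injected statement becomes SELECT username FROM users WHERE username = '' OR 1=1 --' AND password = 'x', which returns the first row and logs the attacker in as that user. Note that the fix is the bound parameter, not escaping or filtering the quote character; the same pattern applies to every driver that supports placeholders.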
This concludes the first blog post in this penetration testing series. More articles that delve a bit deeper into the art of penetration testing and the resources needed to perform it will follow in due time.