Following the previous blogpost of this series regarding entry level resources for penetration testing, we are going to proceed with a list of referenced material focusing on web application penetration testing. Mainly, some handy Burp Extensions, resources for reading, and popular blogs, will be presented indicating useful content to build on, in order to increase your understanding on these areas.
Web Application Penetration Testing – Burp Extender modules
Following the previous post familiarising you with Burp Suite, we would like to highlight some useful Burp Extender modules as the next step of your Penetration Testing quest. Burp Extender is a Burp Suite Pro feature, which allows the tester to use several software modules as an extension to the default Burp Installation. More details about Burp Extender and its capabilities can be found here.
Logger ++ is a module allowing you to log HTTP request and responses from all Burp toolset, and also to perform extensive filtering, troubleshooting and investigation as part of your security verification or reporting phase.
Java Deserialization Scanner is another plugin allowing the detection and potential exploitation of Java Deserialization vulnerabilities. It integrates very smoothly with the Burp interface (quite similar to Burp Intruder), and essentially weaponizes ysoserial tool, in order to semi automate the scan of potentially vulnerable parameters and Java object manipulation.
Active Scan++ essentially extends the default Burp Suite scanning feature. It may scan passively and actively during the engagement, and integrate with the target findings to present you various findings like input validation or detect popular CVEs potentially affecting the application.
Probably the handiest authorization check module for Burp Extender. Lately it started to incorporate authentication tests too.
A module to detect Java Script components with known-vulnerabilities and integrate the findings with Burp Target results.
Despite that there are no latest updates, the scanner already incorporates useful features for detailed upload testing.
Collborator Everywhere is another extension brought to introduce non-invasive headers to enforce interaction of the backend with Burp Collaborator
Leaving tools aside, in order to increase your understanding on the bugs that you are looking for, OWASP active projects are an exceptional resource for proceeding into methodological security testing aspects. Some of these resources that you might find helpful are listed below:
OWASP Testing Guide v4
OWASP ASVS v4.0.
OWASP CheatSheet Series
Web App Security Testing Cheat sheets
Having established basic knowledge on the application security testing, you might want to organize your web app cheat sheets to make your life easier, and retrieve valuable information and payloads when you need them. Some handy blogs for that are the following:
For a plethora of payloads regarding different web security testing needs, payload-all-the-things is highly recommended
Smaller scale cheat sheets that you can use to organise integrate on your own cheat sheet are the following ones:
Web Security Research
Furthermore, after you have gained a solid understanding on entry and moderate level topics of web application security, you might want to expand your knowledge and awareness by going through active blogs of security researchers. Some blogs presenting current state of the art research on web application security, demonstrating new approaches on web application vulnerabilities detection and exploitation are the following:
In the news
To keep up with the news and security updated we highly recommend the following reddit communities:
Finally for book eaters, some recommended reading is the following:
Real World Bug Hunting – Peter Yaworski
The Web Application Hacker’s Handbook 2nd edition – Dafydd Stuttard, Marcus Pinto
Web Hacking 101 – Peter Yaworski
The Tangled Web: A Guide to Securing Modern Web Applications – Michael Zalewski
The Browser Hacker’s Handbook – Wade Alcorn, Christian Frichot, Michele Orru
This concludes the second blogpost in this Penetration Testing Series. You can always check out the first one to get the basics. Coming soon the third and final article focusing on, you guessed it, advanced resources for penetration testing.