Web App Hacking Methodology

Web app pen testing:

Info gathering:

=Allowed and disallowed directories

=Issues of web app structure error pages produced

=retrieve and analyse robots.txt file using tools like GNU wget

=Use advanced "site:" search op, and then click "cache" to perform search engine recon

=Cookie info, 300 http and 400 status codes, 500 internal server error

=use tools such as Burp Suite, OWASP, TamperIE, TamperData

=web apps, old versions of files or artifacts

=probe for URLS, do dictionary-style searching (intelligent guessing) and perform vuln scanning using Nmap and nessus

=web server software version, scripting enviroment and OS in use

=Use techniques such as DNS zone transfers, DNS inverse queries, web based DNS searches, querying search engines (googling)


Info gathering continued:

=Software versions, details of databases, bugs and technological components

=Analyse error codes by requesting invalid pages and utilisealternate request methods (POST/PUT/other) in order to collect confidential info from the server

=Web app enviroment

=Examine source code from the accessible pages of the app front-end

=Provide clues to the underlying app enviroment

=Test for recognised file types/extensions/directories by requesting common file extensions such as .ASP, .HTM, .PHP, .EXE and watch for any unusual output or error codes

=Web app services and associated ports

=Perform TCP/ICMP and service fingerprinting using traditional fingering tools such as nmap or more recent app fingerprinting tool Amap.


Configuration Management Testing:

=disclosure of confidential info

=source code of the app

=info in source code, log files, and default error codes

=Confidential info about access credentials

=Source code, installation paths, passwords for apps and databases

=Admin interfaces can be found to gain access to admin functionality

=credentials of legtimate users

Conclusion:

-Identify the ports associated to SSL/TLS wrapped services using NMAP and nessus

-Perform network scanning and analyse the web serer banner

-Test the app config management using CGI scanners and reviewing the contents of the web server, app server, comments and  config and logs

-Review source code, enumerate app pages and functionality

-Perform directory and file enumeration reviewing server and app documentation etc, to test for infrastructure and app admin interfaces

-Review OPTIONS HTTP method using Netcat and Telnet


Authentication Testing:

=Password, authentication weakness

=Authentication vuln

=Authentication vuln

=multiple factors authentication vuln

=Race conditions

Conclusion:

-Try to reset passwords by guessing, social eng or cracking secret qs

Check if "remember by password" mechanism is implemented by checking the HTML code of login page

-check if it possible to "reuse" a session after logout, also check if the application automatically logs out a user when the user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache

-Identify all parameters that are sent in additiona to the decoded CAPTCHA value from the client to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session id

-Check if users hold a hardware device of some kind in addition to the password. Check if hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.

-Attempt to force a race condition make multiple simultaneous requests while observing the outcome for unexpected behaviour. Perform code review.


Session Management Testing:

=Cookie tampering results in hijacking the sessions of legtimate users

=Cookie info to hijack a valid session

=Collect suffiecient number of cookie samples, analyse cookie generation algorithm and forge a valid cookie in order to perform the attack

=Attacker could steal the user session (session hijacking)

=Test for cookie attributes using intercepting proxies such as webscrab, burp suite, OWASP zap

=Confidential info of session token leads to a replay session attack

=to test for session fixation, make a request to the site to be tested and analyse vuln using webscarab tool

=test for exposed session variables by inspecting encryption & reuse of session token, proxies and caching, GET & POST, and transport vuln

=compromises end user data and operation or entire web app

=Examine the URLs in the restricted area to test for CSRF


Authorization Testing:

=Access to resources /functionality allowing a privilege escalation attack

=Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web app

=Can gain illegal access to reserved functions/resources

=Test for bypassing authorisation schema by examining the admin functionalities, to gain access to the resources assigned to a different role

=Use web spidering tool

=Access to resources /functionality allowing a privilege escalation attack

=Test for role/privilege manipulation


Data Validation Testing:

=Session cookie info

=Sensitive info such as session authorisation tokens

=Cookie info

=Info on DOM based cross site scripting vuln

=Database info

=Sensitive info about users and hosts


Conclusion:

-Detect and analyse input vectors for potential vuln , analyse the vuln report and attempt to exploit it. use tools such as OWASP cal900, Webscarab, XSS-proxy, ratproxy, and burpsuite

-Analyse HTML code, test for stored XSS, leverage stored XSS, verify if the file upload allows setting arbitrary MIME types, using tools such as OWASP cal900, Hackvertor, XSS-proxy, backframe, webscarab, burpsuite, XSS assistant

-Perform source code analysis to identify Javacript coding errors

-Analyse SWF files using tools such as SWFintruder, Decomplier-flare, complier - MTASC, Disassembler-Flasm, SWFmill and debugger version of plash plugin/player

-Perform std SQL injection testing, union query SQL injection esting, blind sql injection testing and stored procedure injection using tools such as OWASP SQLix, SQLninja, SQL power injector

-Use a trial and error approach by inseting '(', '|', '&', '"' and other characters in other to check the app for errors, use the tool softerra LDAP browser


Data Validation Testing Continued:

=Info on SQL injection vuln

=Info about XML structure

=Web Server CGI enviroment variables

=Access confidential info

=Access to backend mail server


Conclusion:

-Discover vuln of an ORM tool and test web apps that use ORM. Use tools  such as hibernate ORM, Nhibernate, and ruby on rails

-Try to insert XML metacharacters

-Find if the web server actually supports SSI directories using tools such as burp suite, OWASP ZAP, webscarab

-Inject Xpath code and interfere with the query result

-Identify vuln parameters. Understand the data flow and deployment structure of the client and perform IMAP/SMTP command injection


Data Validation Testing Continued:

=input validation errors

=Local data and system info

=Stack and heap memory info, app control flow

=Server config and input validation schemes

=Cookies and HTTP redirect info


Conclusion:

-Inject code (a malicious URL) and perform source code analysis to discover code injection vuln

-Perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks

-perform manual and automated code analysis using tools such  ollybdg to detect buffer overflow condition

-Upload a file that exploits a component in the local user workstation, when viewed or downloaded by the user, perform XSS and SQL injection attack

-Identify all user controlled input that influences one or more headers in the response, and check wheather he or she can successfully  inject a CR+LF sequence in it


Denial of service testing:

=App info

=Crafy a query that will not return a result and inclices several wildcards. Test manually or employ a fuzzer to automate the process

=Login acc info

=Test that an account does indeed lock after a certain number of failed login. Find places where the app discloses diff between valid and invalid login

=Buffer overflow points

=Perform a manual source code analysis and submit a range of inputs with varying lengths to the app

=Maximum number of objects that application can handle

=Find where the number of submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, then see if the server continues to respond


Denial of service testing continued:

=Logical errors in an app

=Enter an extremely large number in the input field that is used by the app as a loop counter

=Use a script to automatically submit an extremely long value to the server in the request that is being logged

=Local disks exhaustion

=Programming flaws

=Identify and send a large number of requests that perform a database operations and observe any slowdown or new error messages

=Session management errors

=Create a script to automate the creation of many new sessions with the server and run the request that is suspected of caching the data within the session for each one


Web Services Testing:

=info of UDDI, WSDL, SOAP and UBR

=WSDL entry points

=XML parser

=info about SQL, Xpath, buffer overflow, and command injection vuln

=Http GET/REST attack vectors

=SOAP message info

=info about MITM vuln

Conclusion:

-to gather WS info use toold such as WSchess, soaplite, CURL , etc and online tools such as UDDI broswer and Xmethods

-Use tools such as WSdigger, webscarab and foundstone to automate web services security testing

-Pass malformed SOAP message to XML parser or attach a very large string to the message. Use WSdigger to perform automated XML structure testing

-Use web app vuln scanners such as webscarab to test XML content-level vuln

-Pass malicious content on the HTTP GET strings that invoke XML apps

-Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment to check if XML document has SOAP attachement vuln

-attempt to resend a sniffed XML message using Wireshark and web scarab


AJAX testing:

=AJAX app call endpoints

=XMLHttpRequest object, Javascript files, AJAX frameworks

= Format of app requests


Conclusion:

-Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax

-Observe HTML and Javascript files to find URLs of additional app surface exposure

-Use proxies and sniffers to observe traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX end points in order to determine the formate and destination of the requests


Web app pen testing framework: