Web App Hacking Methodology

Web app pen testing:

• define objective
• info gathering
• Configuration management testing
• Authentication testing
• Session management testing
• Denial of service testing
• Data validation testing
• Business logic testing
• Authorization testing
• Web services testing
• AJAX testing
• Document all findings
  

Info gathering:

• Start
• Analyse the robots.txt file

=Allowed and disallowed directories

• Perform search engine recon

=Issues of web app structure error pages produced

=retrieve and analyse robots.txt file using tools like GNU wget

=Use advanced "site:" search op, and then click "cache" to perform search engine recon

• Identify app entry points

=Cookie info, 300 http and 400 status codes, 500 internal server error

=use tools such as Burp Suite, OWASP, TamperIE, TamperData

• Identify the web apps

=web apps, old versions of files or artifacts

=probe for URLS, do dictionary-style searching (intelligent guessing) and perform vuln scanning using Nmap and nessus

• Analyze the O/P from HEAD and OPTIONS http requests

=web server software version, scripting enviroment and OS in use

=Use techniques such as DNS zone transfers, DNS inverse queries, web based DNS searches, querying search engines (googling)

Info gathering continued:

• Analysis of error codes

=Software versions, details of databases, bugs and technological components

=Analyse error codes by requesting invalid pages and utilisealternate request methods (POST/PUT/other) in order to collect confidential info from the server

• Test for recognised file types/extensions/directories

=Web app enviroment

=Examine source code from the accessible pages of the app front-end

• Examine source of available pages

=Provide clues to the underlying app enviroment

=Test for recognised file types/extensions/directories by requesting common file extensions such as .ASP, .HTM, .PHP, .EXE and watch for any unusual output or error codes

• TCP/ICMP and service fingerprinting

=Web app services and associated ports

=Perform TCP/ICMP and service fingerprinting using traditional fingering tools such as nmap or more recent app fingerprinting tool Amap.

Configuration Management Testing:

• Start
• Perform SSL/TLS testing

=disclosure of confidential info

• Perform infrastructure config management testing

=source code of the app

• Perform app config management testing

=info in source code, log files, and default error codes

• Test for file extensions handling

=Confidential info about access credentials

• Verify the presence of old, back, and unreferenced files

=Source code, installation paths, passwords for apps and databases

• Test for infrastructure and app admin interfaces

=Admin interfaces can be found to gain access to admin functionality

• Test for HTTP methods and XST

=credentials of legtimate users

Conclusion:

-Identify the ports associated to SSL/TLS wrapped services using NMAP and nessus

-Perform network scanning and analyse the web serer banner

-Test the app config management using CGI scanners and reviewing the contents of the web server, app server, comments and  config and logs

-Review source code, enumerate app pages and functionality

-Perform directory and file enumeration reviewing server and app documentation etc, to test for infrastructure and app admin interfaces

-Review OPTIONS HTTP method using Netcat and Telnet

Authentication Testing:

• Start
• Test for vuln remember password and PWD reset

=Password, authentication weakness

• Test for logout and browser cache management

=Authentication vuln

• Test for CAPTCHA

=Authentication vuln

• Test for multiple factors authentication

=multiple factors authentication vuln

• Test for race conditions

=Race conditions

Conclusion:

-Try to reset passwords by guessing, social eng or cracking secret qs

Check if "remember by password" mechanism is implemented by checking the HTML code of login page

-check if it possible to "reuse" a session after logout, also check if the application automatically logs out a user when the user has been idle for a certain amount of time, and that no sensitive data remains stored in the browser cache

-Identify all parameters that are sent in additiona to the decoded CAPTCHA value from the client to the server and try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session id

-Check if users hold a hardware device of some kind in addition to the password. Check if hardware device communicates directly and independently with the authentication infrastructure using an additional communication channel.

-Attempt to force a race condition make multiple simultaneous requests while observing the outcome for unexpected behaviour. Perform code review.

Session Management Testing:

• Start
• Test for session management schema

=Cookie tampering results in hijacking the sessions of legtimate users

• Test for cookie attributes

=Cookie info to hijack a valid session

=Collect suffiecient number of cookie samples, analyse cookie generation algorithm and forge a valid cookie in order to perform the attack

• Test for session fixation

=Attacker could steal the user session (session hijacking)

=Test for cookie attributes using intercepting proxies such as webscrab, burp suite, OWASP zap

• Test for exposed session variables

=Confidential info of session token leads to a replay session attack

=to test for session fixation, make a request to the site to be tested and analyse vuln using webscarab tool

=test for exposed session variables by inspecting encryption & reuse of session token, proxies and caching, GET & POST, and transport vuln

• Test for CSRF 

=compromises end user data and operation or entire web app

=Examine the URLs in the restricted area to test for CSRF

Authorization Testing:

• Start
• Test for path traversal

=Access to resources /functionality allowing a privilege escalation attack

=Test for path traversal by performing input vector enumeration and analyzing the input validation functions present in the web app

• Test for HTTP request tampering

=Can gain illegal access to reserved functions/resources

=Test for bypassing authorisation schema by examining the admin functionalities, to gain access to the resources assigned to a different role

• Test for cookie parameter tampering

=Use web spidering tool

• Test for privilege escalation

=Access to resources /functionality allowing a privilege escalation attack

=Test for role/privilege manipulation

Data Validation Testing:

• Start
• Test for reflected cross site scripting

=Session cookie info

• Test for stored cross-site scripting

=Sensitive info such as session authorisation tokens

• Test for DOM-based cross site scripting

=Cookie info

• Test for cross site flashing

=Info on DOM based cross site scripting vuln

• Perform SQL injection testing

=Database info

• Perform LDAP injection testing

=Sensitive info about users and hosts

Conclusion:

-Detect and analyse input vectors for potential vuln , analyse the vuln report and attempt to exploit it. use tools such as OWASP cal900, Webscarab, XSS-proxy, ratproxy, and burpsuite

-Analyse HTML code, test for stored XSS, leverage stored XSS, verify if the file upload allows setting arbitrary MIME types, using tools such as OWASP cal900, Hackvertor, XSS-proxy, backframe, webscarab, burpsuite, XSS assistant

-Perform source code analysis to identify Javacript coding errors

-Analyse SWF files using tools such as SWFintruder, Decomplier-flare, complier - MTASC, Disassembler-Flasm, SWFmill and debugger version of plash plugin/player

-Perform std SQL injection testing, union query SQL injection esting, blind sql injection testing and stored procedure injection using tools such as OWASP SQLix, SQLninja, SQL power injector

-Use a trial and error approach by inseting '(', '|', '&', '"' and other characters in other to check the app for errors, use the tool softerra LDAP browser

Data Validation Testing Continued:

• Perform ORM injection testing

=Info on SQL injection vuln

• Perform XML injection testing

=Info about XML structure

• Perform SSI injection testing

=Web Server CGI enviroment variables

• Perform Xpath Injection testing

=Access confidential info

• Perform IMAP/SMTP injection testing

=Access to backend mail server

Conclusion:

-Discover vuln of an ORM tool and test web apps that use ORM. Use tools  such as hibernate ORM, Nhibernate, and ruby on rails

-Try to insert XML metacharacters

-Find if the web server actually supports SSI directories using tools such as burp suite, OWASP ZAP, webscarab

-Inject Xpath code and interfere with the query result

-Identify vuln parameters. Understand the data flow and deployment structure of the client and perform IMAP/SMTP command injection

Data Validation Testing Continued:

• Perform code injection testing

=input validation errors

• Perform OS commanding

=Local data and system info

• Perform buffer overflow testing

=Stack and heap memory info, app control flow

• Perform incubated vuln testing

=Server config and input validation schemes

• Test for HTTP splitting/smuggling

=Cookies and HTTP redirect info

Conclusion:

-Inject code (a malicious URL) and perform source code analysis to discover code injection vuln

-Perform manual code analysis and craft malicious HTTP requests using | to test for OS command injection attacks

-perform manual and automated code analysis using tools such  ollybdg to detect buffer overflow condition

-Upload a file that exploits a component in the local user workstation, when viewed or downloaded by the user, perform XSS and SQL injection attack

-Identify all user controlled input that influences one or more headers in the response, and check wheather he or she can successfully  inject a CR+LF sequence in it

Denial of service testing:

• Test for SQL wildcard attacks

=App info

=Crafy a query that will not return a result and inclices several wildcards. Test manually or employ a fuzzer to automate the process

• Test for locking customer accounts

=Login acc info

=Test that an account does indeed lock after a certain number of failed login. Find places where the app discloses diff between valid and invalid login

• Test for buffer overflows

=Buffer overflow points

=Perform a manual source code analysis and submit a range of inputs with varying lengths to the app

• Test for user specified object allocation

=Maximum number of objects that application can handle

=Find where the number of submitted as a name/value pair might be used by the application code and attempt to set the value to an extremely large numeric value, then see if the server continues to respond

Denial of service testing continued:

• Test for user input as a loop counter

=Logical errors in an app

=Enter an extremely large number in the input field that is used by the app as a loop counter

=Use a script to automatically submit an extremely long value to the server in the request that is being logged

• Write user provided data to disk

=Local disks exhaustion

• Test for proper release of resources

=Programming flaws

=Identify and send a large number of requests that perform a database operations and observe any slowdown or new error messages

• Test for storing too much data in session

=Session management errors

=Create a script to automate the creation of many new sessions with the server and run the request that is suspected of caching the data within the session for each one

Web Services Testing:

• Start
• Gather WS info

=info of UDDI, WSDL, SOAP and UBR

• Test WSDL

=WSDL entry points

• Test XML structure

=XML parser

• Test XML content level

=info about SQL, Xpath, buffer overflow, and command injection vuln

• Test HTTP GET parameters/REST

=Http GET/REST attack vectors

• Test Naughty SOAP attachments

=SOAP message info

• Perform replay testing

=info about MITM vuln

Conclusion:

-to gather WS info use toold such as WSchess, soaplite, CURL , etc and online tools such as UDDI broswer and Xmethods

-Use tools such as WSdigger, webscarab and foundstone to automate web services security testing

-Pass malformed SOAP message to XML parser or attach a very large string to the message. Use WSdigger to perform automated XML structure testing

-Use web app vuln scanners such as webscarab to test XML content-level vuln

-Pass malicious content on the HTTP GET strings that invoke XML apps

-Craft an XML document (SOAP message) to send to a web service that contains malware as an attachment to check if XML document has SOAP attachement vuln

-attempt to resend a sniffed XML message using Wireshark and web scarab

AJAX testing:

• Start
• Testing for AJAX

=AJAX app call endpoints

• Parse the HTML and Javascript files

=XMLHttpRequest object, Javascript files, AJAX frameworks

• Use a proxy to observe traffic

= Format of app requests

Conclusion:

-Enumerate the AJAX call endpoints for the asynchronous calls using tools such as Sprajax

-Observe HTML and Javascript files to find URLs of additional app surface exposure

-Use proxies and sniffers to observe traffic generated by user-viewable pages and the background asynchronous traffic to the AJAX end points in order to determine the formate and destination of the requests

Web app pen testing framework:

• Metasploit
• Powersploit
• Browser exploitation framework (BeEF)
• Kali Linux
• WAFninja
• Dradis
• Netsparker
• skipfish
• Wfuzz