#SecurityExplained S-1: Web Testing Methodology

The thread below gives an overview of my pentesting methodology for web application targets:

1. Initially, before starting the engagement, I start with "Scoping", where I go through the details shared by the client to understand the scope and see if the testing is feasible as per the given timeline. During this phase, I also check if the application is accessible and credentials (if required) are working properly.

If any of the things from "Step-1" are blocking, I reach out to the concerned person and request to unblock the blocking items.
2. Next, I start browsing the application while letting the traffic flow through Burp Suite to populate the "Target" menu. The main idea here is to understand the core business logic, map out interesting functionalities and build an overall attack surface. I also take notes if required.
3. In parallel to Step-2, I also run "Recon" activities depending upon the scope size; however, the basic minimum is to run "Port Scan, Directory Fuzzing, Historical URL Scan, Nuclei, GitHub Scanning" and other tools as required. I also perform a quick OSINT check for information & data leakage related to my target.
4. Further, I start preparing a threat map that contains theoretical test cases for "What can an attacker possibly do to exploit this application?". For example, if an application has 3 user roles, I would check for privilege escalation across the "Three Different Levels" (Vertical) as well as privilege escalation on the "Same Level" (Horizontal).
5. Lastly and most importantly, I start the manual penetration testing on the application. I include the test cases derived from "Step-4" in my manual testing. Now, breaking down the manual penetration testing approach a bit further:

a. I mainly rely upon "Burp Suite, Developer Tools and Skills" during the manual assessment.
b. I use the "Advanced Scope" option in Burp Suite to remove unnecessary noise and to stay in the correct scope while running the "Active/Passive" Scanner.
c. I use "Autorize" to perform checks related to "Privilege Escalation & IDOR".
d. I check most of the "GET" endpoints that return data using an unauthenticated user to check for "Lack of Authorization Checks".
e. I use "Burp Match & Replace" to check for injection attacks: I define specific strings which are then replaced with payloads by Burp Proxy's Match & Replace rules. It makes overall testing quite easy.
f. I spend more time on functionalities such as "File Upload" because such functionalities themselves have a very big attack surface.
g. Similarly, I use "Burp Extensions" as per the "application". For example, only if the application uses "SSO" do I enable the extensions related to "SSO", such as "SAML Raider" and others.
h. I keep logs of the testing using "Logger++". Taking logs helps a lot.
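One way to turn the Autorize-style checks in (c) and (d) and the vertical/horizontal split from Step-4 into a repeatable comparison, as an added example that is not part of the thread, of Autorize, or of any project it names. The HTTP call is injected as a function so the logic runs offline here against a constructed, hypothetical backend (`constructed_backend`, the `X-User` header and all paths are made up); the same harness doubles as an authorization regression test a team can keep in CI.

```python
# Added example (not from the thread): replay each endpoint under several test
# identities and flag where a less-privileged identity gets the owner's response.
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                  # (status, body), simplified
Identity = Tuple[int, Dict[str, str]]       # (privilege level, request headers)
Finding = Tuple[str, str, str]              # (path, kind, identity)


def check_authorization(endpoints: Dict[str, str], identities: Dict[str, Identity],
                        fetch: Callable[[str, Dict[str, str]], Response]) -> List[Finding]:
    """endpoints maps path -> identity that legitimately owns it; identities must
    include an anonymous one at level 0 (no headers). Returns one finding per
    identity that receives exactly the owner's response without being entitled to it."""
    findings: List[Finding] = []
    for path, owner in endpoints.items():
        responses = {name: fetch(path, hdrs) for name, (_, hdrs) in identities.items()}
        baseline = responses[owner]
        if baseline[0] != 200:
            continue        # owner is refused too: broken test setup, not a finding
        owner_level = identities[owner][0]
        for name, (level, _) in identities.items():
            if name == owner or level > owner_level or responses[name] != baseline:
                continue    # the owner, a legitimately higher role, or a refusal
            if level == 0:
                kind = "missing-auth"           # works with no session at all
            elif level < owner_level:
                kind = "vertical"               # lower role reaches higher-role data
            else:
                kind = "horizontal"             # peer reaches another user's data
            findings.append((path, kind, name))
    return findings


def constructed_backend(path: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a target app (hypothetical), identified by an
    X-User header: /api/orders/1 is protected correctly, /api/profile/2 has no
    check at all and /api/admin/users trusts any logged-in user."""
    user = headers.get("X-User")
    if path == "/api/orders/1":
        if user in ("alice", "admin"):
            return (200, '{"order": 1, "owner": "alice"}')
        return (401, "") if user is None else (403, "")
    if path == "/api/profile/2":
        return (200, '{"profile": 2, "owner": "bob"}')
    if path == "/api/admin/users":
        return (200, '["alice", "bob"]') if user else (401, "")
    return (404, "")

IDENTITIES: Dict[str, Identity] = {"anon": (0, {}), "alice": (1, {"X-User": "alice"}),
                                   "bob": (1, {"X-User": "bob"}), "admin": (2, {"X-User": "admin"})}
ENDPOINTS = {"/api/orders/1": "alice", "/api/profile/2": "bob", "/api/admin/users": "admin"}
```

Comparing whole responses keeps false positives down (a 200 error page differs from the owner's 200 body), while responses that differ only in a timestamp or CSRF token would need normalising before the comparison.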
This is the basic testing methodology that I use while testing a web application. However, there's a lot more to cover in "Manual Testing", which I will attempt to cover in the near future through some blog posts.

Feel free to ask if you have any questions on "How do I test specific things", etc.

#appsec #infosec #bugbountytips #bugbounty #hacking #infosec #learn365 #securityexplained
