Tweet

Harsh Bothra

1 Jan, 15 tweets, 4 min read

#SecurityExplained S-1: Web Testing Methodology

The below thread contains an overview of my pentesting methodology on the web application targets:

1. Initially, before starting with the engagement, I start with "Scoping" .........

(1/n)

(2/n)
where I go through the details shared by the client to understand the scope and see if the testing is feasible as per the given timeline. During this phase, I also check if the application is accessible and credentials (if required) are working properly.

(3/n)
If any of the things from "Step-1" are blocking, I reach out to the concerned person and request to unblock the blocking items.
2. Next, I start browsing the application while letting the traffic flow through Burp Suite to populate the "Target" menu.

(4/n)
...The main idea here is to understand core business logic, map out interesting functionalities and build an overall attack surface. I also take notes if required.
3. In parallel to Step-2, I also run "Recon" activities....

(5/n)
depending upon the scope size, however, some basic minimum are to run "Port Scan, Directory Fuzzing, Historical URL Scan, Nuclei, GitHub Scanning" and some other tools as required. I also perform quick OSINT to check for the information & data leakage related to my target.

(6/n)
4. Further, I start preparing a threat map that contains theoretical test cases of "What an attacker can possible do to exploit this application?".

(7/n)
For example, if an application has 3 user roles, I would check for the privilege escalation on "Three Different Levels"(Vertical) as well as privilege escalation on "Same Level" (Horizontal).

(8/n)
5. Lastly and most importantly, I start the manual penetration testing on the application. I include the test cases derived from "Step-4" in my manual testing. Now, breaking down the manual penetration testing approach a bit further:

(9/n)
a. I mainly rely upon "Burp Suite, Developer Tools and Skills" during the manual assessment.
b. I use the "Advance Scope" option in the Burp Suite to remove unnecessary noise and also help to be in the correct scope while running the "Active/Passive" Scanner.

(10/n)
c. I use "Autorize" to perform checks related to "Privilege Escalation & IDOR".
d. I check most of the "GET" endpoints that return data using an unauthenticated user to check for "Lack of Authorization Checks".

(11/n)
e. I use "Burp Match & Replace" to check for injection attacks, I define specific stings which are further replaced to the Payloads by Burp Proxy's Match & Replace rules. It makes overall testing quite easy.

(12/n)
f. I spend more time on functionalities such as "File Upload" because such functionalities themselves have a very big attack surface.
g. Similarly, I use "Burp Extensions" as per the "application".

(13/n)
For example, If the application uses "SSO" then only I enable the extensions related to "SSO" such as "SAML Raider" and others.
h. I keep logs of the testing using "Logger++". Taking logs helps a lot.

(14/n)
This is the basic testing methodology that I use while testing a web application. However, there's a lot more to cover in the "Manual Testing" that I will attempt to cover in near future through some Blog.

(n/n)
Feel free to ask if you have any questions on "How do I Test specific things", etc.

#appsec #infosec #bugbountytips #bugbounty #hacking #infosec #learn365 #securityexplained

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @harshbothra_

Harsh Bothra

@harshbothra_

31 Jan 21

#learn365 Day-31: Captcha Bypass Techniques

Captcha is widely adapted by the applications to avoid automated attempts on specific functionality, commonly on the Authentication forms to avoid brute-force attacks.

#bugbountytips #appsec #infosec #Pentesting

(1/n)

(2/n)
However, it is possible to bypass Captcha, and sometimes if the function is critical, it can be paid well in terms of bounties.

1. Missing Server-Sides Validation
- Some apps send Captcha Parameters on the client-side but they do not validate this on the server side.

(3/n)
- Simply, Remove the "Captcha" parameters and see if the request is processed successfully.
- If yes, you can now use this request to perform your brute-force or rate-limiting attempts.

Read 10 tweets

Harsh Bothra

@harshbothra_

30 Jan 21

#learn365 Day-30: Common Business Logic Issues (Wrap)

(Cont'd...)
9. Parameter Tampering
- Tamper Payment or Critical Fields to manipulate their values
- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
#bugbountytips #appsec
(1/n)

(2/n)
- Response Manipulation to bypass certain restrictions such as 2FA Bypass

10. App Implementation Logic Abuse
- If an app accepts JSON data, try changing content type to XML and see if the XML data is being processed, it can be left vulnerable to XXE or XML-based attacks.

(3/n)
- If an application is using the DELETE method to delete a resource but there is no CSRF protection, try converting the method to GET/POST and add an additional parameter like ?method=delete

Read 7 tweets

Harsh Bothra

@harshbothra_

29 Jan 21

#learn365 Day-29: Common Business Logic Issues (Part - 2)

(cont'd...)
5. Premium Feature Abuse
- Try forcefully browsing the areas or some particular endpoints which come under premium accounts.

#bugbountytips #AppSec #infosec #pentest

(1/n)

(2/n)
- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
- Some applications use true-false request/response values to validate if a user is having access to premium features or not.

(3/n)
- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.

Read 8 tweets

Harsh Bothra

@harshbothra_

28 Jan 21

#learn365 Common Business Logic Issues: Part-1

I'll try to cover some of the interesting business logic flaws that I usually test and have encountered so far today & in the next couple of days. Feel free to add more if you know any.
#bugbountytips #appsec #websecurity

(1/n)

(2/n)

1. Review Functionality
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.

(3/n)
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
- Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions.

Read 9 tweets

Harsh Bothra

@harshbothra_

23 Jan 21

#learn365 Day-22: Password Reset Token Issues

1. Weak Cryptography in Password Reset Tokens
- Always check randomness in password reset tokens. It is also a good idea to check password reset tokens against known schemes.
Ref: medium.com/bugbountywrite…
#bugbountytips
(1/n)

(2/n)
2. Reusable Password Reset Tokens
- Use the token once and try to re-use it again.
- Request a new token and try if the old one is still active.
- Check how long a token stays alive. If it's >1 day and is reusable, you may report it.

(3/n)
3. IDOR (ATO)
- In the password reset link, assume there is something like this:
harshbothra.tech/reset?token=so…
- try changing the value of the user parameter to the victim and see If the attack token can be used for resetting the victim's password.
harshbothra.tech/reset?token=so…

Read 8 tweets

Harsh Bothra

@harshbothra_

22 Jan 21

#learn365 Day-22: GraphQL Part - 3 WrapUp

Pentesting GraphQL may look hard if you are not familiar but there is still a lot to explore and exploit once you understand how it works. Today, It's all about continue reading and some good resources.

#bugbountytips #appsec

(1/n)