General Approach for Web Application Security
In penetration testing, content discovery entails identifying sensitive or valuable information within a target system or network, such as user credentials, configuration files, or proprietary data. This process is part of a general approach for web application security, aiming to uncover and address potential vulnerabilities and data exposures.
Steps
1. Subdomain & Domain Enumeration
Goal: Expand the attack surface by identifying all possible subdomains and related domains.
- Tools & Techniques:
- Automated Enumeration:
- AMASS: Brute-force and scraping for subdomains.
- CRT.sh: Use Certificate Transparency logs to uncover subdomains.
- FOFA & Google Dorking: Utilize search engines to discover subdomains and related domains.
- Subdomainizer: Scan JavaScript files for additional subdomains.
- Gdorklinks.sh: Search for GitHub repos and documentation that might reference subdomains.
- Focus Areas:
- Finding Subdomains: Grow the scope of your target
- Subdomain Takeover: Identify potential subdomain takeover opportunities.
- Automated Enumeration:
2. Exploration & Discovery
Goal: Explore identified domains and subdomains to uncover hidden content, paths, and endpoints.
- Manual Exploration:
- Burp Suite: Manually browse and explore to identify unique functionality or hidden paths.
- Wayback Machine: Manually review historical versions of sites for sensitive information.
- Automated Discovery:
- Burp Suite Scans: Leverage custom templates and extensions (Active Scan++, Burp Bounty) for thorough scanning (Search for endpoints).
- WaybackRobots.py & WaybackURLS.py: Automate the retrieval of historical
robots.txt
files and associated URLs.
- Focus Areas:
- Explore the scope, Find Hidden Folders/files, legacy code, comments...
3. JavaScript & API Analysis
Goal: Extract valuable information from JavaScript files and API endpoints.
- Tasks:
- JavaScript File Analysis:
- Extract hidden endpoints, paths, and references from JS files.
- Subdomainizer for additional JS file scanning.
- API Documentation Review:
- Identify potential security issues in API documentation.
- Utilize Gdorklinks.sh to search for exposed API documentation and search for GitHub repositories (Github Dorking).
- JavaScript File Analysis:
4. Content Discovery & FUZZing
Goal: Identify hidden directories, files, and endpoints within the target domain.
- Tools & Techniques:
- Content Discovery:
- Gobuster or FUFF: Brute-force directory and file discovery.
- Burp Suite Content Discovery & File Extension Tools: Locate important files and directories.
- Endpoint FUZZing:
- Param Miner (Burp): Identify hidden parameters and fuzz for GET/POST parameters.
- Custom FUZZing: Explore combinations of parameters (e.g.,
/something/?GET=SECOND-PARAM=ELEMENTID
).
- Focus Areas:
- Uncovering hidden endpoints, parameters, and directories.
- Identifying unlinked parameters like GET, POST, Cookies, and Headers.
- Content Discovery:
5. Documentation Review & Historical Analysis
Goal: Leverage publicly available documentation and historical data to uncover vulnerabilities.
- Tasks:
- Documentation Review:
- Search for GitHub repositories, API documentation, and other technical docs.
- Historical Analysis:
- Use Wayback Machine and WaybackRobots.py to identify historical data that could reveal sensitive information or vulnerabilities.
- Documentation Review:
6. Comprehensive Scanning & Testing
Goal: Perform in-depth scans and manual testing on all collected endpoints.
- Tools & Techniques:
- Burp Suite:
- Run authenticated scans across all endpoints.
- Perform passive and active scans, manual testing, as well as specialized scans (CORS, HTTP Smuggling, DOM XSS, CRLF, Double header injection, Parameter pollution, Web cache issue, ...).
- Review alerts made by scanning tools (extension, logger++, template, burp bounty, default)
- Nuclei:
- Run template-based scans on all URLs to identify vulnerabilities.
- Burp Suite:
Security Risks to investigate in web application
Type Security Risks
In some cases, it can be more efficient to focus on understanding a specific security issue and how it might apply to your target rather than approaching the task in a linear fashion, such as fuzzing or testing each endpoint individually. By analyzing the unique characteristics and architecture of the target, you might uncover vulnerabilities that are more context-specific or deeply embedded, which could be missed through a broad, automated approach.
- Authentication Testing
- Weak or default credentials
- Brute-force attacks
- Credential stuffing
- Authentication bypass techniques
- Multi-factor authentication (MFA) bypass
- Email Atom
- Race Condition
- Authorization Testing
- Privilege escalation (vertical and horizontal)
- Insecure direct object references (IDOR)
- Role-based access control (RBAC) bypass
- Insecure access control lists (ACLs)
- Email Atom
- Race Condition
- Data Validation and Sanitization
- SQL injection
- Cross-site scripting (XSS)
- DOM XSS (https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling (opens in a new tab))
- Command injection
- File inclusion vulnerabilities
- LDAP injection
- Request Smuggling
- Error Handling and Information Leakage
- Error-based SQL injection
- Stack trace disclosure
- Detailed error messages
- Source code disclosure
- Server configuration information leakage
- Functionality Testing
- Race Condition
- ...
- API Testing
- Insecure API endpoints
- Accept other type of format (Json --> XML, ...)
- Lack of authentication or authorization
- Improper input validation
- Rate limiting bypass
- API key exposure
- Session Management
- Session fixation
- Session hijacking
- Session timeout issues
- Insufficient session ID entropy
- Cross-site request forgery (CSRF)
- Security Headers
- Content Security Policy (CSP)
- Client-Side Security
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Insecure deserialization
- Client-side injection attacks
- JavaScript library vulnerabilities
- Client-Side Security
- HTTP Strict Transport Security (HSTS)
- Cross-Origin Resource Sharing (CORS)
- X-Content-Type-Options
- X-XSS-Protection
- X-Frame-Options (Click Jacking)
- Content Security Policy (CSP)
- Mobile Application Testing
- Insecure data storage
- Insecure communication channels
- Improper session management
- Root detection and jailbreak detection bypass
- Runtime manipulation vulnerabilities
In-depth understanding of concepts
Fuzzing
The goal of fuzzing is to identify and address software bugs by bombarding it with unexpected or random inputs to uncover vulnerabilities and weaknesses, and it also includes manual testing to complement automated input generation.
-
Fuzzing Endpoint
Objective: Explore various endpoints to identify potential vulnerabilities by injecting specific payloads.
- Techniques:
- NULLBYTE Insertion: Test by inserting null bytes before, in the middle, and after inputs. This can reveal improper handling of null characters, leading to bypasses or crashes.
- Single Character Injection: Inject a single character (e.g.,
/
,\
,#
) in different positions to test for unintended behavior, especially in URL parsing. - Path Traversal: Test for directory traversal vulnerabilities by manipulating file paths. This could allow access to sensitive files outside the web root.
- Collaborator Insertion: Inject Collaborator payloads to detect interactions with external services, helping to uncover SSRF or blind XSS vulnerabilities.
- Common Vulnerabilities: Check for typical vulnerabilities like XSS, SSRF, SQL injection, and command injection. Always consider the context of the application when crafting payloads.
- JSON Injection: Manipulate JSON inputs to uncover potential flaws, such as insecure deserialization or injection attacks.
- Tools:
- Burp Suite Repeater: Used for manual testing and sending crafted requests to endpoints.
- Additional Considerations:
- Rate Limiting Bypass: Combine fuzzing with techniques to bypass rate limiting, such as rotating IPs or manipulating headers.
- Authentication Bypass: Test endpoints for weaknesses that could allow bypassing authentication, especially when different endpoints handle authentication differently.
- Techniques:
-
Fuzzing Parameters
Objective: Identify vulnerabilities in request parameters by manipulating and testing different formats.
- Parameter Exploration:
- GET Parameters: Test all GET request parameters for weaknesses, including reflected XSS and open redirects.
- POST Parameters: Manipulate POST parameters to explore vulnerabilities like SQL injection or insecure direct object references (IDOR).
- Testing Techniques:
- Format Changes: Convert parameters between formats (e.g., normal POST to XML, JSON to XML) and observe behavior. Pay attention to how different formats are parsed and processed.
- Example: Convert
?id=%26entity;
to other formats.
- Example: Convert
- Error Triggering: Use hexadecimal, ASCII, or other encoded inputs to trigger errors, revealing underlying application logic. Consider using fuzzing libraries like Radamsa for generating diverse inputs.
- Parameter Insertion: Introduce new parameters found on other pages into current requests to test for overlooked vulnerabilities. Cross-test parameters between different features of the application.
- Parameter Pollution: Submit the same parameter multiple times with different values to check for improper handling. This can lead to unexpected behavior or security issues like cache poisoning.
- Format Changes: Convert parameters between formats (e.g., normal POST to XML, JSON to XML) and observe behavior. Pay attention to how different formats are parsed and processed.
- Additional Considerations:
- Content-Type Manipulation: Change the Content-Type header to unexpected values (e.g.,
application/xml
instead ofapplication/json
) to see how the application handles different data types. - Uncommon Methods: Test parameters with uncommon HTTP methods (e.g., PUT, DELETE) to explore less tested parts of the application.
- Content-Type Manipulation: Change the Content-Type header to unexpected values (e.g.,
- Parameter Exploration:
-
Fuzzing Headers
Objective: Test HTTP headers to identify security issues related to input handling and request manipulation.
- Techniques:
- Header Exploration: Use Burp Suite's Param Miner to fuzz POST request headers. This helps uncover hidden parameters or headers that the application may rely on.
- IP Header Manipulation: Test headers like
X-Forwarded-For
,X-Originating-IP
,X-Remote-IP
, andX-Remote-Addr
for bypassing IP-based rate limits or other protections. This is particularly useful in bypassing WAFs or access controls. - Special Characters Injection: Inject various special characters (
! " # $ % & ' ( ) * + ...
) into headers to test for improper handling. This can expose vulnerabilities like CRLF injection or header injection. - Path Manipulation: Use techniques like
GET @path-123/
orexample.com@path-123
to explore potential issues with HTTP 1.1. This can be useful in testing for SSRF or open redirect vulnerabilities.
- Additional Considerations:
- Cache Poisoning: Use header manipulation to explore cache poisoning attacks, which can alter cached content and affect other users.
- CORS Exploitation: Test for misconfigured CORS policies by manipulating headers like
Origin
andReferer
.
- Techniques:
-
Fuzzing Cookies
Objective: Test cookie handling mechanisms for injection vulnerabilities.
-
Looking For:
- 500 Errors: Errors indicating server-side issues, which can reveal valuable debugging information or potential weaknesses. These errors often indicate improper input handling or backend issues.
- Cookie Manipulation: Inject various payloads into cookies to test for improper handling and potential injection vulnerabilities. Focus on testing for issues like XSS, session fixation, or SQL injection within cookies.
- Cookie Attributes: Examine the security attributes of cookies (e.g.,
HttpOnly
,Secure
,SameSite
) and test for weaknesses in their enforcement.
-
Additional Considerations:
- Session Hijacking: Test for vulnerabilities that could allow session hijacking, such as predictable session tokens or insufficiently protected cookies.
- Cross-Site Request Forgery (CSRF): Check if cookies are being improperly handled in the context of CSRF attacks, especially in conjunction with weak anti-CSRF measures.
-