Web Application Pentesting.pdf (13667 KB)
[WEB APPLICATION PENETRATION TESTING]
March 1, 2018
Contents
Information Gathering ..... 4
1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage ..... 4
2. Fingerprint Web Server ..... 5
3. Review Webserver Metafiles for Information Leakage ..... 7
4. Enumerate Applications on Webserver ..... 8
5. Review Webpage Comments and Metadata for Information Leakage ..... 11
6. Identify Application Entry Points ..... 11
7. Map execution paths through application ..... 13
8. Fingerprint Web Application & Web Application Framework ..... 14
Configuration and Deployment Management Testing ..... 18
1. Test Network/Infrastructure Configuration ..... 18
2. Test Application Platform Configuration ..... 23
3. Test File Extensions Handling for Sensitive Information ..... 29
4. Review Old, Backup and Unreferenced Files for Sensitive Information ..... 32
5. Enumerate Infrastructure and Application Admin Interfaces ..... 34
6. Test HTTP Methods ..... 39
7. Test HTTP Strict Transport Security ..... 41
8. Test RIA cross domain policy ..... 43
Identity Management Testing ..... 45
1. Test Role Definition ..... 45
2. Test User Registration Process ..... 47
3. Test Account Provisioning Process ..... 49
4. Testing for Account Enumeration and Guessable User Account ..... 51
Authentication Testing ..... 56
1. Testing for Credentials Transported over an Encrypted Channel ..... 56
2. Testing for default credentials ..... 59
3. Testing for Weak lock out mechanism ..... 62
4. Testing for bypassing authentication schema ..... 68
5. Test remember password functionality ..... 73
6. Testing for Browser cache weakness ..... 75
7. Testing for Weak password policy ..... 80
8. Testing for weak security Question/Answer ..... 85
9. Testing for weak password change or reset function ..... 86
Authorization Testing ..... 86
1. Testing Directory traversal / file include ..... 86
2. Testing for Privilege Escalation ..... 87
3. Testing for Insecure Direct Object References ..... 90
Session Management Testing ..... 94
1. Testing for Bypassing Session Management Schema ..... 94
2. Testing for Cookies attributes ..... 96
3. Testing for Session Fixation ..... 98
4. Testing for Exposed Session Variables ..... 100
5. Testing for Cross Site Request Forgery (CSRF) ..... 101
6. Testing for logout functionality ..... 104
7. Test Session Timeout ..... 106
Input Validation Testing ..... 108
1. Testing for Reflected Cross Site Scripting ..... 108
2. Testing for Stored Cross Site Scripting ..... 113
3. Testing for HTTP Verb Tampering ..... 117
4. Testing for HTTP Parameter pollution ..... 117
5. Testing for SQL Injection ..... 121
6. Testing for LDAP Injection ..... 134
7. Testing for XML Injection ..... 136
8. Testing for XPath Injection ..... 139
9. Testing for Code Injection ..... 140
10. Testing for Command Injection ..... 142
Testing for Error Handling ..... 143
1. Analysis of Error Codes ..... 143
2. Analysis of Stack Traces ..... 146
Testing for weak Cryptography ..... 147
1. SSL/TLS Testing ..... 147
2. Testing for Padding Oracle ..... 153
Business Logic Testing ..... 157
1. Test Business Logic Data Validation ..... 157
2. Test Ability to Forge Requests ..... 159
3. Test Integrity Checks ..... 159
4. Test for Process Timing ..... 162
5. Test Defense Against Application Misuse ..... 162
6. Test Upload of Unexpected File Types ..... 162
7. Test Upload of Malicious Files ..... 170
Client Side Testing ..... 172
1. Testing for Client Side URL Redirect ..... 172
2. Testing for Clickjacking ..... 175
3. Test Cross Origin Resource Sharing ..... 177
4. Testing for Spoofable Client IP address ..... 177
Information Gathering
1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage
Google hacking technique
Evidence:
With: testphp.vulnweb.com
I tried a Google hack with the search-field parameter "site:testphp.vulnweb.com".
After this, I got the basic crawling result below:
I used some further queries to discover more interesting information:
References:
http://www.mrjoeyjohnson.com/Google.Hacking.Filters.pdf
2. Fingerprint Web Server
Web server fingerprinting is a critical task for the penetration tester. Knowing the type and version of the
running web server allows testers to look up known vulnerabilities and choose the appropriate exploits to use
during testing.
Black box test:
The simplest and most basic way to identify a web server is to look at the Server field in the HTTP response
header, for example with netcat.
Example:
nc google.com 80
GET / HTTP/1.1
Host: google.com
(press Enter twice: the empty line terminates the request headers, and the server answers with its status
line and response headers, including the Server field)
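The netcat session above reads the banner by hand. As an added example (not from the original document), the Python script below performs the same raw exchange programmatically, parses the response headers, and adds the check a hardening review wants: which headers disclose a software version. The sample response is constructed, not captured from any real host; fetch_banner is the only function that touches the network and is not needed for the sample.

```python
import re
import socket

# Constructed sample response (not captured from any real server); it stands in
# for what the netcat session on the page would print back.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 01 Mar 2018 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Headers whose value commonly names the server software; a version string in
# any of them is what a hardening review looks for.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")


def build_request(host: str, path: str = "/") -> bytes:
    """Raw request equivalent to what is typed into netcat on the page
    (GET line, Host header, blank line), plus Connection: close so the
    server ends the exchange instead of waiting for further requests."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")


def parse_response_head(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers dict).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines without a colon
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def fingerprint(raw: bytes) -> dict:
    """Return the fields a tester reads off the banner: status line, Server
    header and any X-Powered-By value (None when the header is absent)."""
    status_line, headers = parse_response_head(raw)
    return {
        "status": status_line,
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
    }


def version_disclosures(raw: bytes) -> list:
    """Defensive check: (header, value) pairs whose value contains a version
    number, i.e. banners a hardening review would want trimmed (for Apache,
    the ServerTokens Prod directive reduces the banner to the product name)."""
    _status, headers = parse_response_head(raw)
    return [
        (name, headers[name])
        for name in DISCLOSURE_HEADERS
        if name in headers and VERSION_RE.search(headers[name])
    ]


def fetch_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Live equivalent of the netcat session: send the raw request and read
    until the end of the headers (or until the server closes the connection)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    print(version_disclosures(SAMPLE_RESPONSE))
```

On the constructed sample, fingerprint reports the Server and X-Powered-By values and version_disclosures flags both of them; a response carrying only "Server: Apache" yields an empty list, which is the state a hardened deployment should show.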