Web Hacking Hacker’s check list


1. Map Web Application

1.a Explore all visible content (e.g. all linked content)

By "all visible content" I mean every piece of content that is linked from within the targeted website, which is best collected with a web crawler. A web crawler (also known as a web spider, web robot, or, especially in the FOAF community, web scutter [1]) is a program or automated script which browses the World Wide Web in a methodical, automated manner.

Suggested programs:

a. Burp Spider: Burp Spider enables you to obtain a detailed understanding of how a web
application works, avoiding the time-consuming and unreliable task of manually following links, submitting forms and scouring HTML source code.

URL: http://portswigger.net/spider/

b. WebScarab Spider: WebScarab is a Web Application Review tool. It sprang from the designs of the people inhabiting the WebAppSec list run from SourceForge, for a powerful, free, open tool for reviewing web applications for security vulnerabilities.

URL: http://dawes.za.net/rogan/webscarab/

1.b Explore all non-visible content

By "non-linked content" I mean all default, dynamic and otherwise unlinked content. How? Simply log in with the most privileged account available and then run a crawler, and of course use the Wikto back-end miner and other search engines.

Suggested programs/methods:

a. Wikto back-end: The Back-End miner section in Wikto is used to find interesting files and directories on a web server. It uses the default database from Nikto, which is kept updated.

URL: http://www.sensepost.com/research/wikto/

b. Google: The search operators filetype, inurl, site and other relevant keywords can be used to extract cached and non-cached information about the targeted website.

2. Identify functionality and technologies used

2.a Identify core functionality:

a. Login functions (e.g. Are concurrent logins allowed? Is there a lockout mechanism?).

b. Logout functions (e.g. Is proper session termination done?).

c. User registration mechanism.

d. Password recovery mechanism (e.g. does it allow user enumeration?).

e. Major Web Application functionality.

2.b Identify platforms

Platform used:

a. Programming language used.

b. Web Application platform used.

c. Web Server used.

Programs suggested:

httprint: httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, even when they have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or ServerMask.

URL: http://www.net-square.com/httprint/

3. Define Web Application Attack Surface

Associate core functionality and web application content with known vulnerabilities, e.g. file uploading
with path traversal.

4. Test Client Side Functionality

4.a Make sure that no security mechanisms are implemented on the client side (e.g. client-side cookie manipulation, client-side session management, client-side input validation).

4.b Test data transmission (e.g. make sure the Secure and HttpOnly cookie flags are set).

4.c Verify that no critical variables are passed through hidden fields, if any are used, and make sure the application is not vulnerable to repudiation attacks (e.g. replaying an old client request to bypass access control mechanisms).

4.d Verify that no comments exist in the content returned to the client that reveal the internals of the web application (e.g. JavaScript and HTML comments).

4.e Test thick-client components (e.g. decompile Java applets returned from the web application).

Programs suggested:

Firebug: Integrates with Firefox to put a wealth of development tools at your fingertips while you
browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

URL: https://addons.mozilla.org/en-US/firefox/addon/1843
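A small audit of the cookie flags that item 4.b asks for (the same flags recur in 5.f), written as an added example and not taken from the original post. It parses Set-Cookie headers the way a crawler or proxy would record them; the sample headers are constructed.

```python
# Added example (not from the original post): audit Set-Cookie headers for
# the Secure and HttpOnly flags. The response headers below are constructed,
# not captured from any real site.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True   # flag attribute such as Secure / HttpOnly
    return name, attrs


def audit_cookie(header_value):
    """Return a list of findings for a single Set-Cookie header (empty = OK)."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie is sent over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script, e.g. via XSS)")
    return findings


def audit_response(headers):
    """headers: list of (field-name, value) pairs; audits every Set-Cookie."""
    findings = []
    for field, value in headers:
        if field.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


# Constructed sample response headers, as a crawler or proxy would record them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=8f3a1c; Path=/"),                            # both flags missing
    ("Set-Cookie", "pref=dark; Path=/; Secure"),                           # HttpOnly missing
    ("Set-Cookie", "auth=9d2e; Path=/; Secure; HttpOnly; SameSite=Strict"),  # OK
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```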

5. Test Authentication Mechanisms

5.a Go through the whole authentication mechanism (e.g. locate the login mechanism, password recovery mechanism, registration process, etc.).

5.b Test password and username security policies (e.g. validate and try to bypass the default password complexity rules, then make sure that each username is unique and is associated with only one password).

5.c Test the lockout mechanism (e.g. Does the web application have a lockout mechanism, and how effective is it?)

5.d Run a brute force attack and a dictionary attack against the web application, then log the errors returned from the web application and make sure there is no information disclosure issue.

5.e Try to perform user enumeration using the responses from the server (e.g. try logging in with many different valid usernames and an invalid password, and analyse the error messages).

5.f Test auto-generated credentials for predictability (e.g. if usernames and passwords are generated by the web application, generate a large number of usernames and passwords to see how predictable they are).

5.g Test for unsafe credential transmission (e.g. there is no SSL enforcement, the Secure and HttpOnly flags are not set, and hidden fields are used to pass user credentials or critical variables). Verify that no user credentials are passed in the cookie (e.g. XSS attacks), in the Referer header (e.g. session fixation attacks) when third-party links are allowed inside the web application, or in the URL query string (e.g. web server logs and internet browsers will save user credentials in the history).
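The user-enumeration item above comes down to one question: does the login response differ between "unknown username" and "wrong password"? The added example below (not code from the original post) shows a leaky handler next to a uniform one and a check that compares their responses; the user table and passwords are constructed.

```python
# Added example (not from the original post): a login handler in the leaky
# and the hardened shape, plus the response-comparison check a tester runs.
# Users, passwords and the iteration count are constructed for the demo.
import hashlib
import hmac
import os

ITERATIONS = 10_000  # deliberately low for the demo; use far more in production


def make_record(password):
    """Salted PBKDF2 record for the constructed user table."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": make_record("correct horse"), "bob": make_record("battery staple")}
# Dummy record so an unknown username still costs one hash computation
# (keeps the timing of the two failure paths alike).
_DUMMY_SALT, _DUMMY_DIGEST = make_record("unused")


def verify(salt, digest, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def login_verbose(username, password):
    """Leaky: the message tells the caller whether the username exists."""
    if username not in USERS:
        return 401, "Unknown username"
    salt, digest = USERS[username]
    if not verify(salt, digest, password):
        return 401, "Incorrect password"
    return 200, "Welcome"


def login_uniform(username, password):
    """Hardened: same status, same message and same hash work on both failure paths."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    if not (verify(salt, digest, password) and username in USERS):
        return 401, "Invalid username or password"
    return 200, "Welcome"


def responses_distinguish_users(login):
    """The enumeration check: a valid and an invalid username, both with a wrong password."""
    return login("alice", "wrong") != login("nobody", "wrong")
```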

6. Test Session Management Mechanism

6.a Understand what a session is composed of (e.g. variables in hidden fields, cookies, URL identifiers, etc.).

6.b Understand the meaning of the session and try to reproduce valid sessions using various user credentials.

6.c Test session generation and session termination.

6.d Test for session fixation (e.g. try to produce valid sessions; try to replay a request using an old session; or take a session issued by the targeted web application before a successful login and, after the user has logged in, replay a request with it to try to retrieve authenticated pages).

6.e Try to perform CSRF.

Programs suggested:

Stompy: Stompy is a free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms. Session IDs are commonly used to track authenticated users, and as such, whenever they’re predictable or simply vulnerable to brute-force attacks, we do have a problem.

URL: http://www.securiteam.com/tools/5VP0O2AKAG.html
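The kind of black-box check Stompy automates, as an added example that is not part of the original post: two constructed generators stand in for a weak and a strong session ID scheme, and analyse_ids() flags character positions that never change and IDs that simply count upwards.

```python
# Added example (not from the original post): a small predictability check
# over a sample of session IDs. Both generators are constructed for the demo.
import math
import os
from collections import Counter


def weak_generator(n):
    """Constructed weak scheme: constant prefix followed by an incrementing counter."""
    return [f"deadbeef{counter:08x}" for counter in range(1000, 1000 + n)]


def strong_generator(n):
    """64 random bits from the OS CSPRNG, hex encoded."""
    return [os.urandom(8).hex() for _ in range(n)]


def position_entropy(ids):
    """Shannon entropy (bits) of the symbol seen at each character position."""
    entropies = []
    for pos in range(len(ids[0])):
        counts = Counter(sid[pos] for sid in ids)
        total = sum(counts.values())
        entropies.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return entropies


def is_sequential(ids, max_step=1 << 20):
    """True if every ID, read as a hex integer, exceeds the previous one by a small step."""
    values = [int(sid, 16) for sid in ids]
    return all(0 < b - a <= max_step for a, b in zip(values, values[1:]))


def analyse_ids(ids):
    """Summarise the sample: positions below 1 bit of entropy and sequential behaviour."""
    fixed = [i for i, e in enumerate(position_entropy(ids)) if e < 1.0]
    sequential = is_sequential(ids)
    return {"fixed_positions": fixed, "sequential": sequential,
            "predictable": bool(fixed) or sequential}


if __name__ == "__main__":
    print("weak  :", analyse_ids(weak_generator(32)))
    print("strong:", analyse_ids(strong_generator(32)))
```

With only 32 samples the entropy estimate is rough; the check is a screening step, and a real assessment collects far more IDs over time.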

7. Test Access Control

Look for broken access controls (e.g. accessing resources that require higher user account privileges simply by guessing URL IDs).

8. Test Input Based Vulnerabilities

Test for:

a. SQL injections

b. XSS attacks

c. XSRF attacks

d. Path traversal attacks

e. Perform fuzzing

9. Test for Web Server Vulnerabilities

Check for HTTP header injection, server banner advertisement, enabled HTTP methods and supported protocols that run over HTTP (e.g. WebDAV). Also check web server default content and configuration.

Nikto: An Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version-specific problems on over 250 servers.

URL: http://www.cirt.net/nikto2

Reference [1]:
http://en.wikipedia.org/wiki/Web_crawler
