'INSANE' Web Security MindMap

Web App Fingerprint

 Default banner

  nc testinsane.com 80 then type HEAD / HTTP/1.1, a Host: testinsane.com line and an empty line; repeat with GET / HTTP/1.1 and read the Server / X-Powered-By headers

 /robots.txt

 Check for admin interface

  Find using CMS identification

  Fuzzing

 Check for TRACE/TRACK method

 Server fingerprint

  http://w3techs.com/sites/info/testinsane.com

 Autocomplete enabled or not?

 Which client-side language is used?

  netcraft

 Is the DEBUG method allowed on IIS (ASP.NET debugging left enabled)?

 Info leak via stored cache

 Source code check (HTML comments, hidden fields, script includes)

Application Entry Points

 Login

 Search box

 Comment Section

 Feedback Section

 Contact us section

 GET requests & POST requests

 Cookies

 Find hidden POST parameters and their usage

 File upload

 Import features (contacts etc.)

Session Management

 Cookie

  Sensitive info stored in the cookie

  Cookie without HttpOnly flag

  Cookie without Secure flag

  Path attribute not set on the session cookie

  Apache HttpOnly cookie disclosure (Apache-specific; an oversized request header triggers a 400 error page that echoes the cookie)

 Session

  Session prediction

  Session randomness

  Is the session expiration mechanism adequate?

  Check if the Session ID is reissued for user critical actions

  Check the session cookie before and after login

   Same value - vulnerable (session fixation)

   Different value - not vulnerable

  Session Hijacking

  Session token in URL?

 Log out functionality

  Does the session actually expire server-side?

  Session replay (reuse the old cookie after logout)

  After the logout test, check the browser cache/temp folder for stored sensitive info

 Strict-Transport-Security (HSTS) header check
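
Added example, not part of the original mind map: a Node.js audit of the Session Management checks above (HttpOnly, Secure and Path on every cookie, sensitive data in cookies, session ID reissued at login, Strict-Transport-Security present). The two response header sets are constructed samples; the session cookie name and the list of sensitive words are assumptions.

```javascript
// Added example (not from the mind map): audit Set-Cookie and HSTS headers from
// two captured responses, one before and one after login. Plain Node.js.
"use strict";

// Constructed sample: response to an anonymous visitor.
const PRE_LOGIN_HEADERS = [
  "HTTP/1.1 200 OK",
  "Set-Cookie: JSESSIONID=abc123; Path=/",
  "Content-Type: text/html",
];

// Constructed sample: response to a successful POST /login. The session ID is
// unchanged, Secure/HttpOnly are missing and a role rides in a second cookie.
const POST_LOGIN_HEADERS = [
  "HTTP/1.1 302 Found",
  "Set-Cookie: JSESSIONID=abc123; Path=/",
  "Set-Cookie: role=admin; Path=/",
  "Location: /account",
];

// Parse one Set-Cookie header into {name, value, attrs}; attribute names lowercased.
function parseSetCookie(line) {
  const body = line.replace(/^set-cookie:\s*/i, "");
  const [nameValue, ...rest] = body.split(";").map(s => s.trim());
  const eq = nameValue.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs };
}

function cookiesOf(headers) {
  return headers.filter(h => /^set-cookie:/i.test(h)).map(parseSetCookie);
}

// Assumption: words that should never appear in clear text as a cookie name or value.
const SENSITIVE = /^(role|admin|user(name)?|email|password|isadmin)$/i;

// Returns a list of finding strings; an empty list means these checks found nothing.
function auditSession(preHeaders, postHeaders, sessionCookieName) {
  const findings = [];
  const post = cookiesOf(postHeaders);
  for (const c of post) {
    if (!("httponly" in c.attrs)) findings.push(`${c.name}: missing HttpOnly`);
    if (!("secure" in c.attrs)) findings.push(`${c.name}: missing Secure`);
    if (!("path" in c.attrs)) findings.push(`${c.name}: Path not set`);
    if (SENSITIVE.test(c.name) || SENSITIVE.test(c.value)) {
      findings.push(`${c.name}: sensitive info in cookie (${c.value})`);
    }
  }
  // Session fixation: the same session ID before and after authentication.
  const before = cookiesOf(preHeaders).find(c => c.name === sessionCookieName);
  const after = post.find(c => c.name === sessionCookieName);
  if (before && after && before.value === after.value) {
    findings.push(`${sessionCookieName}: not reissued at login (session fixation)`);
  }
  if (!postHeaders.some(h => /^strict-transport-security:/i.test(h))) {
    findings.push("Strict-Transport-Security header absent");
  }
  return findings;
}
```

Run `auditSession(PRE_LOGIN_HEADERS, POST_LOGIN_HEADERS, "JSESSIONID")` and every item in the Cookie and Session branches above shows up as a finding; a response that reissues the ID with `Secure; HttpOnly` and an HSTS header comes back clean.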

Registration

 Automation allowed?

 File Upload

  Upload a 500 MB file and measure the impact (missing size limit)

  Upload filter bypass via double extension (test.txt.jpg)

  Upload test.aspx;.jpg / test.php;.jpg

  Mix upper and lower case in the extension (test.PhP) to bypass case-sensitive blacklists

 Captcha Bypass

 Weak Password Policy

 Autocomplete enabled check

 Stored XSS

 Insufficient email verification process

 Bypass client-side validation (if any)

 Check for information leak in browser history

 User credentials are stored in browser memory in clear text

 No SSL/TLS

  Confirm with Wireshark

   Use a display filter

    ip.addr == <server IP> (add a contains match on the credential field name to narrow the stream)

     Then follow the TCP stream, locate the username and password in clear text and take a screenshot as evidence

Authentication Testing

 Username enumeration

 Bypass Authentication using SQL Injection

 Are credentials transmitted over SSL/TLS or not?

 Account lockout

 Check for OAuth functionality

 User credentials are stored in browser memory in clear text

 Back Refresh Attack (Refer OWASP)

Error Codes

 Trigger 404, 301 etc. pages by requesting /test.php, /test.aspx etc.

 Use input data: *&^%$#@!

 Send a wrong cookie value to generate an error

 Change the value of a hidden parameter to generate an error

 Append "[]" to every parameter name (param[]=value turns a string into an array in PHP and often triggers type errors)

 Change GET requests to POST and POST to GET to generate errors

 Bypassing web application firewalls to generate errors

  JavaScript obfuscation

   ([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](­~Á)

  Non-alphanumeric JavaScript (payloads built only from symbols, no letters or digits)

   Type-coercion primitives and the string each evaluates to

    {}+''        "[object Object]"   (as an expression, e.g. ({}+''))

    +[][+[]]     "NaN"               ([][0] is undefined, +undefined is NaN)

    [][+[]]+[]   "undefined"

    [![]]+[]     "false"

    [!![]]+[]    "true"
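
Added example, not part of the original mind map: how the five coercion primitives in the table above are turned into arbitrary strings, so that a payload contains no letter or digit for a keyword-matching WAF rule to catch. The primitives and their results are the page's; the encoder, its index encoding and the sample word are this example's.

```javascript
// Added example (not from the mind map): build strings from the five
// type-coercion primitives listed above using only symbol characters. Node.js.
"use strict";

// The page's primitives, the string each coerces to, and the form that is safe
// to index (NaN is a number, so it must itself be coerced with +[] first).
const PRIMITIVES = [
  { expr: "{}+''",      value: "[object Object]", asString: "({}+'')" },
  { expr: "+[][+[]]",   value: "NaN",             asString: "(+[][+[]]+[])" },
  { expr: "[][+[]]+[]", value: "undefined",       asString: "([][+[]]+[])" },
  { expr: "[![]]+[]",   value: "false",           asString: "([![]]+[])" },
  { expr: "[!![]]+[]",  value: "true",            asString: "([!![]]+[])" },
];

// Evaluate an expression string the way a browser would. Function() rather
// than eval() so the payload cannot see this module's variables.
function evaluate(expr) {
  return Function("return (" + expr + ")")();
}

// True when every primitive really yields the string listed in the table.
function primitivesHold() {
  return PRIMITIVES.every(p => evaluate(p.expr) + "" === p.value && evaluate(p.asString) === p.value);
}

// Small integer n as a symbol-only expression: 0 -> +[] , 1 -> +!![] , n -> (!![]+!![]+...).
function numExpr(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!![]";
  return "(" + Array(n).fill("!![]").join("+") + ")";
}

// Map each reachable character to "<string expr>[<index expr>]"; first hit wins.
function buildCharTable() {
  const table = {};
  for (const p of PRIMITIVES) {
    for (let i = 0; i < p.value.length; i++) {
      const ch = p.value[i];
      if (!(ch in table)) table[ch] = p.asString + "[" + numExpr(i) + "]";
    }
  }
  return table;
}
const CHAR_TABLE = buildCharTable();

// Encode a string as a "+"-joined chain of indexed primitives. Only characters
// that occur in the five result strings are reachable; anything else throws.
function encodeNonAlnum(s) {
  return [...s].map(ch => {
    if (!(ch in CHAR_TABLE)) throw new Error("no primitive yields " + JSON.stringify(ch));
    return CHAR_TABLE[ch];
  }).join("+");
}

// Does the encoded payload contain any letter or digit a keyword filter could match?
function hasAlnum(expr) {
  return /[A-Za-z0-9]/.test(expr);
}
```

`encodeNonAlnum("alert")` evaluates back to the word `alert` while matching no alphanumeric character, which is why a WAF signature on the literal keyword never fires. The usual next step in real payloads is to reach a function constructor through `[]["filter"]["constructor"]`, whose letters are all present in the five result strings; the twenty or so characters those strings contain are the whole alphabet this trick provides without further tricks such as `escape`/`unescape`.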

My Account

 Check for CSRF

 Check for CSRF token bypass

 Tamper the user id to change another user's account information

 Impersonate other user's account

 Check account deletion functionality

Forgot Password

 Username enumeration

 Reset token expiration time

 Check whether the password change happens over SSL or not

 Weak password policy testing

 Predict the reset token

 Check brute-forcing of the security answer

 All active sessions should be destroyed when the user changes their password

Search

 Blow your scanner here :D

Product purchase

 Change the product id to buy a higher-priced product at a lower price

 Change the value of a gift voucher to receive several vouchers instead of 1

 Add a product to another user's cart

 Delete a product from another user's cart

  Test cases

   Tamper the cartid parameter to delete another user's product

 Place an order on behalf of another user

 Give negative values in price to add money to your account while buying the product

 Test the payment card gateway

Flight, Railway, Hotel etc. Bookings

 Check another user's e-ticket

 Get a refund on behalf of another user

 Get a larger refund by changing the refund amount parameter

 Book a business/first class ticket by changing the parameter value of the economy class variable

 Book a deluxe room by changing the parameter value of the normal room fare

 Book multiple seats/rooms by changing the quantity parameter while paying for 1 seat/room

 Multiple test cases based on application functionality

  List the application's functions and test each of them
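
Added example, not part of the original mind map: the server-side pattern behind the parameter-tampering items in the Product purchase and Bookings branches above (negative price, class upgrade at economy price, another user's cart, quantity tampering). A checkout that trusts request parameters is shown beside one that re-derives everything from server state. The catalog, carts, session user and parameter names are constructed assumptions.

```javascript
// Added example (not from the mind map): vulnerable vs hardened checkout. Node.js.
"use strict";

// Constructed server-side state.
const CATALOG = {
  101: { name: "Economy seat",  price: 100 },
  102: { name: "Business seat", price: 900 },
};
const CARTS = {
  cart1: { owner: "alice" },
  cart2: { owner: "bob" },
};

// Vulnerable: price, quantity and cart id come from the request and are used as-is,
// so negative prices credit the account and any cart id is accepted.
function vulnerableCheckout(req) {
  const total = Number(req.price) * Number(req.quantity);
  return { ok: true, cartId: req.cartId, productId: req.productId, total };
}

// Hardened: the price comes from the catalog, the quantity is validated and
// the cart must belong to the authenticated user. req.price is ignored.
function checkout(req, sessionUser) {
  const cart = CARTS[req.cartId];
  if (!cart || cart.owner !== sessionUser) return { ok: false, reason: "cart does not belong to user" };
  const product = CATALOG[req.productId];
  if (!product) return { ok: false, reason: "unknown product" };
  const qty = Number(req.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) return { ok: false, reason: "invalid quantity" };
  return { ok: true, cartId: req.cartId, productId: req.productId, total: product.price * qty };
}

// Constructed tampered requests, one per checklist item, all sent from alice's session.
const TAMPERED = {
  negativePrice: { cartId: "cart1", productId: 101, price: -100, quantity: 1 },
  upgradeClass:  { cartId: "cart1", productId: 102, price: 100,  quantity: 1 },  // business seat, economy price
  otherCart:     { cartId: "cart2", productId: 101, price: 100,  quantity: 1 },  // bob's cart
  negativeQty:   { cartId: "cart1", productId: 101, price: 100,  quantity: -5 },
};

// Run every tampered request through both handlers for side-by-side comparison.
function compareHandlers(sessionUser = "alice") {
  const out = {};
  for (const [name, req] of Object.entries(TAMPERED)) {
    out[name] = { vulnerable: vulnerableCheckout(req), hardened: checkout(req, sessionUser) };
  }
  return out;
}
```

The refund items above are the same bug with the sign flipped: the refund amount must come from the stored order, never from the request. The quantity cap of 10 is a sanity limit; the real fix is that the total is derived from the server-side price times the validated quantity.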

Input Data Validation

 XSS

  Reflected

  Stored XSS

  Cross site flashing

 SQL Injection

  Blind

  Boolean-based

  Error-based

 LDAP Injection

 XML Injection

 Remote Code Injection

 XPATH Injection

 OS Command Injection

 XQuery Injection

 SSI Injection

 Code Injection

 Open Redirection

  Find parameters named red, redirect, origin and the like, change their value to www.testinsane.com and check the response for a redirect to it

 Arbitrary File Download Vulnerability

  ../../../etc/passwd

  ..//..//..//..//etc/passwd

  Use Kali's dotdotpwn.pl tool to generate further encodings and depths

 Host header attack

Misc

 Internal files leaked

 Internal IP disclosed

 Clickjacking vulnerability

 ASP.NET ViewState: encrypted and MAC-protected or not?

 Apache MultiViews attack (content negotiation reveals alternative versions of a file)

 Application does not display last login time and date

 Weak ETag disclosed (Apache ETags can include the file's inode number)

 Server-side validation is not in place

 Sensitive information gets stored in browser history

 Padding oracle attack (ASP.NET)

 Downloadable objects

  Check metadata inside documents and images for disclosed information (authors, internal paths, software versions)

 Comment

  Cross site scripting

  Comment on behalf of other users

 CAPTCHA Testing

  Identify parameters which are used to send CAPTCHA

  Captcha Replay attack

  Remove captcha parameter and send request to server

  Check whether the logic for generating CAPTCHAs lives in a .js file itself

  The CAPTCHA should not disclose an absolute path

  Remove the CAPTCHA element with Firebug and submit the form

   Accepted - no server-side validation - vulnerable

   Rejected - server-side validation - not vulnerable

  Try to solve it with a free OCR tool

  Submit a wrong CAPTCHA and inspect the response; if it carries a false flag, change it to true and forward the response

Automated Testing

 Netsparker

 Burp Scan

Contact Us / Complaining/Feedback

 Send a message as another user (applicable when authenticated)

 Captcha testing

 Captcha bypass

 Bruteforce