'INSANE' Web Security MindMap
Web App Fingerprint
Default banner
nc testinsane.com 80 HEAD / HTTP/1.1
nc testinsane.com 80 GET / HTTP/1.1
/robots.txt
Check for admin interface
Find using CMS identification
Fuzzing
Check for TRACE/TRACK method
Server fingerprint
http://w3techs.com/sites/info/testinsane.com
Auto Complete enabled or not?
Which client side language is used?
netcraft
DEBUG method allowed (IIS)
Info leak via stored cache
Source code check (html)
Application Entry Points
Login
Search box
Comment Section
Feedback Section
Contact us section
GET requests & POST requests
Cookies
Find out hidden post parameters and their usage
File upload
Import features (contacts etc.)
Session Management
Cookie
Sensitive info over cookie
Cookie HttpOnly flag set?
Cookie with no Secure flag
Path attribute not set in session cookie
Apache HttpOnly cookie disclosure (specific to Apache)
Session
Session prediction
Session randomness
Session expiration mechanism legitimate?
Check if the Session ID is reissued for user critical actions
Check session cookie before and after login
If static - vulnerable
If not - not vulnerable
Session Hijacking
Session token in URL?
Session Hijacking
Log out functionality
Does the session expire?
Session replay
After logout, check the temp folder for cached and sensitive info stored
Strict Transport Security (HSTS) checking
Registration
Automation allowed?
File Upload
Upload a 500 MB file and measure the impact
Upload restriction bypass via test.txt.jpg
Upload test.aspx;.jpg / test.php;.jpg
Change the extension's letter case (upper/lower) in order to bypass
Captcha Bypass
Weak Password Policy
Auto-Complete enabled check
Stored XSS
Insufficient email verification process
Bypass client side validation (if any)
Check for information leak in browser history
User credentials are stored in browser memory in clear text
No SSL
Test this in Wireshark
Use a filter containing
ip.addr == <IP address of server>
Then follow the TCP stream, find the username and password, and take a screenshot
Authentication Testing
Username enumeration
Bypass Authentication using SQL Injection
Credentials transmission over SSL or not?
Account lockout
Check for OAuth functionality
User credentials are stored in browser memory in clear text
Back Refresh Attack (refer to OWASP)
Error Codes
Test 404, 301, etc. pages via /test.php, /test.aspx, etc.
Use input data: *&^%$#@!
Send a wrong cookie value to generate an error
Change the value of a hidden parameter to generate an error
Add "[]" to all parameters
Change GET requests to POST and POST to GET to generate errors
Bypass web application firewalls to generate errors
JavaScript Obfuscation
([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](~Á)
Alphanumeric Characters in JavaScript
JavaScript Object Error state
Expression -> Result
{}+'' -> "[object Object]"
+[][+[]] -> "NaN"
[][+[]]+[] -> "undefined"
[![]]+[] -> "false"
[!![]]+[] -> "true"
My Account
Check for CSRF
Check for CSRF token bypass
Tamper user id to change other user's account information
Impersonate other user's account
Check account deletion functionality
Forgot Password
Username enumeration
Reset token key expiration time
Check whether the password change is sent over SSL or not
Weak password policy testing
Predict reset token
Check bruteforcing for security answer
All active user sessions should be destroyed when the user changes their password
Search
Blow your scanner here :D
Product purchase
Change product id to purchase a higher-priced product at a lower cost
Change the value of a gift voucher to receive more gift vouchers instead of 1
Add product to other user's cart
Delete product from other user's cart
Test cases
Tamper with the cartid parameter to delete other users' products
Place an order on behalf of another user
Supply negative price values to add money to your account while buying a product
Payment card gateway testing
Flight / Railway / Hotel etc. Bookings
Check other user's e-ticket
Get a refund on behalf of another user
Get a larger refund by changing the refund amount
Book a business/high class ticket by changing the parameter value of the economy class variable
Book a deluxe room by changing the parameter value of the normal room fare
Book multiple seats/rooms by changing the quantity parameter value of a 1 seat/room booking
Multiple test cases based on application functionality
List application functionalities and test them
Input Data Validation
XSS
Reflected
Stored XSS
Cross site flashing
SQL Injection
Blind based
Boolean based
Error based
LDAP Injection
XML Injection
Remote Code Injection
XPATH Injection
OS Command Injection
XQuery Injection
SSI Injection
Code Injection
Open Redirection
Find parameters such as red, redirect, origin and change their value to www.testinsane.com. Check the application behaviour via the response
Arbitrary File Download Vulnerability
../../../etc/passwd
..//..//..//..//etc/passwd
Use Kali's dotdotpwn.pl tool
Host header attack
Misc
Internal files leaked
Internal IP disclosed
Clickjacking vulnerability
ASP.NET ViewState encrypted or not?
Apache MultiViews attack
Application does not display Last login time and date
Weak ETag disclosed
Server side validation is not in place
Sensitive Information gets stored in History
Padding oracle attack (ASPX)
Downloadable objects
Find metadata within the object and see whether sensitive information is disclosed
Comment
Cross site scripting
Comment on behalf of other users
CAPTCHA Testing
Identify parameters which are used to send CAPTCHA
Captcha Replay attack
Remove captcha parameter and send request to server
Check whether the logic for generating CAPTCHAs is in a .js file itself
Captcha should not disclose the absolute path
Remove the captcha element with Firebug and send the request
Yes (accepted) - no server side validation - vulnerable
No (rejected) - server side validation - not vulnerable
Check with a free OCR tool
Intercept the captcha check response; if the captcha value is false, change it to true and forward the response
Automated Testing
Netsparker
Burp Scan
Contact Us / Complaining/Feedback
Send a message as another user (applicable after authentication)
Captcha testing
Captcha bypass
Bruteforce