Web Application PenTesting Part 1 (Methodology)
Hello Guys, Ninad here I hope you are doing good, so today’s topic is How to start with web application pen-testing. I would be dividing this Web Application Pentesting into 3 parts,
Part 1) Methodology.
Part 2) Client-side attacks.
Part 3) Server-side attacks.
In Part 1 Methodology, I would be Sharing my knowledge with you about How to start with Web Application pen-testing?
In Part 2 Client-side attacks, I would go in detail for client-side attacks like How to attack? How to mitigate? What are the client side attacks?
In Part 3 Server-side attacks, I would go in detail for Server-side attacks like How to attack? How to mitigate? What are the client side attacks? What is the attack scenario’s ..etc.
So Generally, What is Pen-testing?
As of me,
It’s a practice implemented to mitigate security threats in any domain
Here we are going to discuss Web Application Pen-testing, There’s one point which I would like to make it clear that web application pen-testing is totally different than bug bounties. So Don’t get confused with it.
How to Start Web Application Pen-testing?
There are some security testing standards In web application pen-testing which you would like to follow Such as
1) OWASP (Open Web Application Security Project)
2) SANS (Sysadmin, Audit, Network And Security )
3) OSSTMM ( Open source SecurityTesting Methodology Manual)
4) ISSAF ( Information Systems Security Assesment Framework)
If you would ask me How to?
I would start with basic’s, one should have basic knowledge of how a web application works, some programming knowledge like HTML, CSS Javascript, PHP, MYSQL..etc.
basically, if you have the above then you are good to start web application pen-testing. After this, you Should get know how a web application works its workflow, like what is HTTP? https? …etc.
How would you go for it? let divide the web application pen-testing into two parts
1) Client side pen-testing
2) Server-side pen-testing
Client-side pen testing:
Client-side attacks are quite different. These are attacks that target vulnerabilities in client applications that interact with a malicious server or process malicious data. Here, the client initiates the connection that could result in an attack. If a client does not interact with a server, it is not at risk, because it doesn’t process any potentially harmful data sent from the server. Client-side pen-testing may consist of vulnerabilities which often takes the form of unpatched software on a desktop or laptop. Depending on the nature of the vulnerable application, an attacker could exploit it via a specially-crafted email attachment or by convincing the user to visit a malicious Web site. Some targets include Web Browser’s, Adobe Acrobat, Macromedia Flash, QuickTime and Java Runtime Environment.
Some of the client side attacks might be like XSS, redirects, Phishing, Clickjacking, IDOR ..etc
Server-side Pen-Testing:
Server-side attacks seek to compromise and breach the data and applications that are present on a server.
Server-side attack target web server for downloading or viewing files like scripts, web shells, configuration files without proper authorization. Most of the time server-side attacks don’t require user interaction. These attacks can be used with web servers. We can also use them against a normal computer that people use every day. Some of the server side attacks are like RCE, Shell Uploading, RFI..etc.
In client-side attacks generally what happens is that an attacker can Mess up with the external part of the website mostly but in the server side the attacker is able to change the code or many internal files.
How to start with Web Application Pen-Testing?
—————————————————————————————————————————————————————-
Enumeration -> Enumeration -> Enumeration -> Scanning -> Manual testing
—————————————————————————————————————————————————————–
So how to go for Enumeration -> Enumeration -> Enumeration
My way for getting a description of the website is Virustotal
Looking for subdomain go for Amass
Looking for any OSNIT info go for Spiderfoot
Looking for how the application is made using Wappalyzer
Check for the Components with known vulnerabilities like check for the server name and version which the site is working on, there might be chances that the server might be vulnerable to some RCE, INJECTIONS …etc
Check for Low-level vulnerabilities like SPF, HTTP headers, NO rate limiting …etc
After that, once the basic enumeration part is done I would like to go for,
The medium level and high-level vulnerabilities like XSS, injections, Idor, chain attacks, Privilege escalation..etc.
So this was my methodology for Web Application pen-testing.
Furthermore, Testing You can go through the Methodology given within the web application hackers handbook.
1) Analyze the application
2) Test for the client side workflow
3)Test the authentication workflow
4)Test for session management
5)Test for Acces controls
6) Test for Input based Vulnerabilities
7)Tests for business login errors
8) Test for privilege escalation
9) Test for Injection attacks
10) Test for server level attacks
Now let’s take an example,
Suppose there’s a Login page now, On the basic login page, we will be having a User name and password field, submit button, Forgot password and Terms and services page link.
Now here the client side attack will be like,
There’s a forgot password section in the login page, if the attacker gets a forgot password link such as
https://xyz.com/email=ascd@xyz.com&token=aaaasdfgfdhs1232#@$
Now here if the attacker is able to alter the email address and able to reuse the token or if he is successful in carrying out an HTTP pollution attack here, and if he is able to take over the account by this method then this attack can be called as a client-side attack.
Now on the same page, you can see that there is a terms and services field also, can you check the link given there? can we carry try to carry out an RFI (Remote file inclusion) attack there
https://xyz.com/page=terms
Suppose if the attacker is able to alter the PAGE parameter and successfully carry out his RFI there then this kind of attack can be called as Server-side attacks
So this was all about the service side and client side attacks
This was all about the web application pen-testing methodology, Do let me know if you need any help in web application pen-testing
In the next part, I would be discussing in deep about the Client-side attacks, ways to carry out an attack, its mitigations..etc
Hope you like it,
Till then, Happy Hacking.
Great Ninad!! Keep sharing your knowledge with others 🙂
Thanks for sharing!
Can you suggest some books which are good to learn website pen – testing.
Sure, Why not will add up books reference section in the blog, soon!
How much time did you take to master the Pen Test Skills?
This is a life long process, everyday something new will be coming you need to be updated with that, but this skill will come with time ,experience.
Is it possible to learn all the skills in One Month
No Completely but basics for sure