Web Application PenTesting Part 1 (Methodology)

Hello guys, Ninad here. I hope you are doing well. Today’s topic is how to start with web application pen-testing. I will be dividing this web application pen-testing series into 3 parts:


Part 1) Methodology.
Part 2) Client-side attacks.
Part 3) Server-side attacks.

In Part 1, Methodology, I will share my knowledge about how to start with web application pen-testing.
In Part 2, Client-side attacks, I will go into detail on client-side attacks: How to attack? How to mitigate? What are the client-side attacks?
In Part 3, Server-side attacks, I will go into detail on server-side attacks: How to attack? How to mitigate? What are the client-side attacks? What are the attack scenarios? etc.

So, generally, what is pen-testing?
As I see it,

It’s a practice implemented to mitigate security threats in any domain.

Here we are going to discuss web application pen-testing. There’s one point I would like to make clear: web application pen-testing is totally different from bug bounties, so don’t confuse the two.

How to Start Web Application Pen-testing?

There are some security testing standards in web application pen-testing which you may want to follow, such as:
1) OWASP (Open Web Application Security Project)
2) SANS (SysAdmin, Audit, Network and Security)
3) OSSTMM (Open Source Security Testing Methodology Manual)
4) ISSAF (Information Systems Security Assessment Framework)

If you ask me how to start:

I would start with the basics. One should have basic knowledge of how a web application works and some programming knowledge: HTML, CSS, JavaScript, PHP, MySQL, etc.
Basically, if you have the above then you are good to start web application pen-testing. After this, you should get to know how a web application works and its workflow, like what is HTTP? HTTPS? etc.

How would you go about it? Let’s divide web application pen-testing into two parts:
1) Client side pen-testing
2) Server-side pen-testing

Client-side pen testing:

Client-side attacks are quite different. These are attacks that target vulnerabilities in client applications that interact with a malicious server or process malicious data. Here, the client initiates the connection that could result in an attack. If a client does not interact with a server, it is not at risk, because it doesn’t process any potentially harmful data sent from the server. Client-side pen-testing may cover vulnerabilities which often take the form of unpatched software on a desktop or laptop. Depending on the nature of the vulnerable application, an attacker could exploit it via a specially crafted email attachment or by convincing the user to visit a malicious web site. Some targets include web browsers, Adobe Acrobat, Macromedia Flash, QuickTime and the Java Runtime Environment.

Some of the client-side attacks are XSS, redirects, phishing, clickjacking, IDOR, etc.

Server-side Pen-Testing:

Server-side attacks seek to compromise and breach the data and applications that are present on a server.
Server-side attacks target the web server to download or view files such as scripts, web shells and configuration files without proper authorization. Most of the time, server-side attacks don’t require user interaction. These attacks can be used with web servers. We can also use them against a normal computer that people use every day. Some of the server-side attacks are RCE, shell uploading, RFI, etc.

In client-side attacks, what generally happens is that an attacker can mostly mess with the external part of the website, but on the server side the attacker is able to change the code or many internal files.

How to start with Web Application Pen-Testing?

—————————————————————————————————————————————————————-

Enumeration -> Enumeration -> Enumeration -> Scanning -> Manual testing

—————————————————————————————————————————————————————–

So how to go for Enumeration -> Enumeration -> Enumeration:

My way of getting a description of the website is VirusTotal.
For subdomains, go for Amass.
For any OSINT info, go for SpiderFoot.
To see how the application is built, use Wappalyzer.
Check for components with known vulnerabilities: check the server name and version the site is running on, as there is a chance that the server is vulnerable to some RCE, injections, etc.
Check for low-level vulnerabilities like SPF, HTTP headers, no rate limiting, etc.
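The SPF and HTTP header checks from the list above can be scripted against a saved response and a domain's TXT records. This is an added example, not code from the original post; the function names, finding messages, sample response and TXT records are all assumptions constructed for illustration.

```python
# Added example. The response head and TXT records are constructed sample data.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.1 (Unix)
X-Powered-By: PHP/5.6.0
X-Content-Type-Options: nosniff
"""
SAMPLE_TXT = ["site-verification=constructed", "v=spf1 include:_spf.example.net ~all"]

REQUIRED = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-content-type-options": "X-Content-Type-Options: nosniff missing",
}
SPF_VERDICTS = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "open", "all": "open"}


def parse_headers(raw):
    """Return response headers as a dict with lower-cased names."""
    lines = raw.strip().splitlines()[1:]  # skip the status line
    pairs = (line.partition(":") for line in lines)
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}


def audit_headers(raw):
    """List missing hardening headers and banners that disclose a version."""
    h = parse_headers(raw)
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    # Framing is controlled by X-Frame-Options or by CSP frame-ancestors.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no framing protection (clickjacking)")
    for name in ("server", "x-powered-by"):
        if any(ch.isdigit() for ch in h.get(name, "")):
            findings.append(f"{name} discloses version: {h[name]}")
    return findings


def audit_spf(txt_records):
    """Classify the SPF policy found among a domain's TXT records."""
    spf = [r.lower().split() for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"
    for qualifier, verdict in SPF_VERDICTS.items():
        if qualifier in spf[0]:
            return verdict
    return "no all mechanism"
```

A record that ends in `redirect=` instead of an `all` mechanism is reported as "no all mechanism" here and needs the redirect target reviewed by hand.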

After that, once the basic enumeration part is done, I would go for
the medium-level and high-level vulnerabilities like XSS, injections, IDOR, chain attacks, privilege escalation, etc.

So this was my methodology for Web Application pen-testing.

Furthermore, for testing you can go through the methodology given in The Web Application Hacker’s Handbook:
1) Analyze the application
2) Test the client-side workflow
3) Test the authentication workflow
4) Test session management
5) Test access controls
6) Test for input-based vulnerabilities
7) Test for business logic errors
8) Test for privilege escalation
9) Test for injection attacks
10) Test for server-level attacks

Now let’s take an example,

Suppose there’s a login page. On a basic login page we will have a username and password field, a submit button, a forgot password link and a terms and services page link.


Now here the client-side attack will be like this:
There’s a forgot password section on the login page. Suppose the attacker gets a forgot password link such as

https://xyz.com/email=ascd@xyz.com&token=aaaasdfgfdhs1232#@$

Now here, if the attacker is able to alter the email address and reuse the token, or if he succeeds in carrying out an HTTP pollution attack, and if he is able to take over the account by this method, then this attack can be called a client-side attack.
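The reset flow described above fails when the server trusts the email in the link and lets a token be reused. The following added example (not code from the original post) puts that flawed check beside a hardened one; `ResetStore`, `single_params`, the 900-second lifetime and the example addresses are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

TOKEN_TTL = 900  # seconds; assumed lifetime


def single_params(query):
    """Parse a query string, refusing repeated names (parameter pollution)."""
    params = parse_qs(query, keep_blank_values=True)
    if any(len(values) != 1 for values in params.values()):
        raise ValueError("duplicate parameter")
    return {name: values[0] for name, values in params.items()}


class ResetStore:  # hypothetical in-memory store
    def __init__(self):
        self._pending = {}  # sha256(token) -> (account email, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        """Create a random token bound server-side to one account."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, now + TOKEN_TTL)
        return token

    def verify_weak(self, email_param, token):
        """Flawed: token only has to exist; the account is taken from the URL."""
        return email_param if self._digest(token) in self._pending else None

    def redeem(self, email_param, token, now=None):
        """Hardened: account comes from the stored record; token is single-use."""
        now = time.time() if now is None else now
        record = self._pending.pop(self._digest(token), None)  # no replay
        if record is None:
            return None
        bound_email, expiry = record
        if now > expiry:
            return None
        # The email in the request may confirm the bound account, never replace it.
        if not hmac.compare_digest(email_param.encode(), bound_email.encode()):
            return None
        return bound_email
```

Because `redeem` removes the token before any other check, a request with a mismatched email also burns the token and the user has to request a new link.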

Now on the same page, you can see that there is a terms and services link as well. Can you check the link given there? Can we try to carry out an RFI (Remote File Inclusion) attack there?

https://xyz.com/page=terms

Suppose the attacker is able to alter the PAGE parameter and successfully carry out his RFI there; then this kind of attack can be called a server-side attack.
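From the defender's side, tampering with a `page` parameter like the one above shows up in the access log as values outside the set of pages the site really serves. This added example (not from the original post) flags such requests; the log lines are constructed, and `ALLOWED_PAGES` and the `/?page=` URL shape are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_PAGES = {"terms", "privacy", "about"}  # assumed set of real pages
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//")

# Constructed access-log lines (documentation addresses, .invalid host).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?page=terms HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?page=http%3A%2F%2Fhost.invalid%2Fx.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /?page=pricing HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /style.css HTTP/1.1" 200 300',
]


def classify(value):
    """Label a non-allowlisted page value; decode once more to catch double encoding."""
    decoded = unquote(value).strip().lower()
    return "remote-url" if SCHEME_RE.match(decoded) else "not-allowlisted"


def scan(lines):
    """Return (client address, label) for every page value outside the allowlist."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get("page", []):
            if value not in ALLOWED_PAGES:
                hits.append((line.split()[0], classify(value)))
    return hits
```

The same allowlist belongs in the application itself: a handler that maps `page` to a fixed set of local templates has nothing for a remote URL to reach.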

So this was all about server-side and client-side attacks.
This was all about the web application pen-testing methodology. Do let me know if you need any help with web application pen-testing.

In the next part, I will discuss client-side attacks in depth: ways to carry out an attack, its mitigations, etc.

Hope you like it,

Till then, Happy Hacking.
