Friday, August 23, 2013

Juicy Areas of Web Application For Pentesters

In this tutorial I am going to write small things which everyone knows already but I am trying to convey it in another manner of checklist. I am going to talk on some juicy areas for pen tester. Mainly it will be focusing on fingerprinting concept. While doing fingerprinting of any website, which are the areas mainly a pen tester or web application security analyst should target at high priority.

First thing to check is the server name and the version information. This information is really helpful to pen testers because older versions have already exploits in market. So If they got older server version they can directly check whether that exploit is working or not.

It is necessary to check whether application is used in back-end or not. I have seen some security analysts in my life who are trying to scan website in each and every tool to find vulnerability and they have come up with nothing. Then they realized that scanning tool is only scanning html pages in it. By checking manually they came to know that website is static. It is not dynamic website which uses programming language such as JAVA, PHP and .NET. So it is better to check whether its using any application before you test the website.

To test so keep below things in mind.

  • Find login page for user.
  • Find registration page.
  • Find Leave your comment section.
  • Find any search filtration system.(Eg. Flipkart, Ebay)
  • Find Payment transaction system.
  • Downloading section to download content from server.
  • Determining the URL if it is having any parameters and their values or not.

  1. Another good mechanism of fingerprinting is determining the client side and server side language. Its the best way to reduce your efforts in testing website.
  2. Keep track of interesting functionalities such as downloading mechanism. While downloading always see the URL structure.
  3. Always keep the track of authentication mechanism, authentication form, authentication links, logout mechanism and password recovery mechanism.
  4. Measure where are your data entry points from where user can input some data to the server.
    Eg: Search box, Leave a comment, Contact us, Submit News, Submit Post
  5. "Leave a comment" section is always wonderful to watch.
  6. Search if you can find robots.txt file available on server. It can disclose many things.
  7. Generating random strings of mixed characters with special characters and giving it to any input filed to generate 404 error. 404 error revels sometime back-end information how server and folders lying on server are organized. For more information see below pic