Application Testing

Application security issues are the most common issues for businesses today because of the complexity of applications. Application security depends on a combination of: the security of the supporting infrastructure, the hardening of the supporting servers (such as application and database servers), and secure source code.

The Web Application Testing Methodology is divided into three distinct phases: Profiling, Assessment and Exploitation.

Additionally, the Application's network infrastructure will be tested for the hosts and systems within scope.

Profiling Phase

Information Gathering (Reconnaissance) techniques will be performed to gather as much information as possible about the Application's site structure and network infrastructure.

Specifically, the following techniques will be used to find and assess any security-related information:

Information Gathering / Reconnaissance

Crawling the Application: Using crawling techniques to identify all visible directories and scripts.

Analyzing Traffic: Using HTTP proxying techniques to analyze the traffic (HTTP requests/responses) between the client's browser and the server, focusing on HTTP headers, cookies, forms (GET, POST), URL parameters, source code and comments.

Knowing the Application: Using the Application normally from both unauthorized and authorized user perspectives, at every privilege level provided, to fully understand the Application's functions and mechanisms.

Architecture / Technologies: Identifying web/proxy/application/database servers, load-balancer/firewall (IDS/IPS/WAF) architectures, frameworks (PHP, .NET, Java), web services (SOA/WOA/SaaS) and data structures (XML, JSON, RSS).

Assessment Phase

Both automated and manual vulnerability assessment, based on the information found in the Profiling Phase, will be performed against the Application's structure to ensure that all known and unknown vulnerabilities are identified.

Specifically, the following vulnerability assessment techniques will be used:

Vulnerability Assessment

Site Structure

       Sitemaps (robots.txt, sitemap.xml, etc.)

       Hidden Structure (Brute-forcing for Files/Directories, Old/Backup Files, etc.)

       Directory Listing / Indexing

       Error Handling

       Information Leakages (Error Messages, Comments, etc.)

       Client-Side Input Validation and Sanitization

       Lack of Patching

Input Validation / Sanitization

       Buffer Overflow Attacks

       Format String Attacks

       Injection Attacks (OS/SQL/LDAP/XML/SSI/SMTP/Code)

       File Inclusion Attacks (Local/Remote)

       Cross-Site Scripting (XSS): Reflected/Persistent/DOM-based

       XML External Entity (XXE) Attacks

       URL Redirection to Untrusted Site (Open Redirect)

       Path Traversal

Authentication

       Authentication Functions Review (Log-In, Log-Out, Remember Me, Password Change/Reset, Register)

       Username / Password / Lock-Out Policy Review

       Account Enumeration Possibilities

       Replay Attacks

       Credentials over an Unencrypted Channel

Session Manipulation

       Cookie Attributes (httponly, secure, path, domain)

       Concurrent Sessions

       Session Riding / Cross-Site Request Forgery (XSRF)

       Session Prediction

       Session Fixation

       Session Hijacking

       Session Expiration

       Tokens over an Unencrypted Channel

Application Logic / Misconfigurations

       General application logic security flaws and misconfigurations that could allow a user to do something that is not normally allowed by the Application (e.g. removing money from another user's bank account by sending her a negative amount of money)
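The negative-amount logic flaw used as the example above, shown as an added Python illustration (not code from the original page): a vulnerable transfer handler beside a hardened one that enforces the invariants on the server. Account names and balances are constructed for the demonstration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample balances (not from the original page).
ACCOUNTS = {"alice": Decimal("100.00"), "mallory": Decimal("10.00")}


class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""


def transfer_vulnerable(balances, src, dst, raw_amount):
    # Vulnerable: the client-supplied amount is used as-is. The funds check
    # passes for any negative value, so the request silently pulls money
    # *from* dst *into* src, which is the logic flaw described above.
    amount = Decimal(raw_amount)
    if balances[src] < amount:
        raise TransferError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount
    return balances


def transfer_hardened(balances, actor, src, dst, raw_amount):
    # Hardened: parse strictly, then enforce every business rule on the
    # server regardless of what any client-side form validation did.
    try:
        amount = Decimal(raw_amount)
    except InvalidOperation:
        raise TransferError("amount is not a number") from None
    if not amount.is_finite():                  # rejects NaN and Infinity
        raise TransferError("amount must be finite")
    if amount <= 0:                             # closes the negative-amount flaw
        raise TransferError("amount must be positive")
    if amount.as_tuple().exponent < -2:         # no sub-cent rounding games
        raise TransferError("amount must be whole cents")
    if actor != src:                            # only the owner may debit an account
        raise TransferError("not authorised to debit this account")
    if src == dst or dst not in balances:
        raise TransferError("invalid destination account")
    if balances[src] < amount:
        raise TransferError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount
    return balances


if __name__ == "__main__":
    # mallory asks to "send" alice -50: the vulnerable handler enriches mallory.
    print("vulnerable:", transfer_vulnerable(dict(ACCOUNTS), "mallory", "alice", "-50"))
    try:
        transfer_hardened(dict(ACCOUNTS), "mallory", "mallory", "alice", "-50")
    except TransferError as exc:
        print("hardened rejected:", exc)
```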

Exploitation Phase

In the Exploitation Phase we will attempt to exploit the identified vulnerabilities in order to validate that they exist. Both online and offline password cracking techniques (e.g. guessing, dictionary, hybrid, brute-force) will be performed against password hashes (e.g. MD5) and/or authentication points found in the previous steps of testing. In the case of successful exploitation, we will try to escalate privileges within applications, hosts and networks.