Application security issues are the most common issues for businesses today because of their complexity. Application security combines three things: the security of the supporting infrastructure, the hardening of the supporting servers (such as application and database servers), and secure source code.
The Web Application Testing Methodology is divided into three distinct phases: Profiling, Assessment and Exploitation.

Additionally, testing will be performed against the Application's Network Infrastructure for the hosts and systems within scope.
Profiling Phase

Information Gathering (Reconnaissance) techniques will be performed to gather as much information as possible about the Application's site structure and network infrastructure. Specifically, the following techniques will be used to find and assess any security-related information:

Information Gathering / Reconnaissance

▪ Crawling the Application: using crawling techniques to identify all visible directories and scripts.
▪ Analyzing Traffic: using HTTP proxying techniques to analyze the traffic (HTTP requests/responses) between the client's browser and the server, focusing on HTTP headers, cookies, forms (GET, POST), URL parameters, source code and comments.
▪ Knowing the Application: using the Application normally from both unauthorized and authorized user perspectives (at every privilege level provided) to fully understand the Application's functions and mechanisms.
▪ Architecture / Technologies: identifying Web/Proxy/Application/Database servers, load-balanced/firewall (IDS/IPS/WAF) architectures, frameworks (PHP, .NET, Java), web services (SOA/WOA/SaaS) and data structures (XML, JSON, RSS).
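As an added illustration of the "Analyzing Traffic" and "Architecture / Technologies" items (this is example code, not part of the original methodology document), the Python below parses one HTTP response and reports which headers and session cookie names disclose server software, framework or version. The response is constructed for the example, and the lists of disclosing headers and cookie-name hints are the author's assumptions about common indicators, not an exhaustive catalogue.

```python
"""Profiling helper: report which response headers disclose server-side
technology or version information. Added example, not part of the original
methodology document; the response below is constructed for illustration."""

# Constructed sample response, not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that commonly carry product or version strings (assumed list).
DISCLOSING_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-generator",
)

# Default session cookie names that identify a runtime (assumed list).
SESSION_COOKIE_HINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "cfid": "ColdFusion",
}


def parse_headers(raw_response):
    """Return (status_line, headers) where headers is an ordered list of
    (lower-cased name, value) pairs; repeated headers such as Set-Cookie
    are all kept rather than collapsed into a dict."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def fingerprint(raw_response):
    """Return findings: the disclosing headers with their values, and
    framework hints derived from session cookie names."""
    _status, headers = parse_headers(raw_response)
    findings = {"disclosing_headers": {}, "framework_hints": []}
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            findings["disclosing_headers"][name] = value
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip().lower()
            hint = SESSION_COOKIE_HINTS.get(cookie_name)
            if hint:
                findings["framework_hints"].append((cookie_name, hint))
    return findings


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(key, val)
```

Run against a response captured through the proxy, the same report tells the application owner exactly which version strings to suppress (for example by disabling the Server and X-Powered-By headers and renaming the session cookie).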
Assessment Phase

Both automated and manual vulnerability assessment will be performed, based on the information found in the Profiling Phase, against the Application's structure so that all known and unknown vulnerabilities are identified. Specifically, the following vulnerability assessment techniques will be used:
Vulnerability Assessment

Site Structure
▪ Sitemaps (robots.txt, sitemap.xml, etc.)
▪ Hidden Structure (Brute-forcing for Files/Directories, Old/Backup Files, etc.)
▪ Directory Listing / Indexing
▪ Error Handling
▪ Information Leakages (Error Messages, Comments, etc.)
▪ Client-Side Input Validation and Sanitization
▪ Lack of Patching

Input Validation / Sanitization
▪ Buffer Overflow Attacks
▪ Format String Attacks
▪ Injection Attacks (OS/SQL/LDAP/XML/SSI/SMTP/Code)
▪ File Inclusion Attacks (Local/Remote)
▪ Cross-Site Scripting (XSS): Reflected/Persistent/DOM-based
▪ XML External Entity Attacks (XXE)
▪ URL Redirection to Untrusted Site (Open Redirect)
▪ Path Traversal
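Two of the items above, open redirect and path traversal, are checked by validating a single user-supplied string, and the same validation is what the assessment tries to bypass. The Python below (an added example, not code from the original document) shows a server-side validator for each, handling the bypasses an assessor would try: protocol-relative targets, backslash-for-slash, credential-in-URL tricks, non-HTTP schemes, and "../" sequences. ALLOWED_HOST and BASE_DIR are assumed values for the example.

```python
"""Server-side validators for two Input Validation items: URL redirection to
an untrusted site (open redirect) and path traversal. Added example, not from
the original methodology document; ALLOWED_HOST and BASE_DIR are assumed."""
import posixpath
from urllib.parse import urlsplit

ALLOWED_HOST = "app.example.test"   # assumed: the application's own host name
BASE_DIR = "/srv/app/public"        # assumed: the only directory files may be served from


def is_safe_redirect(target, allowed_host=ALLOWED_HOST):
    """True only if `target` is a site-relative path or an http(s) URL whose
    host is exactly `allowed_host`. Rejects protocol-relative URLs (//host),
    backslash variants (/\\host), userinfo tricks (https://good@evil/) and
    non-HTTP schemes such as javascript:."""
    if not target:
        return False
    # Browsers treat backslashes like forward slashes; normalise first so
    # "/\evil.example" is parsed the way the browser would parse it.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: hostname (not netloc) ignores any user:pass@ prefix.
        return parts.scheme in ("http", "https") and parts.hostname == allowed_host
    if parts.netloc:
        # No scheme but a network location: protocol-relative "//evil.example/".
        return False
    # Relative target: insist on a single leading slash.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_under_base(user_path, base_dir=BASE_DIR):
    """Return the normalised absolute path for a user-supplied file name if it
    stays inside base_dir, otherwise None. Purely lexical (normpath), so it
    runs without the files existing; on a live system resolve symlinks too
    (os.path.realpath) and URL-decode the input before calling this."""
    # Drop leading slashes so an absolute path cannot replace the base.
    relative = user_path.lstrip("/\\").replace("\\", "/")
    joined = posixpath.normpath(posixpath.join(base_dir, relative))
    base = base_dir.rstrip("/")
    if joined == base or joined.startswith(base + "/"):
        return joined
    return None


if __name__ == "__main__":
    for t in ("/account", "//evil.example/", "https://app.example.test@evil.example/"):
        print(t, is_safe_redirect(t))
    for p in ("reports/2024.pdf", "../../etc/passwd"):
        print(p, resolve_under_base(p))
```

The redirect check compares the parsed hostname rather than doing a string prefix match, which is what defeats the "https://app.example.test.evil.example/" and "https://app.example.test@evil.example/" variants; the path check compares the normalised result against the base directory instead of searching the input for "..", which is what defeats nested and mixed-separator encodings.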
Authentication
▪ Authentication Functions Review (Log-In, Log-Out, Remember Me, Password Change/Reset, Register)
▪ Username / Password / Lock-Out Policy Review
▪ Account Enumeration Possibilities
▪ Replay Attacks
▪ Credentials over Unencrypted Channel

Session Manipulation
▪ Cookie Attributes (HttpOnly, Secure, Path, Domain)
▪ Concurrent Sessions
▪ Session Riding / Cross-Site Request Forgery (XSRF)
▪ Session Prediction
▪ Session Fixation
▪ Session Hijacking
▪ Session Expiration
▪ Tokens over Unencrypted Channel
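The cookie attribute review above is mechanical enough to script. The Python below (an added example, not code from the original document) parses Set-Cookie headers and reports each cookie that is missing HttpOnly or Secure, that sets no SameSite attribute (the cross-site request forgery item), or that widens its scope with a Domain attribute. The three headers are constructed for the example, and the rule set is the author's assumption about what a reviewer wants flagged, not a standard.

```python
"""Audit Set-Cookie headers for the attributes listed under Session
Manipulation (HttpOnly, Secure, Path, Domain) plus SameSite. Added example,
not from the original methodology document; the headers are constructed."""

# Constructed Set-Cookie headers, not captured from any real application.
SAMPLE_SET_COOKIES = [
    "SESSIONID=4f9a1c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember_me=1; Path=/; Domain=.example.test",
    "csrftoken=9b2e; Path=/account; Secure",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flags without a value map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, over_https=True):
    """Return (cookie name, list of findings) for one Set-Cookie header.
    over_https=False suppresses the Secure check for plain-HTTP test sites."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by script (XSS exposure)")
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this combination")
    elif not samesite:
        findings.append("missing SameSite: relies on the browser default for CSRF protection")
    domain = attrs.get("domain")
    if domain:
        findings.append(f"Domain={domain}: cookie is shared with every subdomain")
    return name, findings


def audit_all(headers, over_https=True):
    """Map each cookie name to its findings; an empty list means no issue."""
    return {name: findings
            for name, findings in (audit_cookie(h, over_https) for h in headers)}


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_SET_COOKIES).items():
        print(cookie, issues or "ok")
```

A finding is a prompt for review, not a verdict: a CSRF token that the page's script must read legitimately lacks HttpOnly, whereas the same gap on the session cookie is a real weakness.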
Application Logic / Misconfigurations
▪ General Application Logic security flaws and misconfigurations that could allow a user to do something the Application does not normally allow (e.g. removing money from another user's bank account by sending her a negative amount of money)
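The negative-amount transfer mentioned above is worth seeing in code, because no scanner finds it: every request is well-formed, and only the business rule is wrong. The Python below (an added example, not code from the original document) shows a transfer routine that checks only the sender's balance, next to a hardened version that validates the amount before touching any balance; the in-memory account store and the names "alice" and "bob" are constructed for the example.

```python
"""Application logic flaw from the example above: a transfer that accepts a
negative amount pulls money out of the recipient's account. Added example,
not from the original methodology document; accounts are an in-memory dict."""
from decimal import Decimal, InvalidOperation


class TransferError(ValueError):
    """Raised when a transfer request fails validation."""


def make_accounts(**balances):
    """Build an account store from string balances, e.g. alice="10.00"."""
    return {name: Decimal(value) for name, value in balances.items()}


def transfer_vulnerable(accounts, sender, recipient, amount):
    """Checks only that the sender can cover `amount`. A negative amount
    passes that check trivially and reverses the direction of the transfer,
    so any user can drain any account whose name they know."""
    amount = Decimal(str(amount))
    if accounts[sender] < amount:
        raise TransferError("insufficient funds")
    accounts[sender] -= amount
    accounts[recipient] += amount
    return accounts


def transfer_hardened(accounts, sender, recipient, amount):
    """Rejects malformed, non-positive or over-precise amounts, unknown
    accounts and self-transfers, then checks funds. Balances are updated
    only after every check passes, so a rejected request changes nothing."""
    try:
        amount = Decimal(str(amount))
    except InvalidOperation:
        raise TransferError("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise TransferError("amount must be a positive number")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("amount has more than two decimal places")
    if sender not in accounts or recipient not in accounts:
        raise TransferError("unknown account")
    if sender == recipient:
        raise TransferError("cannot transfer to the same account")
    if accounts[sender] < amount:
        raise TransferError("insufficient funds")
    accounts[sender] -= amount
    accounts[recipient] += amount
    return accounts


def demo():
    """Send the same negative-amount request through both versions and
    return the victim's ("bob") resulting balance for each, as strings."""
    before = make_accounts(alice="10.00", bob="500.00")
    vuln = transfer_vulnerable(dict(before), "alice", "bob", "-400")
    try:
        hardened = transfer_hardened(dict(before), "alice", "bob", "-400")
    except TransferError:
        hardened = dict(before)
    return str(vuln["bob"]), str(hardened["bob"])


if __name__ == "__main__":
    print("bob after vulnerable transfer:", demo()[0])
    print("bob after hardened transfer:  ", demo()[1])
```

The test case an assessor derives from this item is simply a transfer with amount -400 submitted from the lowest-privileged account; the fix is the positive-amount rule, applied on the server regardless of what the client-side form allows.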
Exploitation Phase

At the exploitation stage we will try to exploit the identified vulnerabilities and so validate that they exist. Both online and offline password cracking techniques (e.g. guessing, dictionary, hybrid, brute-force) will be performed against password hashes (e.g. MD5) and/or authentication points found in previous steps of testing. In case of successful exploitation we will try to escalate privileges within applications, hosts and networks.