Methodology For Web Application Pentesting

A Detailed Guide to Our Web Security Assessment Approach

In this blog post, we explore Cyberstalin.com's comprehensive methodology for conducting thorough web security assessments. Our approach is designed to identify existing security gaps through a process-oriented audit.

Initiating the Project and Setting Objectives

The initial planning phase involves establishing testing goals and objectives, agreeing on rules of engagement, and securing formal management approval. These preparatory steps are crucial for laying the groundwork for a successful audit.

Establishing Rules of Engagement and Securing Permission

Penetration testing simulates an attack using tools and techniques that may be restricted by law, so obtaining formal written permission before any testing begins is essential. That permission, together with the rules of engagement agreed with the client, should outline:

  • Specific processes within the scope that need review
  • Points of contact for respective process owners
  • Protocols for handling information collected during the audit

Methodology Overview

Planning Phase

During the planning phase, the scope and objectives are identified and communicated between clients and security professionals. This helps determine the optimal timing for testing and resource availability. An execution plan is then created and communicated to the clients.

Information Gathering

Information gathering involves processes and techniques (footprinting, scanning, and enumeration) used to covertly discover and gather information about a target system. The objective is to collect as much data about the target as possible.

Findings Summary

The following table provides a comprehensive overview of the information-gathering process for the EXAMPLE application, categorized by specific areas:

Category               Details
Technology Stack       Information on the technologies used
Directory Enumeration  Details of the directory setup
Web Server Version     Version of the web server
WAF                    Information on the Web Application Firewall

Technical Details:

  • Directory Enumeration: Systematically requesting candidate directories and files on the web server to discover unlinked or concealed URLs and map the application's structure; this widens the attack surface available for later testing.
  • Application Environment Stack Details: Enumerating the web server type and version, programming languages, frameworks, and client-side libraries, so that known weaknesses of those components can be checked during the assessment.
  • Web Application Firewall (WAF) Status: Determining whether a WAF is present in front of the application; in this assessment none was identified. A WAF is a defensive layer that monitors and filters incoming web traffic, so its absence means test payloads reach the application unfiltered.

User Information Gathering: Information about EXAMPLE users was gathered from open sources including Maltego, LinkedIn, Google, Twitter, and Facebook. The identified individuals were then mapped to their roles so that the authentication tests performed later in the engagement could be targeted, within the agreed rules of engagement.

SN  Name         Email Address            Position
1   John Doe     john.doe@example.com     Manager
2   Jane Smith   jane.smith@example.com   Developer
3   Bob Johnson  bob.johnson@example.com  Analyst

Identifying and Exploiting Vulnerabilities

In this phase, attack surfaces are identified using a combination of manual and automated methods. Threat modelling helps pinpoint potential attack vectors, which are then exploited. Key considerations include hardening measures, cryptography issues, authentication and authorization controls, session management, business logic flaws, and validation measures. All actions are executed in strict accordance with the agreed rules of engagement.

Reporting and Providing Remediation

All identified security vulnerabilities are documented with associated CVSS v3-based scores and reported to the client. Each vulnerability is thoroughly assessed, and appropriate recommendations or mitigation measures are provided.

Verifying Fixes and Closing the Assessment

Upon confirmation of vulnerability closure by the client’s product team, we retest to ensure the issues have been resolved. A detailed retesting report is then provided.

Assessing Web Application Risk

Cyberstalin.com evaluates web application risk by considering two key factors:

  • Exploitation Likelihood: Measures how easily a vulnerability can be exploited.
  • Potential Impact: Gauges the potential business impact on the environment.

By analysing these elements, Cyberstalin.com determines the risk level for each web application, aiding in the prioritization of security measures.

Threat Modelling

Threat modelling is a structured methodology employed in cybersecurity to identify, evaluate, and address potential security risks and threats that could affect a system, application, or organization.

The primary objective of threat modelling is to proactively uncover vulnerabilities and weaknesses in a system that could be exploited by malicious actors. This approach enables organizations to anticipate and mitigate security threats before they can cause harm, ensuring a more secure and resilient infrastructure.

The screenshot below shows the application decomposed into its components so that the threats against each component could be identified:

Case Study: EXAMPLE Web Application Penetration Test

We conducted a comprehensive Web Application Penetration Test for an “EXAMPLE” application. Using a blend of commercial and proprietary tools, we mapped and gathered information about the site. Custom tools and scripts were employed to identify unique vulnerabilities.

Our skilled assessors performed manual analysis, testing for key security flaws, including those outlined in the OWASP Top 10 Vulnerabilities list. Vulnerabilities were categorized based on several factors such as asset criticality, threat likelihood, and vulnerability severity.

Exploitation of Vulnerabilities

Based on the previously obtained information, we executed vulnerability tests on the “Example application” using a combination of manual and automated approaches. For each vulnerability, we provided a description of its exploitation, its consequences, and preventive measures. Below are some examples of the vulnerabilities found during the assessment:

1- Multiple SQL Injections in the Application

It was observed that the application includes a parameter named "searchdata" that is susceptible to time-based and error-based SQL injection. This class of vulnerability arises when user-supplied data is concatenated into database queries without being parameterised or properly sanitised.

Attackers can exploit this flaw by inserting crafted input that disrupts the intended query structure, potentially allowing unauthorized access to sensitive data, manipulation of database contents, execution of administrative tasks such as shutting down the database management system, retrieval of files stored on the database server, and in some cases, issuing commands to the underlying operating system.

Affected Resource

URL                                           Parameter   Severity   CVSS
http://localhost/eahp/ambulance-tracking.php  searchdata  Critical   10.0

Proof Of Concept (PoC)

During the assessment, we observed the following:

1. The screenshot below shows the "Ambulance Tracking" functionality, where some random alphabetic characters were entered in the "searchdata" parameter.

2. The screenshot below shows the request and response for that functionality with the random characters in the "searchdata" parameter.

3. The screenshot below shows a MySQL error in the response when a single quote (') was appended to the random characters in the "searchdata" parameter. A database error echoed back to the client indicates that the application is likely vulnerable to error-based SQLi.

4. The screenshot shows the "searchdata" parameter with a time-based payload we crafted, after which the application responds after 2 seconds.

5. Changing the payload to SLEEP(5) makes the application respond after 5 seconds, confirming that the delay is controlled by the injected SQL rather than by network jitter.

6. We then automated enumeration of the databases with sqlmap, which confirmed that the "searchdata" parameter is vulnerable to boolean-based blind, error-based, time-based blind, and UNION-based SQL injection.

Impact

An attacker can use this vulnerability to execute arbitrary SQL queries against the application's database, read data from it and, in practice, dump the entire database.

Remediation

  • Use parameterised queries (prepared statements) for every SQL statement, so that user input is always bound as data and never concatenated into query text. Stored procedures help only if they themselves avoid building dynamic SQL from their arguments.
  • Validate input against an allow-list (expected type, length, and character set) before it reaches the database layer. This is defence in depth, not a replacement for parameterisation.
  • Escaping or doubling quotation marks in user input is a last-resort measure: it does not protect numeric or identifier contexts and must not be relied on as the primary control.

References

https://owasp.org/www-community/attacks/SQL_Injection
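The first remediation point is the one that actually removes the flaw, and the difference is easiest to see side by side. The following is an added example written for this post (it is not code from the EXAMPLE application or from the Cyberstalin.com team) that models a "searchdata" lookup in Python against an in-memory SQLite database; the table name, columns and rows are constructed for illustration. The vulnerable function splices the parameter into the query text, reproducing the single-quote error and the boolean bypass described in the PoC; the hardened function binds it as a parameter. Time-based payloads are not reproduced because SQLite has no SLEEP() function.

```python
import sqlite3

# Constructed sample data standing in for the EXAMPLE application's database.
# Table, column names and rows are invented for this example.
ROWS = [
    ("AMB-01", "Downtown", "available"),
    ("AMB-02", "Northside", "on call"),
    ("AMB-03", "Airport", "available"),
]


def setup_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ambulance (code TEXT, area TEXT, status TEXT)")
    conn.executemany("INSERT INTO ambulance VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, searchdata):
    """Mirrors the flaw in the finding: the raw parameter is spliced into the
    SQL text, so a quote in `searchdata` changes the structure of the query."""
    sql = f"SELECT code FROM ambulance WHERE area LIKE '%{searchdata}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, searchdata):
    """Hardened form: fixed query text, input bound as a parameter. The LIKE
    wildcards are added to the bound value, never to the SQL string."""
    sql = "SELECT code FROM ambulance WHERE area LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{searchdata}%",))]


def probe(search_fn, conn, payload):
    """Run one payload and classify the outcome the way an error-based test
    does: either a result set or a database error surfaced to the caller."""
    try:
        return ("rows", search_fn(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# Payloads in the order the PoC steps use them: benign text, a single quote
# to provoke a syntax error, then a boolean tautology to widen the result set.
PAYLOADS = ["Down", "Down'", "' OR '1'='1"]


if __name__ == "__main__":
    conn = setup_db()
    for payload in PAYLOADS:
        print(f"payload {payload!r}")
        print("  vulnerable:", probe(search_vulnerable, conn, payload))
        print("  safe:      ", probe(search_safe, conn, payload))
```

Running the module prints the three probes. The point to notice is that search_safe never errors on the quote and never widens the result set: the injected text is compared as a LIKE pattern rather than interpreted as SQL, which is exactly the behaviour the PoC showed to be missing from the "searchdata" parameter.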

2- Unauthenticated Stored Cross Site Scripting (XSS)

It was observed that the application is vulnerable to stored XSS through functionality that is reachable without authentication. This type of vulnerability occurs when user input is stored server-side without proper validation and is later rendered to other users without context-appropriate output encoding.

Attackers can exploit this by submitting malicious scripts that the application saves and then executes in the browsers of other users (here, administrators) when they view the affected page.

Affected Resource

URL                     Parameter            Severity   CVSS
http://localhost/eahp/  Multiple Parameters  High       8.1

Proof Of Concept (PoC)

During the assessment, we observed the following:

1. The screenshot below shows the "Hire an Ambulance" functionality, which is available without signing in and includes multiple input parameters.

2. In the screenshots below, we entered basic JavaScript payloads in those parameters and clicked "Submit"; the request was accepted and stored.

3. The screenshot below shows that, after logging in as "Admin", the submitted request is listed in the administrative view.

4. As shown in the screenshot below, opening the new request executes the XSS payloads in the administrator's browser.

5. The screenshot below shows that all of the JavaScript payloads were written into the page source without encoding, which is what makes this a stored XSS vulnerability.

Impact

Because the payload executes in an authenticated administrator's session, an attacker can steal the session cookie (unless it is protected by the HttpOnly flag) or otherwise ride the session to impersonate the administrator and perform actions on their behalf. Injected script can also modify the page to capture credentials or other sensitive data the victim enters, and can read confidential user information, such as personal data, that the administrative view displays.

Remediation

  • Encode user-supplied content at every output point using the encoding appropriate for that context (HTML entity encoding for element content and quoted attributes, JavaScript string escaping inside scripts, URL encoding inside URLs). Output encoding is the primary control against XSS.
  • Validate user input against an allow-list of expected formats as defence in depth. Validation alone does not prevent XSS, because legitimate data may still contain characters that are dangerous in a given output context.
  • Deploy a strict Content Security Policy (for example, disallowing inline scripts and restricting script sources to trusted origins) to limit the impact of any XSS that slips through, and set the HttpOnly flag on session cookies so that injected script cannot read them.

References

https://owasp.org/www-community/attacks/xss
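The encoding point in the remediation is easier to see with the stored-then-rendered flow in code. The following is an added example written for this post (not code from the EXAMPLE application or from the Cyberstalin.com team) that models the "Hire an Ambulance" submission being stored verbatim and later rendered in an administrative table, once as the finding describes it and once with context-appropriate encoding. The field names, table markup and payloads are constructed for illustration; the parser-based check at the end stands in for the manual source inspection in PoC step 5.

```python
import html
from html.parser import HTMLParser

# Constructed submissions standing in for the unauthenticated "Hire an
# Ambulance" form. Field names and payloads are invented for this example.
SUBMISSIONS = [
    {"name": "Jane Smith", "note": "Patient waiting at gate 3"},
    {"name": "<script>alert(document.cookie)</script>", "note": "tag injection"},
    {"name": 'Bob" onmouseover="alert(1)', "note": "attribute breakout"},
]


def store(db, submission):
    """Server side of the form: the request is saved verbatim. Storing the raw
    value is acceptable only if every later output point encodes for context."""
    db.append(dict(submission))


def render_vulnerable(db):
    """Admin view as the finding describes it: stored values are concatenated
    into the page, both as element text and inside a double-quoted attribute."""
    rows = [
        f'<tr><td title="{r["name"]}">{r["name"]}</td><td>{r["note"]}</td></tr>'
        for r in db
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(db):
    """Hardened view: html.escape(quote=True) turns <, >, &, " and ' into
    entities, the right encoding for element content and for double-quoted
    attribute values. Other contexts (script, URL) need other encoders."""
    rows = []
    for r in db:
        name = html.escape(r["name"], quote=True)
        note = html.escape(r["note"], quote=True)
        rows.append(f'<tr><td title="{name}">{name}</td><td>{note}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"


class ActiveContentFinder(HTMLParser):
    """Parses rendered HTML and records script elements and on* event-handler
    attributes, i.e. the places where injected JavaScript would execute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script tag")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.hits.append(f"event handler {attr_name}")


def active_content(page):
    """Return the list of executable injection points found in `page`."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    db = []
    for submission in SUBMISSIONS:
        store(db, submission)
    print("vulnerable view:", active_content(render_vulnerable(db)))
    print("safe view:      ", active_content(render_safe(db)))
```

Two things the example makes visible that the screenshots cannot: the same stored value is dangerous in two different ways depending on where it lands (a tag in element content, an attribute breakout inside title="..."), and escaping at render time neutralises both without touching what was stored. Input validation on the form would not have caught the second payload reliably, which is why encoding at the output point is the primary control.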

Conclusion

In conclusion, our approach to web security assessments is rooted in meticulous planning, comprehensive testing methodologies, and proactive threat mitigation strategies. By employing a structured process that includes detailed planning, thorough information gathering, vulnerability identification, and exploitation testing, we ensure that our clients' web applications are robustly defended against potential threats.

If your organization is looking to fortify its web defences, Cyberstalin.com offers expert penetration testing services tailored to your specific needs. Our skilled professionals use a blend of commercial and proprietary tools to uncover vulnerabilities and provide actionable recommendations to mitigate risks effectively.

Get in touch with us today to schedule a penetration test and safeguard your digital assets with confidence!
