
Enhancing Web Application Pentesting Skills

Aug 18, 2024

Web Application Pentesting: Not Just Checklists

Introduction

  • Presenter: Chris Dale, SANS Principal Instructor, co-founder and CEO of River Security
  • Objective: present a methodology for web application pentesting that goes beyond running down a checklist.
  • Common perception: web application pentesting is boring and repetitive (ticking off a checklist of known vulnerability classes).

Importance of Web Applications

  • Web applications are everywhere; most environments expose far more web servers than their owners realise (management interfaces, embedded devices, internal tooling).
  • High potential return for the tester: a single web finding often gives direct access to data or internal systems.
  • The learning curve for web application security is lower than for other areas (e.g., exploit development), which makes it a good place to build skills.
  • Many testers see web apps as boring; the talk aims to make the work more engaging by showing how much is missed by checklist-only testing.

The Dunning-Kruger Effect

  • Individuals with limited knowledge tend to overestimate their understanding of web app security.
  • As they learn more, they realise how much more there is to learn.
  • The hidden attack surface (unlinked content, undocumented parameters, third-party components) is where the interesting findings, including zero-days, come from.

Common Vulnerabilities

  • OWASP Top 10: important as a baseline, but not comprehensive.
  • PortSwigger's annual Top 10 Web Hacking Techniques: a better picture of current attack research; example given: server-side (web) cache poisoning.
  • Go beyond the standard vulnerability classes to find the problems that are unique to the application under test.

Tools for Web App Pentesting

  • Burp Suite:
    • The preferred tool for most web pentesters.
    • Features: proxy history, intercepting proxy, site map, active/passive vulnerability scanner, extensions (BApp Store).
    • Community edition is free but limited: no active scanner, and Intruder is throttled.
    • Extensions to consider: ActiveScan++, Backslash Powered Scanner, Param Miner, Turbo Intruder, Software Vulnerability Scanner, Collaborator Everywhere, Autorize.

Methodology Overview

  • Inverted pyramid: the broad, effort-heavy stages at the top feed the narrower ones below.
    1. Content Discovery
    2. Fuzzing
    3. Hypothesis and Test Cases
    4. Business Processes and Logic Flaws
    5. Tools
  • Thorough content discovery matters most: anything not discovered is never tested, so every later stage inherits the gap.
  • Pentesting works best as a team effort rather than a solo exercise.

Content Discovery

  • Objective: find all content and map the full attack surface before testing anything.
  • Hunt for hidden or unlinked content (e.g., admin pages, debug functionality, old API versions, backup files).
  • Built-in crawlers help, but manual discovery is essential: crawlers miss endpoints that are only reachable after specific user actions or that appear only in client-side code.
  • Modern single-page applications (e.g., React, Angular) ship their routes and API calls inside JavaScript bundles; reading those bundles is a primary discovery technique.
  • Tools such as JSParser and CyberChef's "Extract file paths" operation pull endpoints and paths out of JavaScript.
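As an added illustration of the JavaScript-bundle technique above (this is example code written for these notes, not a tool from the talk), the following script pulls absolute paths and URLs out of a bundle with a regular expression, strips query strings to get a deduplicated endpoint list, records the query parameter names it saw, and flags paths containing words that usually mark hidden functionality. The bundle text and the keyword list are constructed for the example; real bundles need the same treatment over every `.js` file the site loads.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of a minified front-end bundle (not from any real application).
SAMPLE_BUNDLE = r"""
!function(){const e="/api/v2/users";fetch(e+"/me",{credentials:"include"});
axios.get('/api/v2/orders?status=open');
const adminRoute={path:"/admin/debug/flags",component:t};
window.location.href="https://cdn.example.invalid/assets/app.js";
const x="not/a/path", y='../relative/thing.json';
}();
"""

# Quoted strings that are either a full http(s) URL or a path starting with "/", "./" or "../".
# Deliberately crude: the point is recall, and a human triages the list afterwards.
_PATH_RE = re.compile(
    r"""["'`]((?:https?://[^"'`\s]+)|(?:\.{0,2}/[A-Za-z0-9_./?=&%-]+))["'`]"""
)

# Path fragments that usually indicate functionality the developers did not mean to expose.
# Assumed list for the example; extend it per target.
INTERESTING = ("admin", "debug", "internal", "test", "staging", "backup")


def extract_paths(js_source: str) -> list[str]:
    """Return every distinct path/URL literal found in the JavaScript source."""
    return sorted({m.group(1) for m in _PATH_RE.finditer(js_source)})


def classify(paths: list[str]) -> dict:
    """Split raw hits into endpoints (query stripped), parameter names, and flagged paths."""
    endpoints, params, interesting = set(), set(), set()
    for raw in paths:
        parts = urlsplit(raw)
        endpoints.add(parts.path)
        params.update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
        if any(word in parts.path.lower() for word in INTERESTING):
            interesting.add(parts.path)
    return {
        "endpoints": sorted(endpoints),
        "params": sorted(params),
        "interesting": sorted(interesting),
    }


if __name__ == "__main__":
    report = classify(extract_paths(SAMPLE_BUNDLE))
    for key, values in report.items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

Feed the resulting endpoint list straight into Burp's site map or a content-discovery wordlist; the parameter names are good seed input for Param Miner, and the flagged paths are the first things to request by hand.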

Fuzzing

  • Manual input testing is needed on top of automated scanning; scanners only know the payloads they ship with.
  • Engage your brain and your knowledge of the stack: work out what a given script or parameter actually does, then test the edge cases that logic implies.
  • Fuzz every byte value (0x00 to 0xFF) into each input and look for anomalies: a different status code, response length, error message or timing compared with the baseline response.

Hypothesis and Test Cases

  • Build test cases from experience: what has gone wrong in similar applications, frameworks and business domains before?
  • Brainstorm with the team and share hypotheses; a second tester will think of attack paths the first did not.

Business Processes and Logic Flaws

  • Look at the application's logic from a business perspective, not only a technical one: what is each flow supposed to prevent, and can that be sidestepped?
  • Typical weak points: multi-step user flows that can be reordered or skipped, race conditions in check-then-act operations (redeeming a voucher, transferring funds), and file upload handling.
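To make the race-condition point concrete, here is an added example (written for these notes, not code from the talk) of the check-then-act pattern behind most "redeem once" logic flaws, with the vulnerable version next to a hardened one and a small harness that fires many concurrent redemptions at once, the way Turbo Intruder's race mode does against a live endpoint. The wallet classes and the delay are constructed; the delay only widens the window that already exists between the check and the update.

```python
import threading
import time


class VulnerableWallet:
    """Constructed: voucher redemption with an unsynchronised check-then-act (TOCTOU)."""

    def __init__(self, balance: int):
        self.balance = balance
        self.redeemed: set[str] = set()

    def redeem(self, code: str, amount: int, slow=lambda: None) -> bool:
        if code in self.redeemed:      # check
            return False
        slow()                         # database round-trip, external call, ... (window)
        self.redeemed.add(code)        # act
        self.balance += amount
        return True


class SafeWallet(VulnerableWallet):
    """Constructed fix: the check and the update happen under one lock.

    In a real system this is a database transaction with a unique constraint
    or SELECT ... FOR UPDATE on the voucher row, not an in-process lock.
    """

    def __init__(self, balance: int):
        super().__init__(balance)
        self._lock = threading.Lock()

    def redeem(self, code: str, amount: int, slow=lambda: None) -> bool:
        with self._lock:
            return super().redeem(code, amount, slow)


def race(wallet: VulnerableWallet, code: str, amount: int, attempts: int = 20) -> int:
    """Release `attempts` redemptions simultaneously and return how many succeeded."""
    barrier = threading.Barrier(attempts)
    results: list[bool] = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()  # all threads start at the same instant
        ok = wallet.redeem(code, amount, slow=lambda: time.sleep(0.05))
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    for cls in (VulnerableWallet, SafeWallet):
        w = cls(balance=100)
        wins = race(w, code="WELCOME10", amount=10)
        print(f"{cls.__name__}: {wins} successful redemptions, balance {w.balance}")
```

Against a real target the equivalent test is the same request sent in a burst (Turbo Intruder, or HTTP/2 single-packet requests in Burp Repeater) followed by a check of the resulting state; a single extra credit, discount or account creation is enough to report the flaw.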

Frameworks and Methodologies

  • Existing frameworks (OWASP Testing Guide and similar) have value as a floor, but treated as a ceiling they produce checklist testing.
  • Suggestion: build a minimum viable pentest methodology of your own from past engagements, and keep extending it with each new finding.

Tools and Techniques

  • Pick tools to match the target technology (e.g., IIS short-name (8.3, tilde) enumeration for IIS, WordPress-specific scanners for WordPress).
  • Collaboration is crucial; keep a shared team repository of useful tools, wordlists and methodology notes.

Conclusion

  • Pentesters should lead with their own knowledge and experience and use tools to scale that, rather than relying on tools alone.
  • Keep learning, and update the methodology after every engagement based on what was found and what was missed.
  • Speaker's contact information for further engagement and networking.

  • Note: Slides and additional resources will be available for attendees.