Transcript for:
Enhancing Web Application Pentesting Skills

All right, hello hello. I've got this talk, Web Application Pentesting Is Not Just Checklists, after I was talking to a friend of mine. He said pentesting is boring because it's all just checklists: going through testing for XPath, SQL injection, HTML injection, just walking through long lists, checklists and so on. That is not my opinion of web application pentesting, so I put together this talk to basically showcase a methodology that helps pentesters find vulnerabilities that are not just checklists: vulnerabilities that are, well, not discovered by anyone before, vulnerabilities that are, say, undefined at the moment. I want pentesters to approach an application from, say, a point of view where you don't need to know about every single vulnerability to be able to test it adequately. I have some ideas that I hope you will find useful.

My name is Chris Dale. I am a principal SANS instructor; I teach for SANS, I've been doing so for 10 years plus, and I'm also the co-founder and CEO of a pentesting company called River Security, where we do all kinds of exciting stuff such as offensive security operation centers, always-on pentesting, attack surface management, and frankly it is great. I have a little list of certifications etc., but in short my primary skill set is incident response, throwing the baddies out again from customers, and also showing customers how they get broken into, in other words pentesting. I have a background in software development, IT operations, security management and also now, well, building a cool company. We are three and a half years old at the moment. I'm in Brussels right now teaching a class in the daytime and I'm doing this extra stuff in the evening for fun, because I love you all, I love the community, I love our industry, and frankly it is really exciting. River Security is 13 people at the moment; we are homegrown, no private equity, no venture capital. It's a great company to work with and tons of great people working with us, so check us out. Anyways, let's begin my presentation.

So, web pentesting. Why this talk? Because, well, to be honest with you, web applications are everywhere. Right now in this room I'm sitting here with my two laptops, there's a projector, there's a webcam and so on, and I bet you that there are more web servers in this room than just my two laptops. There's probably a web app on the projector; I'm sure I can remotely control the projector in some kind of web app, absolutely certain. Maybe even some of the lights in the room have web apps, probably a web app on the heating and ventilation control panel. It is ubiquitous. My laptops have several web applications running right now; VMware, for example, can be remotely controlled or administrated with a web application. So definitively web apps is a great place to be. It has a huge potential in terms of, like, return on value that we can provide to our customers, and the learning curve is not that steep. It is not like, say, reverse engineering or exploit development; it is easier to get into web application security, if you ask my personal opinion. Many people do consider web apps to be boring. I'm going to make it become less boring, I'm going to take sexy back into web apps. They are really awesome when you understand them and when you get into the testing. Also there is a lot of opinions within pentesting, the Dunning-Kruger effect, where people who don't necessarily know that much think they know everything because, well, they don't know that much, and as they start to learn more and more about web apps they realize, wow, how little they really knew. There is a lot of potential inside of web apps: there's lots of hidden attack surface, lots of opportunities to find zero days, CVEs and so on. So this talk hopefully will shed some light that there's more to web apps than what might meet the naked eye. Also it is a great place to be in.

So many of you have heard of the OWASP Top 10, and yeah, we need a pentest, a test for OWASP Top 10, let's test for injection, let's test for this and that and blah blah blah. OWASP Top 10 is great, but it's not a single source of truth. It is the most common vulnerabilities, but that doesn't mean you shouldn't test for something else. In fact PortSwigger, my heroes over at PortSwigger, they created the PortSwigger top 10 attacks. For example number seven: worldwide server-side cache poisoning on all Akamai edge nodes. Wow. Do we understand that technique? Can we employ those techniques against our customers, not just Akamai, but maybe we can learn something from that? What about, for example, psychic signatures in Java, or dirty dancing in sign-in OAuth flows? There's just so much potential in web apps, a lot more than what meets the naked eye, and I hope I will make it engaging and interesting for everybody, basically via a methodology that will help you find interesting use cases. This talk might be a little bit long because I want to walk through our methodology that we use at River Security, shared with you so you can build your own. So let's see what we got here. Click the button, change slide, there we go.

First of all, the tool of choice when testing web apps is going to be a browser and a proxy, a local proxy, an attack proxy that can help you automate, script and find, and help you have control over things. I'm a big fan of Burp Suite. The commercial edition is amazing; it has all the features that I need to make stuff happen. I need to be able to have a proxy log, I need to have the intercepting proxy to be configurable, I need to have a site map, I need to have a vulnerability scanner, I need to have extensions, I need a very detailed log of all of the work and scanning activity that we're doing. Burp Suite is just simply amazing. It supports a lot of the fuzzing requirements that we have; for example I need to fuzz for bytes, I need to fuzz with wordlists and so on. In all, it is amazing. Great spidering support; it has been developed quite a bit over the last few years, where we now support
spidering and crawling, discovering contents on single page applications. It is not perfect yet, but the crawler or spider, as it is in its current state, will do things like clicking on buttons and seeing how the document object model works and changes, and basically help you build out that sitemap. It is a good starting point. So I very much like Burp Suite; you should check it out. If you need a free alternative, there is a Community Edition of Burp that you can use. It is decent; it doesn't have the active scanner, that means vulnerability scanning, it lacks a lot of the extensions that you want to use, it also will be throttled, that means that it will slow down the speed when you fuzz things, but again, it is free. Another free alternative is OWASP ZAP, the Zed Attack Proxy, which kind of looks and feels like Burp Suite. It's nearly there; to me it doesn't just feel right. I have used Burp Suite for so many years I forgot to count, I'm no longer counting, so I just love it. Okay, it's a nice tool. I've also created cheat sheets on Burp Suite, so be sure to check out the cheat sheets to, well, get some information about, say, how you can use Ctrl+R to send to the Repeater so you can quickly repeat requests, Ctrl+I to send it to the Intruder so you can quickly start fuzzing, how we can URL decode, encode, and all kinds of tricks and tips in the bag for you when you're using Burp Suite. So that's a cheat sheet that I got out there.

Some of the most important extensions that I recommend you look at: first, Active Scan++. It will extend your vulnerability scanner with some extra nice-to-have checks. I recommend the Backslash Powered Scanner, which will cause a lot more false positives when you're scanning and doing vulnerability scanning essentially; however, the false positives are things for us to investigate and discover if it's a vulnerability or not. Backslash Powered Scanner looks for transformations of data; it will basically try to automate finding anomalies and discrepancies for you, as such creating more false positives, but really, if you have the skills necessary to do web application pentesting, you should be able to conclude those false positives, and hopefully many of those findings from Backslash Powered Scanner will lead you into interesting paths, potential vulnerabilities, potential questions for your customer and more. We got Param Miner, which is super helpful in discovering what we call unlinked parameters. Say in a URL you have the GET parameters and we want to discover if there's any GET parameters, say like admin=1 or hascredentials=whatever. We want to automate that discovery of unlinked GET parameters, headers and cookies, and Param Miner does a really good job, high performance, in discovering when a parameter makes the web application change, so that it can single out those parameters that are most interesting. Nice-to-have extensions: Turbo Intruder is nice for automating your attacks, testing race conditions and doing large, fast attacks across an application. Lots of potential in the Turbo Intruder; on their GitHub there's also some examples and demos of the Turbo Intruder, so be sure to check that out. We got the Software Vulnerability Scanner, which is nice in terms of finding if there's CVEs, common vulnerabilities and exposures, basically potential vulnerabilities in the software that you have found on the web app, like libraries and so on. We got Collaborator Everywhere, which is used to basically add what we call the Burp Collaborator in all kinds of headers and so on to see if you can make any external server interaction, if you can make this server, or something between you and the server like middleware, cause some kind of callback like a DNS lookup, an HTTP lookup, SMTP, it could be anything, and the Collaborator allows us to, well, find that kind of data. So Collaborator Everywhere adds it everywhere for us so we can use it as part of some of our testing. Then we have Autorize, which essentially allows you to test an application with and without sessions, with or without authorization. So you're logged into the application, you click around, and some of those features that you click around into might be available from an unauthenticated point of view. Autorize helps you automate the testing with and without credentials so that you can get a report that allows you to zoom into the details of, say, missing authorization faster and quicker. There's all sorts of extra extensions as well in Burp Suite; I'm not going to walk through all of these, there is a lot of them. Some are great, some are no longer maintained, some are new and should be checked out, so I recommend that you go into the extension overview in Burp Suite and check out what kind of extensions they have.

Now let's move into the methodology, shall we? So the methodology that I've built together with River Security is an upside-down pyramid. This pyramid contains, from where we spend the most time, more or less, down to where we spend the least amount of time, or where, like, the final parts of the process is, and that's going to be the tools. We start with content discovery, we move into fuzzing, we move into hypotheses and test cases, business processes and logic flaws, and then we might have frameworks that allow us to test for certain things, and finally we got the tools at the end. This methodology is what I will be walking through for us in this YouTube video. I'll walk through what each of these steps mean, I will indicate or help you understand that you might need to go back, I will tell you that you might start running tools in the beginning and that's fine; as long as you don't skip the previous steps, we're going to be okay. I wanted to build this methodology to make sure that the attack surface of the application is thoroughly discovered, so that you leave no stone unturned. You must find every possible entry point to the application, otherwise there could be some super low-hanging fruit available to another hacker that you
failed to find because you didn't do a good job content discovering, for example. I also want to encourage team-based efforts, so that it's not a solo pentest, but instead you work together with your team when you're doing your pentests, and I want to make sure that we have strong knowledge sharing and building of test cases and hypotheses together with the team, so we can make each other stronger during our pentests. Solo pentests: you do that pentest, you do that one, and then, that's me, meet in two weeks and basically start something new. I don't like that approach; I want us to collaborate more. So that's going to be the methodology.

Let's move into content discovery first. The goal is to find absolutely everything. We cannot allow ourselves to have scripts or functionality that we just missed out on, that we didn't find. We need to ensure that we map all browsable attack surface, that we find as much unlinked content, say hidden scripts and input parameters and so on, as possible, and basically do this for each different part of the application. Imagine that an application has different platforms: when you access the application from one point of view you will see that it runs on this kind of stack, like a middleware, and when you access it from another point of view you might be reaching into other parts of the application or a different stack. I'm going to zoom into that here in a second. So find as much attack surface as possible, and what you might discover is that the vulnerabilities that are the most juicy, the most interesting, are the ones where the path is least traveled: those places that nobody else managed to find, those places that have some old debug functionality, some admin functionality that hasn't been maintained or updated in forever. Those are the really interesting places where you could strike gold, essentially.

So let's take a look at platform distinctions first. An application has different users going into it, and maybe you access the application via some kind of middleware solution here, some reverse proxy, a load balancer or something like that, or maybe you have a server that has different deployments, or it hosts an application that has a widely different application code base based on where you navigate in the application. You want to discover such distinctions, because you need to repeat parts of the model based on what part of the application you're hitting. Say, maybe, if you go to /users with some GET parameter, for example, you might be sent to one part of the application that is responsible for the user behaviour, but if you go to the / of the application, or /help, you are actually sent to another part of the application. So in such cases it becomes important for us to ensure that we do thorough testing on each platform distinction, not only just scripts and endpoints and so on, but we need to do things like guessing of folders and directories and files, guessing parameters and so on, for each platform distinction.

So what we do first during our content discovery is we have an objective to map everything. We want to browse the entire application; we want to click, use, discover as much as we can find by just using the application, and perhaps equally important, to learn what this application does: what is the meaning behind these functions that I'm using and clicking through? When we do all of this work you will see that we will find a site map, or we will build a site map, that allows you to have an overview of, say, your progress in the pentesting and also an overview of the functionality that exists. The Burp Suite crawler is pretty good, it has been upgraded as I said, it will help you build the site map, but don't solely rely on the crawler, okay? The spidering or crawling feature of your attack proxy, your Burp Suite and so on, is a complement or supplement to your process. You need to also do manual content discovery based on how you know the target, based on what features you believe it to be exposing and so on. We need to apply intelligence to the content discovery.

You will also find that modern applications have a lot of JavaScript, lots of references to, well, things that could hold more functionality. So when we have JavaScript, say for example in a single page application, Angular, React, Next.js etc., for those JavaScripts, first of all you should understand how they're used. Say in a Next.js application there's a lot of JavaScript which is for the framework and for, basically, you using Next, but some parts of the JavaScript is actually for the application, which has been coded by your developers. For those JavaScripts we should make sure that we extract all file paths and references, perhaps even study it a little bit to make sure, do we understand what's going on here, and to make sure that we grab all of those API paths and files and endpoints and so on that this JavaScript could be referencing. It's a way to help build out the site map. So there's a couple of tools that you can use: we have for example JSParser on GitHub, you got plugins like GAP, but to be honest with you I'm a big fan of CyberChef, and CyberChef has an Extract file paths module which is pretty good, so you could beautify the JavaScript and then you can extract file paths, and you can scroll through it and make sure that you leave no stone unturned.

Then we are going to continue with our content discovery methodology or process. We want to find unlinked content, so we want to make sure that we take, say, every function and verb and see if we can find more functionality inside of an endpoint. So we have, say for example, action=showUser and an id=123. In this case we have a function that we can fuzz, the action; we got the id we can fuzz and see if we can discover more; and we also have a verb we can fuzz, showUser. If there is a showUser, well, who knows, maybe there's an addUser, deleteUser, hideUser. You don't know necessarily until you have tried,
especially when we're typically coming from a zero-knowledge type of point of view. If you have access to the source code, good for you, that will help you. You should also consider using wordlists to help you discover more, say, verbs and functionality in the application. There is a lot of built-in wordlists in Burp Suite that will give you a solid starting point; the ones that I like to use are called server-side variable names, form field values and form field names. You add all of those wordlists in your little Intruder tool, for example, you click de-duplicate, and now you have several thousand words that could give you some solid indicators if there's more functionality or not. Also we should use and create wordlists based on what we learn about the target. A wordlist will be a list of possible words, possible things that represent this company; those kinds of wordlists are really useful to help us, well, build more targeted wordlists that could find more content and functionality for us. Say for example we have a website which does something with PDFs, right, PDF files, or zip files, or whatever, heating and ventilation, it doesn't matter, whatever concept this website is all about. Think about that for a second and see if you might be able to build a wordlist on it. In this case I am running basically grep on a huge repository of tons and tons of wordlists that my company have built, that we found online and so on, that we're using and managing. I'm using grep, I'm saying, hey, I want to look for anything that, say, starts with pdf and has any characters following, right? I go through all my wordlists and I want to have any word mentioning anything with pdf, just because you never know, there could be some interesting words in many of those wordlists. So that's a way to, well, rapidly generate a new wordlist on the fly.

Here is an example where we're looking through, so, fuzzing verbs. We're looking through an application trying to see if we can find more functionality, and we have a little URL that indicates a GET parameter page=872. All right, I wonder what happens if I fuzz that parameter. So if there's page, maybe there's something called querypage, steppage, searchpage, who knows, we don't know until we try. So in this case we are basically using the Burp Intruder to go through the website rivers. and we're fuzzing the keyword before page: we are trying everything before page, and just like that, when we put in debugpage, we get a different content length than the others, and that could mean that, hey, there is such a feature called debugpage that could give us relevant information as pentesters.

There's also, built into Burp Suite and many other open source tools, content discovery. So instead of doing all of this yourselves you can rely, no, sorry, not rely, you can support yourself with automation, and the content discovery feature of Burp Suite is decent. What you will do is you will right-click on the platform distinction, whether it's the / or whether it's the /help or /admin, whatever, you right-click, go Content discovery, and you can then say: I want to discover files and directories, I want to recurse a certain level down (consider taking this default value down from 16 to maybe two or three), and then you want to say, I want to use the built-in wordlist that is in Burp Suite, you would want to use your own custom wordlists on the left here, and also you want to base it on names observed on the target site and derivations based on discovered items. You want to see if you can find more stuff based on those items; this is extremely useful. Also what Burp will do is it will take anything that you found and see, say for example if I have admin.php or something like that, well, is there an admin.sql, admin.zip, admin.bak and so on. So we got these extra options that will help us test for more stuff in an automated fashion, and most of the time you won't find nothing, but what if you did? And many times we do. So you find something, for example, called .csproj, all of a sudden you have a Visual Studio project on your hands; the developers deployed the application, forgot to clean out the project files, for example, that could give you extremely valuable data. So these are just good advice and ideas.

We should also remember that we can cheat. If we can cheat, we should; we are working for our customer, trying to provide the highest value possible. So for example, if our customer has Swagger documentation or OpenAPI specifications, we should ask for such specifications, meaning that the developers and organization are basically handing us a recipe of every function, every endpoint, every input parameter that they expect the users to submit; it will describe their API, for example, so you don't have to guess as much. We should still keep on guessing with our content discovery procedures, but if the developers have this documentation, in my honest opinion they should hand it to you so we can jump-start our processes and make sure we don't miss out on anything. It's all around a good idea. And down here we have an example Swagger JSON file that allows us to see that, hey, there's something called pet, it accepts POST, PUT and GET, and the GET parameter here, the GET method, sorry, takes in a findByStatus; we can put in a pet identifier on this one. All of this is extremely useful for us as pentesters, so we can make sure that all of the functionality is thoroughly tested.

In terms of finding unlinked parameters, we should try, for every platform distinction, to see if we can find more parameters that are not intended, or not necessarily documented or referenced or linked by the application. So we should try GET, POST, cookies and headers. We might find that there are headers that could bypass authentication and
so on. We might find more attack surface; if we don't do this we could be missing out. That's why we like to go in and see what more we can find. We love the tool, or the extension, Param Miner; in fact we tend to love anything written by James Kettle, or albinowax on Twitter. Anything he builds for Burp Suite (he also works for Burp Suite, however) anything he builds seems to be of high relevance and high value. So in this case we're using Param Miner, the extension, to help us out discovering more parameters, and in this case, for River Security, the website of my company, we found multiple secret inputs in the URLs and in the headers. So based on this finding you can see that when we give it the X-Requested-With header we have a different number of words, we have a different number of scripts, we have a different content length than if we tried the header X-Requested-With with a random string. That means that this X-Requested-With has some impact on the application; it has a function. When you provide that header, something happens, meaning, heck, we need to test it, we need to figure out if there are vulnerabilities in it. All right, good.

There's also other cool things we can do during content discovery. Before we move into fuzzing I want to give a shout-out to some things we could do. We could go to archive.org and we can look at the, well, their archive of the internet and look at what a website looked like in the old days. Here we are looking at the sans.org website back in 2001. Why would we do this? Well, maybe some of this functionality, maybe some of the old stuff, is still enabled on the website, old scripts, old content. It could be. So the website has been through many iterations since then, but it could be that some of the older stuff is still available, and that old stuff, well, it could have vulnerabilities, naturally. We're not going to be able to go through the entire archive.org for a domain and fetch out every single endpoint; that's why we automate and we use scripts like waybackurls, that will produce a list of all the endpoints that you could find on archive.org, and waybackrobots.py, which goes through the robots.txt file and gives you more endpoints that you can automate with the Intruder to see, does this stuff still exist on the website? You could get lucky.

All right, next up we have fuzzing. So content discovery, very important, and there are more things to talk about in terms of content discovery, but I mean, we only got about an hour for this talk. Okay, fuzzing. We want to make sure that we can discover vulnerabilities not just by scanning it with a vulnerability scanner, but we can actually discover what there is to find from pentest knowledge, not just some automation that somebody else built. So for every script and input we should send that script and input, meaning GET parameters, POST parameters, so on, to the Repeater and keep clicking Ctrl+Space and keep sending those messages after you change certain names and variables and values and so on. Explore the script, see what you can learn, what does this script intend to do, so that when you start to hack it you have some ideas how it's meant to behave and how it currently is behaving when you give it special characters and attacks from wordlists and so on. Once you have done this you then move into the fuzzing phase. You take the input and you should at minimum fuzz every single character from 0x00, that means byte 0x00, all the way up to byte 0xFF. So you need to go through, how does the application or the input work when I give it an A, a nine, a null byte, a carriage return, a semicolon, a tick, a double quote, parentheses. We go through 256 characters just to make sure: what happens when I give it something different? This fuzzing in Intruder gives you a nice little overview and some interesting feedback if data sanitization is in play, or if the application just behaves erratically or differently, anomalous behaviour, when you give it certain special characters. This is quite valuable, because if we find any anomalies it means that you can now go ahead and explore, say, certain classes of vulnerabilities, or see if you can build on that attack. Maybe you find that, say, a tick makes the application redirect you back to login, or a double quote or something like that. Your job is to ask, huh, why? What's going on here? I didn't get an error message from the database or nothing, I just got a redirect. So you go back to the script with your fuzzing, you take those interesting characters and you fuzz again: maybe use a wordlist, maybe use the vulnerability scanner, or maybe fuzz again every byte 0x00 to 0xFF, see what happens when you give it a tick and then maybe a semicolon, dash dash, who knows, you might be onto something here. So we're trying to engage the pentester's brain and intelligence into trying to solve actual problems instead of willy-nilly trying to run some scanner. So you find some anomalous responses, that's when you use scanners and tools and so on, or sorry, when you find some anomalous responses you continue, excuse me, into building hypotheses, implement some attacks. If you cannot figure it out, if you cannot understand why the single tick, why the double quote, why whatever characters are producing anomalous responses, you engage your team, you ask somebody else, maybe somebody with more experience: hey Chris, why does the application behave so weird when I give it these characters? Something's up, some vulnerability and so on. That is pretty useful, and the process has been lined up on my left side here, or maybe it's your right side, but anyways, on the side of the slide here you will see that I've lined up the process on how to think about going about doing such things. When you fuzz the bytes, what you do is really you set up a fuzzer or an entry point, you define the input to be numbers from 0x00 to 0xFF, you prefix with a percentage so it becomes URL-encoded. That URL encoding will make sure that your data passes through the middleware and lands inside of
the application okay so that you you don't necessarily send a null bite because you might break something in between but you want the null bite to be encoded so that it lands in the actual application you're testing if you add a URL decode on the data which you can do in the payload processing part of burp suit if you add a URL decoder you will notice that hey you are now not necessar targeting just application you are also targeting things in between you and application maybe a load balancer a reverse proxy web application firewall there could be interesting stuff there as well so if it's in scope be my guest test all you want it is typically quite interesting and you will see that stuff on the network behaves weird when it receives certain characters like line feeds and so on all right I think we covered this slide for now uh important thing is when you're done with an endpoint or when you're done with say the application say what's your name is the application my name is input Chris so my name equals Chris right I fuss it and I don't find anything you should not just fuss it you should also fuss it with bicep I mean not just fuss it with Bice you should also use a word list based on your experience or based on the target type based on what the application does and also you should send that specific input what's my name name equals Chris that input should be sent to a vulnerability scanner to help you conclude to to support you so that just in case you missed out on something the vulnerability scanner gives you a second chance and if the reability scanner finds something we need to go back to our methodology and make sure that the next time we test we are able to find that vulnerability that we we are able to find what automation could find right we don't want to rely on just a scanner we want to make sure that the pentester has the tools and steps necessary to find such things on their own not relying on somebody else's scanner I hope that makes sense because 
it's quite important here are two examples so I've lined up some burp suit flow up here you set your payload positions you select the attack type and you got some cool sounding attack types in burp suit for example you got the sniper attack woo and what the sniper attack is really you go through one payload for all of the target position so say a word list or an attack for every position that you have defined you have the clustering bomb which means that you can Define multiple payloads and for each payload go through the rest of the payloads like a for Loop nested fur Loop so a four inside of a four nested four Loops is what the cluster bomb does we have the pitch work which allows you to Define multiple payload positions and multiple payloads and it will go through each one well each payload for each position at the same time so it's kind of like a pitchwood all of your payloads the the pitch workor has many different use cases but I will not talk about that in this talk I would rather do a dedicated talk on the burp suit and so on because there are certain examples with crust scripting and other things where this can become quite useful to test and then we have the battering ram which just simply takes a payad and ramps it into every position that you have defined so let's see here we have an example I have an application that when I send a request to it for something that shouldn't exist ASDF ASX the application replies with internal server error 500 is that what you expected for sure it wasn't what I expected I expected to see a 404 page not found anything that I put in the get up here anything that I triy to look up with an aspx extension just fell on his face crashed and burned 500 internal server error I wonder why that's the questions we need to ask what's up with that you know could there be a vulnerability here who knows we got a fuss we got a test so I Define my payload Precision inside of ASDF ASX maybe in front maybe in the back it's up to you so I 
have my Intruder, my fuzzer, I define the payload and I fuzz every byte from 00 all the way down to FF, like this. And I notice that some of the inputs that I give the script, or that I make the web server look up, %25, %26, down through the rest here, when I give it such inputs the application, well, behaves differently. I get a different content length: rather than 2325 number of characters coming back, number of bytes, I only get 2179. Again the question is why. Let's take a look at those URL encoded bytes. %25 for example, what is %25? That's a percentage; when you decode it, it is a percentage sign. %26, %2A a star, %3A a colon, greater than, question mark, less than, and a plus. Those characters make the web server behave differently. Hmm, well, let's build out some hypotheses and try to understand why. If you cannot on your own, engage your team members, right? The percentage and the ampersand, the question mark and the plus all belong to URL parsing, so how a URL is defined: the percentage has to do with URL encoding, the ampersand is to delimit GET parameters, the question mark is to indicate that now is the beginning of input to the application, GET parameters and so on, and the plus represents a space. So maybe those are okay, but what about the others, huh? A star typically represents a wildcard when we're talking about file handling, and that's what we're looking at here, right? We're looking for a file so the web server can run content on it. asdf.aspx did not exist, but the star, well, it returns different behavior. Interesting, considering it has to do with files. The colon on NTFS, which this server is running off (it's a Windows server so it's likely going to be NTFS), the colon represents alternate data streams, which means that a file can have other files inside of it. Check it out, it's a pretty cool feature of NTFS and ReFS, the Resilient File System. Anyways, that's cool. The greater than and the less than symbol indicate redirect operators, where we can redirect into files or from files and so on. So all of these inputs
have something to do with files, hence we need to employ tactics and techniques that help us find file based vulnerabilities. You engage your team, you engage your word list, you engage your scanner and so on, and you look to see if I can maybe read a local file from the system, maybe you can read remote files from the internet, maybe you can put things into other files, maybe you can read, say, the web.config file. Who knows, we need to explore here.

I have another example. We're fuzzing for bytes 00 to FF, and one of these bytes, well, causes a significantly different reply, not on the status code, not on the time it took for the request, but again on the bytes. Most of the other bytes return 1101; this one here returns 1263. So you inspect the one with 1263: when you give it a backslash, all of a sudden the server says, huh, "Warning: mysql_num_rows() expects parameter 1 to be a result", and it was given a boolean. Strange. We broke SQL, meaning we have most likely SQL injection in this case, and this is in fact SQL injection, because it's from a CTF, an online war game called overthewire.org, that is overthewire.org, and it has a large collection of war games. One of them is called Natas, and it's all about web application security. I totally recommend it.

So let's see. Why is this camera not following me anymore? What's up with the camera? Hey, don't chase my shadow, see my hand and follow me please. These cameras are stupid, they embed all this AI automation and scripts to track me as I'm moving around, but I like to teach with my hands, so all of a sudden the camera gets a signal from my hands that says stop tracking. Sorry about that. Anyways, I hope this makes sense to you, and when you do this kind of fuzzing, very thorough kind of fuzzing, you will notice that there are a lot of rabbit holes, and rabbit holes will take up a lot of your time. I will cover rabbit holes soon, but when you deal with rabbit holes and so on, try to think of Occam's razor principle: among competing hypotheses, the one with the fewest assumptions is often correct. The simple solution is often the correct solution. So while you might be deep inside of a rabbit hole trying to find some kind of super interesting zero day, something super interesting that nobody has known about before, it could just be a simple explanation to the problem, so always explore those things first. Cool.

All right, in order to avoid rabbit holes there are some tricks. So what is a rabbit hole? First, it is something of interest, ooh shiny, this could be a super interesting vulnerability, except in order to research it, it's going to take a long time and it could be a dead end. It's going to be hard to research the vulnerability or the potential exploit condition. So to avoid rabbit holes but still be able to conclude them, what you should do is, in my opinion anyways, take a note of the rabbit hole, let your team members help you on a rabbit hole while you prioritize width and make sure that you cover a solid baseline of testing on all of the endpoints and inputs, and then if and when you have time you go deep into the rabbit holes and you exhaust all of them, making sure that
there are no potential exploit conditions left, and that might require a team effort. Okay, also we should structure our work scope. When you're working on a web application you should consider splitting up each platform distinction between multiple team members, so that you can work together on a pentest. All right, you take the /sell, I'll take the /all-other-things, for example, and consider how much duration you have on the engagement, how many hours you have spent on the engagement, and how much time you can spend exploring those rabbit holes without it being a loss for your company. Ideally you would explore all of the rabbit holes, exhaust them completely, but as you know our companies also need to make money, so we can't necessarily spend two months researching something that looks interesting but could just end up not being that valuable. My two cents on that topic.

In terms of using word lists, this is rather important: you should be collecting word lists. There's a bunch of them online that you can go look at, SecLists for example on github.com, Daniel Miessler's SecLists, lots of great word lists. Download them, and guess what, open them and study them a little bit. What does this word list try to do? What kind of a string is this? Why does this try to attack a command injection? Try to build up some knowledge. I would also note that Assetnote, see what I did there, they also have a wordlist.assetnote.io subdomain containing a large list of automatically generated word lists based on technology and many other things. They are a great help.

Now the word lists that we generate in River Security, we make sure that we understand them, and also that we flag them based on what type of data they contain. In fact we have these PH and UE identifiers on the word lists, where PH means that this word list expects, or it has, a placeholder. Maybe the word list needs a domain, like an external server interaction type of domain, maybe it needs some kind of IP address or something. That is indicated with the PH argument, so that you can open up the word list before you use it and make sure that you replace the placeholder with actual values that will make the word list work. And then we have the keyword UE, which indicates if the word list is already URL encoded or not. And based on your fuzzing results you will select your word list based on that: what did the fuzzing tell you, what are the likely scenarios, and so on. Of course you could paint the application with every single word in every single word list, but that will take up a lot of bandwidth, time and effort, so typically we want to single down our word list to what we believe might have the most impact.

Here's an example where we have placeholders and we use the Burp Collaborator to... where's the camera going? All right, I think we're good. I'm just going to double check the stream here to make sure that it is actually good. Yeah, it's following me, it's okay. I guess you can see me, it's a bit dark in the room, but I wanted you to see the slides as well. Slides will be online as well after this talk. But many of the word lists, as I said, will require some kind of external server interaction, for example, so we want to replace the word list with a Burp Collaborator or, if you want to use a free version, interact.sh, so that we can see if a word list makes the target behave differently: say all of a sudden it makes a DNS request to us, makes an HTTP request. All of that stuff we must measure, and Burp Collaborator is a tool that will listen for callbacks, listen for that external server interaction. So we go through the word list, we use the string replace feature of Burp Suite and we replace it with our unique URL, like you can see in the screenshot here. We have found that our host name, this random string that Burp has given us, received DNS requests from these IP addresses, and then subsequently they received HTTP requests from these IP addresses. What should you do then? Well, you should feed them some content, right? If they're making an automated HTTP request to you, what happens if you feed them cross-site scripting bytes of all kinds of sorts and so on? It is a super interesting avenue to explore for penetration testers.

You should also know how to build good word lists, because you will not be able to just download word lists from everybody else; you need to build your own in many cases. So a friend of mine from outside of Bergen, where I live, Roy Solberg, he has created a tool called CeWLeR, based on digininja's, Robin Wood's, tool CeWL. CeWL is a Ruby script that generates word lists; CeWLeR is a Python script that generates word lists, and in my honest opinion CeWLeR is a bit more up to date and better, if you ask me. There are also extensions like the GAP extension for Burp Suite and so on that will help you build word lists based on your target. There are word lists like the htb diso entries for the Cisco top million, there are URL shortener brute forcing results that you can look into, wikis are a great source for building word lists, so I've got some scripts on GitHub that will take in data and produce word lists based on them. But say for example I've noticed that my target is very obsessed with Disney characters or The Flintstones or asteroids, bacteria, whatever it might be, I've got word lists for such cases
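The PH (placeholder) and UE (already URL-encoded) tagging of word lists described above, together with building a list from target text, as an added example that is not River Security's tooling, nor CeWLeR's or GAP's code. The `{{NAME}}` token syntax, the function names and the sample entries and page text are assumptions made for this illustration.

```python
"""Word-list hygiene helpers, an added illustration of the PH (placeholder)
and UE (URL-encoded) tags described in the talk, plus building a list from
target text. Names, the {{NAME}} token syntax and the sample data are
assumptions, not River Security's tooling."""
import re
from urllib.parse import quote

# Hypothetical placeholder syntax a PH-tagged list could carry, e.g. {{COLLAB}}.
PLACEHOLDER_RE = re.compile(r"\{\{(\w+)\}\}")


def fill_placeholders(entries, values):
    """Substitute every {{NAME}} token from `values`.

    Refuses to return a list with an unfilled token, so a PH-tagged list is
    never fired at a target with a dangling placeholder still in it.
    """
    missing = set()

    def sub(match):
        name = match.group(1)
        if name not in values:
            missing.add(name)
            return match.group(0)
        return values[name]

    filled = [PLACEHOLDER_RE.sub(sub, entry) for entry in entries]
    if missing:
        raise KeyError(f"placeholders without a value: {sorted(missing)}")
    return filled


def url_encode_if_needed(entries, already_encoded):
    """UE tag semantics: encode only lists that are not already encoded,
    otherwise '%' would become '%25' and the payloads double-encoded."""
    if already_encoded:
        return list(entries)
    return [quote(entry, safe="") for entry in entries]


def build_wordlist(text, prefix=""):
    """Equivalent of grep <prefix> | tr A-Z a-z | sort -u over target text:
    tokenise, lowercase, keep tokens with the prefix, return sorted unique."""
    tokens = re.findall(r"[A-Za-z0-9_-]+", text)
    lowered = {tok.lower() for tok in tokens}
    return sorted(tok for tok in lowered if tok.startswith(prefix))


# Constructed sample PH-tagged list: callback probes that need a host we own.
SAMPLE_PH_LIST = ["http://{{COLLAB}}/probe", "//{{COLLAB}}/", "{{COLLAB}}"]
# Constructed sample page text for the grep/tr/sort pipeline.
SAMPLE_TEXT = "Call API-Users then api-orders; /api-orders/1 and Api-Users are the same."


def prepare_sample(collab_host):
    """Fill the collaborator placeholder, then URL-encode the entries."""
    filled = fill_placeholders(SAMPLE_PH_LIST, {"COLLAB": collab_host})
    return url_encode_if_needed(filled, already_encoded=False)
```

The KeyError on a missing placeholder is the point of the PH tag: a list that still contains `{{COLLAB}}` when it reaches Intruder produces no callbacks and gives a false sense of coverage, so the helper fails loudly instead.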
and I will build those word lists for languages, for specific domains within a country, like Norwegian soccer teams, municipalities and so on. These are all word lists that are quite useful. And when I'm building these word lists, so here's GAP up here, the plugin up here, it will try to do it automatically for you. It's decent, I had some problems with it, but it's decent. What I like to do is I like to use the Linux command line. So I am on Windows, but I just type bash and, via WSL, the Windows Subsystem for Linux, boom, I'm on Linux, beautiful. I will grep for, say, anything starting with api-, I will convert every uppercase character to lowercase, I will sort and unique it, and then redirect that output into a new word list for api-, for example, and so on. So that is what I like to do.

Now there are also plugins that will help you scan, and these plugins we talked about, but essentially after we are done with our fuzzing, when we have defined input parameters for our fuzzing, when we're done fuzzing them, we should also send them to the vulnerability scanner, right? Make sure that those input parameters get that second opinion, so that we can hedge our bets to make sure that this application is safe. And we talked about this quite a bit already, but if the scanner finds stuff that you didn't find via your methodology, reconsider training, reconsider methodology, reconsider your process, so the next time you can find them without relying too much on automation.

Another thing we do in our fuzzing before we move into the next part is reviewing our logs. So the logger within Burp Suite, the native logger, is now pretty good. Okay, I used to use an extension called Logger++, but as Burp Suite is improving, the logger built in now is rather good. So once we are done with a script, we fuzzed it with hundreds of thousands of requests potentially, what we then like to do is go into the logger, sort by status code, and at the very least filter on 500 error messages. Why did the application reply with these
500 error messages when I scanned it with the vulnerability scanner? So I will see what the scanner is doing, I will see the parameters that the scanner sent in and so on, and my job is to interpret why those inputs cause the application to crash on its face and provide an error. And sometimes, as you step through all the 500s, you find something interesting and you go like, ah, looks like this input caused something interesting to happen, a crash, an error or something, and you can maybe then take that input and build on it, change it and see what else you can find. Once we're done with the script I right-click and I wipe out the logs, so I now have a fresh log for the next script that I'm going to start with. And that is, rather quickly, walking through the fuzzing methodology, or the fuzzing part of the methodology, and yes, we could spend hours talking about it, it is more in-depth and detailed, but hopefully this gives you the right idea as to how pentesters can start to provide higher value in their pentest engagements.

Next step is hypotheses and test cases. So hypotheses are important for the pentesters to consider. They should look at the application and ask themselves, hmm, based on my experience, based on the application, what could be plausible attacks in this application? For example, maybe the application allows me to reset someone else's password, right? I have a password reset form. All right, if I have a password reset form, I mean, fuzz it by all means, scan it by all means, but you need to apply your knowledge and experience to ask yourselves: maybe I can redirect the password email somehow, the password reset email. I've done that before, yeah, host header poisoning: I managed to send in a host header belonging to a domain that I control, and when I sent a password reset email for somebody else's user I received that email, hijacking accounts essentially. Maybe the password reset email doesn't have high enough randomness or entropy, maybe we could guess other people's codes to the password reset
process, for example. Maybe we can predict some values, or "values" as it says on the slide, a typo for "predictable values". Who knows. Maybe this application here that you're targeting, you suspect that the input that you give it is being passed down to other applications. Maybe it's written to some database and then read by somebody else. Well, maybe that means that you need to do extensive cross-site scripting testing. Maybe you're allowed to put JavaScript somewhere, and as long as that JavaScript makes an external server interaction with your machine somewhere else, you can learn that my JavaScript would actually, well, run somewhere else at a later time. That could very well be, maybe, in a logging application or something like that: your data, your attacks get logged, the admin logs onto the logger two days later, clicks the logs, boom, sees your JavaScript, executes it, and hey, you won. Maybe there are delays when you do certain actions. All of a sudden when you click the button the application just loads for a couple of extra seconds. Your job is to ask, hmm, why? Wonder what's going on here. Do they do any, like, side requests? Do they do any processes on an operating system? Why did it take so much longer? And then you try to build out test cases that will help you test more scenarios. Maybe there is a state machine within the application, which most applications do have, state. Could we influence the state somehow with race conditions? James Kettle again has just recently, at Black Hat and DEF CON, announced some really awesome research in terms of race conditions. They have updated Burp Suite to enable better and quicker testing of race conditions and so on. So that is just some examples of things we should test. But, really important, don't do this just on your own. Piggyback on your team. Set yourself up with a five minute standup meeting, say hey, I've got this application, it does this, so and so and so, I have these bytes that are interesting, I have these interesting functions over
here and here, and anybody got some clever ideas? Anything we can do together to make sure that we can properly understand the vulnerabilities of this application? So utilize your team, make sure that you can work together, and try to properly work out the hypotheses, explain them well, and if you can't do it on your own, use the team. So, sourcing rabbit holes to your team members, also, we talked about, and essentially ask for help; that's what I really, really want to stress here.

Then we're moving into our final parts of this presentation: business process and logic flaws. All right, business processes. Let's take a look at the logic of the application. What is it doing? What's the purpose of this application? Can we maybe make it break from a logical or business perspective, right? Think about it not just from a technical perspective, but what does this application really do? So maybe we can produce some test cases, like maybe we can break into other tenants by, say, abusing some kind of feature, some kind of function. Maybe we can find process flow breaks. If we say maybe we need to go through step one, step two, step three to buy a product from the web application, maybe we can put something in our cart, update the cart, maybe we can check out, add our payment details and so on. Well, what happens if you update the cart, remove the cart, go to payment, go back to the cart, add something? Does something break? Does it work? Maybe you add things to your cart, you add one item to the cart, you go to the checkout, but then you ought to add, maybe in a race condition, 100 items to your cart at the same time you do a checkout. Does that allow you to pay for one item but receive 100 items? Such questions are important to ask ourselves and see, can we test for them? Maybe if there are files being uploaded, maybe these files can contain malware. Is there any anti-malware on the server? Will they allow you to upload, say, an EICAR file? Will you be able to upload PowerShell scripts, source code? Can you overwrite the target web
server's web.config file, or any, say, config file? All of a sudden you might have an opportunity to hijack the entire server, and it's important for us to, well, take a bird's eye perspective on the application and consider such scenarios before we end our engagements.

Here's also a quickie on authentication, because very often we need to do the test as just a regular user, or in some cases also unauthenticated, right? But you know there is an admin account somewhere, and they don't necessarily want you to use the admin user when you pentest the application, because the admin has all kinds of features that are just inherently insecure. Maybe you can write stuff to the website and, whoops, there's a cross-site scripting exploit. Maybe you can, say, change files; say on WordPress you can add and edit PHP files, so that's like an instant remote code execution. So they don't necessarily give you the admin account, you get a normal account. But what I do every time for my customers is that I tell them: hey, I will pentest as a normal user, but I want you to give me an admin account so that I can do content discovery, crawling and spidering. I need to map out everything, all the features. So as an admin I can find most of the features, and I can then test all of those features as a less privileged user and also from an unauthenticated point of view. That is extremely useful, because what if there's a privilege escalation vulnerability? What if there's broken object level, broken function level authorization, or weaknesses in the application? What if some parts of the admin panel can be accessed without any credentials? Well, you need to know that those features exist first of all. That's why we map from admin, we test from regular user, and also make sure that all the endpoints and functions are not accessible from an unauthenticated point of view. If they are, make sure that you test them thoroughly.

So there are also some good ideas on making flowcharts. Essentially draw.io or diagrams.net are free applications that allow you to draw out flowcharts like these, for example mapping out the flow of, say, authentication or behavior or process of the application. It is extremely useful for you to get a better grasp on how to attack this application. So there are lots of flows that, when you put them on a flowchart or inside of a little diagram, you can much more easily realize where the different test cases are, the different hypotheses that you should explore: say purchasing flows, authentication, verification, privilege escalation flows, password reset flows. These things are so much easier to understand when we map them out.

Then we have frameworks, and this is rather interesting. There are a lot of frameworks out there, many of which, I'm sorry to say, suck. They are old, no longer updated. They started out as a great idea; however, they should not be used for pentesting web applications, because they are horrible. Many of them try to conclude you need to test all these things, all of this stuff: SQL injection, test for command injection, test for local file inclusion, test for server-side request forgery, and they don't allow the pentester to test outside of, say, vulnerabilities you don't necessarily know about. So frameworks can be challenging if you use them not as a guide but follow them step by step. However, frameworks can be useful when they are a supplement to your pentest methodology, and there are different frameworks out there, and the framework that I will talk about is... so I want to do first an honorable mention to OWASP and the Application Security Verification Standard guidelines. Those are really good for pentesters to study, and some customers will ask you, hey, we need an ASVS, an application security verification test on, say, level one or level two on our application, and you will support them in doing so. Sure, ticking checkboxes, that's not bad, it is not really the worst, but it is not enough. What we do at River Security is that we have what we call minimum viable pentest methodologies. So
for any technology that we test, say if it's a 403 or a 401, 403 unauthorized header we get back, so we're not authenticated, we have a methodology for that. For APIs we have a methodology for that. For ASP.NET, for web application firewall evasion, we have a methodology for that. Auth0 authentication for web applications, proprietary technology, generic functionality: we document, and document based on the experience we build, and the minimum viable methodologies here, these MVPs, are essentially this is the absolute minimum you need to do when you're testing the application, based on previous experience. That way we don't always have to start fresh on Google, Stack Overflow, HackTricks, XYZ and so on. We can start with knowledge that we have built ourselves. Say testing WordPress, right? You've got to do a pentest on WordPress. Is it really useful for you to test the WordPress engine, the source code of WordPress that runs the entire blog? Hopefully Automattic, the people behind WordPress, do their own pentesting, and hopefully there are tons of other eyes on the project, so the vulnerabilities in the core are being vetted and found over time. All right, I don't think your customer wants to spend a lot of money on you testing tens of thousands of lines of code of the WordPress engine. Yes, I have found WordPress engine vulnerabilities before, it's not like they don't exist, I've had bug bounty payouts from Automattic on WordPress. Regardless, that is most likely out of scope. What would an MVP describe, though? An MVP would describe that on WordPress it is imperative that you check plugins and extensions to WordPress. You must enumerate themes and plugins so that you can test and see if they are vulnerable, weak and so on. The moment WordPress contains custom functionality we start to drool a little bit and it goes, whoa, super interesting, you know. Also we need to engage with the WordPress API, we need to ask for all media file uploads, we need to ask for all users that are on the system, and we need to
thoroughly explore the WordPress. That's what we would define in such an MVP. These are the steps that, based on our previous experience, we require every other pentester to do. This is very useful, because say for example I did an SAP pentest, SAP, and I document the MVP based on my knowledge, what I've learned, my research and so on. By deploying technology before I go on a pentest I can research from a crystal box perspective. Maybe I can run some Docker containers, some virtualization, I can experiment, build up some attack techniques, I document that, so next time we have an SAP pentest I don't necessarily have to do it. My co-workers can do it, probably just as well as I did, because they can learn from what I did and they can do it on their own with their own knowledge and own experience. Okay, so it's a nice way to share information and so on with the team. We want to make the pentesters accountable to at least check the things that need to be checked on that specific tech, and also ask the team to help build out such MVPs when they are not already built. Ideally we would want to have a day or two before we work on a pentest to carefully look at their technology and set up the stacks ourselves, so we can build an MVP before we start pentesting on something that we don't know.

Some other things to consider, so sorry, this is also in regards of the MVPs. We've got technology specific and application specific MVPs, so we want to make sure that we test the entire stack. We want to test the middleware, we want to test the web server. Most of the time we're concerned about testing the managed code, that's good, but we also might have backends involved, and we want to have MVPs for as much as possible so that we find the interesting vulnerabilities. Say if the web server is running on IIS, for example, Microsoft's web server, those web servers are by default in most deployments vulnerable to something called IIS short name scanning, and if you didn't know this, well, you should have known it, and we have an
MVP that says that if you target an IIS web server you at minimum must check out IIS short names. It's important. And then for application specific, say for example I'm testing Craft CMS. There are lots of debug options in Craft that you should explore if they're there. There are several log files and word lists that are extremely useful when testing Craft, for example. On ArcGIS there are ways to discover if there are points of interest or sensitive map data that could be exposed without the customer necessarily knowing, and so on. So we need to build out these things. And in terms of testing frameworks I would shout out again to ASVS, it is a nice guideline, just don't use this as your entire kind of playbook. And when you don't have the MVP, we create one. It is minimum viable, it doesn't mean that it's the only thing you do, but at minimum we need to do this. So you start building, you set it up, you break and hack it, configure it, so that you can get some experience before moving into your customers' deployments and starting to hack their applications. We do this all the time. My co-worker Vega, principal pentester, he has all kinds of applications running that represent different application tech stacks and so on, so that he can explore them from a crystal box perspective, and he finds vulnerabilities all the time because of it. So that is really good and nice. Maybe even you get some experience. For example I needed to explore Azure Functions, functions in Azure, because my customer had several of them deployed and I had no idea what I was doing. So what did I do? I set up my own Azure Function, I configured it, I deployed my code, I intentionally made it vulnerable and I saw that I could break it. And then we did something nice: we released it to the community in the form of a capture the flag, so that other people could also learn how some of these functions could get broken into.

And then finally we get to the tools, and we're nearly done with this talk now. Tools, well, depends on what you
have, depends on what your target is. There are so many different tools, and the tools you use will be based upon whatever you're trying to hack. You might use IIS-ShortName-Scanner, so this will abuse the IIS vulnerability that I was talking about, where we can brute force the six characters of a file and the first three characters of an extension. So for example here we're brute forcing inside of the folder of metadata-card. We find that there's a file called METAD~1, and METAD~1 has an extension .zip. So in this case I want to discover whatever that tilde one is. These are short names, and it's a feature of Windows that enables you to represent files with short names. I need to find that file; that zip file is incredibly juicy looking, and in my case it was just metadata-card.zip. So yeah, we found that file with no previous knowledge. We brute forced every character from A, B, C, D, we found something on M, then we went into MA, MC, MD, MF and so on, skipping parts of the alphabet there, I heard, but still we found ME and so on. Beautiful. And that tool is for IIS, so it depends. Here we are using a tool that I will soon release a version of on GitHub, but we have a WordPress scanner. We go through all of the WordPress information and see, can we find something interesting? In this case the script returns users and it returns media uploads on rivers. And sure enough, down here we have a media file upload called secret.txt, and of course you don't want to miss out on that. I've got some research on this topic coming up, hopefully within October, November, perhaps December. I'll have published a nice tool and also lots of research on WordPress and how horribly insecure it can be if you don't know what you're doing. There is a tool for pretty much everything, whether you like to use Nikto, Nuclei, sqlmap, doesn't really matter. Collaborate with your team, have a repository and a knowledge base of nice tools to use in different scenarios. Maybe you're targeting Magento, so you use Magescan. Maybe you're targeting JSON Web Tokens, so you use maybe jwt_tool. It depends. And the tool comes last, right? Or maybe you could employ the tool sooner, but it's not the most important thing to know. The most important thing is that the pentesters do their best hacking, not whatever tools they decide to run.

And that, ladies and gentlemen, was my talk, alone here in a room in Brussels where I teach from 9 to 5, 5:30, had a hamburger, recorded a YouTube video that I'm putting up online tomorrow, and then a couple of hours later had a beer, and I decided to do this talk for you as well. I hope you liked it. I will make sure that the slides are up here in my bio, chrisdale. You're welcome to add me on LinkedIn, follow me on Twitter or whatever, and connect with me. I enjoy having people not being strangers, so come say hi, whatever it is. Check out my company, I'm very proud of it, and so on. So yeah, it's been real. Thank you for listening, I hope you stayed the entire duration, I know it was a long one. Sayonara.
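The byte-fuzzing triage from the asdf.aspx and Natas examples earlier in the talk (every byte 00 to FF into one payload position, then looking at which responses differ from the rest and decoding those bytes), written out as an added example that is not Burp Intruder's code or the speaker's. The response data is constructed to mirror the numbers quoted in the talk (500/2325 baseline, 2179 for the URL and file characters); the function names and the two hypothesis buckets are assumptions.

```python
"""Triage of a byte-fuzzing run, an added example (not Burp Intruder's code
or the speaker's): build the list of every URL-encoded byte, group the
responses by (status, content length), treat the most common pair as the
baseline, and decode each outlier so the tester can form a hypothesis.
The sample responses are constructed to mirror the numbers quoted in the
talk; function names and the hypothesis buckets are assumptions."""
from collections import Counter
from urllib.parse import unquote

# Characters the talk attributes to URL parsing vs. file handling.
URL_SYNTAX = set("%&?+=#")
FILE_SYNTAX = set("*:<>\"|\\/")


def byte_payloads():
    """%00 .. %FF, URL-encoded once so the target application (not a proxy,
    load balancer or WAF on the way) is what decodes them."""
    return ["%%%02X" % b for b in range(256)]


def hypothesis(ch):
    """Bucket a decoded character the way the talk reasons about it."""
    if ch in URL_SYNTAX:
        return "url-parsing"
    if ch in FILE_SYNTAX:
        return "file-handling"
    return "unknown"


def find_outliers(results):
    """results: iterable of (payload, status, content_length).

    Baseline is the most common (status, length) pair; every response that
    differs from it is returned with the decoded character and a bucket.
    """
    results = list(results)
    baseline = Counter((s, n) for _, s, n in results).most_common(1)[0][0]
    outliers = []
    for payload, status, length in results:
        if (status, length) == baseline:
            continue
        ch = unquote(payload)
        outliers.append({"payload": payload, "char": ch, "status": status,
                         "length": length, "bucket": hypothesis(ch)})
    return outliers


# Constructed sample: the IIS case from the talk, most bytes 500 / 2325 bytes,
# a handful of URL and file characters 500 / 2179 bytes.
SAMPLE_RESULTS = [(p, 500, 2325) for p in byte_payloads()]
for _enc in ("%25", "%26", "%2A", "%3A", "%3E", "%3F", "%3C", "%2B"):
    SAMPLE_RESULTS[int(_enc[1:], 16)] = (_enc, 500, 2179)


def triage_sample():
    """Run the triage over the constructed sample."""
    return find_outliers(SAMPLE_RESULTS)


if __name__ == "__main__":
    for hit in triage_sample():
        print(f"{hit['payload']} ({hit['char']!r}) -> {hit['status']} "
              f"{hit['length']} bytes, hypothesis: {hit['bucket']}")
```

Feeding the same function the Natas numbers (most bytes 1101 bytes, `%5C` 1263 bytes) surfaces the backslash as the single outlier in the file-handling bucket, which is the cue the talk describes for going back to the logger and reading the actual error body.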
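For the IIS short name check in the MVP discussion above, an added example (not IIS-ShortName-Scanner's code) that predicts the 8.3 name Windows would assign to a long file name, so a defender can list a web root and see which six-character stems and three-character extensions a short-name enumeration would reveal. It is a simplified model of the NTFS rules (spaces dropped, disallowed characters replaced by `_`, `~N` incremented on collision in listing order) and the function names are assumptions.

```python
"""Predict the 8.3 short name Windows generates for a long file name, so a
defender can see what an IIS short-name enumeration of a folder would
reveal. Added example, not IIS-ShortName-Scanner's code; a simplified
model of the NTFS rules, with function names that are assumptions."""
import string

# Characters permitted in an 8.3 name; anything else becomes '_'.
ALLOWED = set(string.ascii_uppercase + string.digits + "$%'-_@~`!(){}^#&")


def _clean(part):
    return "".join(c if c in ALLOWED else "_" for c in part)


def short_name(long_name, existing=()):
    """Return the 8.3 form of `long_name`, e.g. metadata-card.zip -> METADA~1.ZIP.

    `existing` holds short names already present in the folder so that the
    ~N suffix increments the way Windows does on a collision.
    """
    upper = long_name.upper().replace(" ", "")
    base, dot, ext = upper.rpartition(".")
    if not dot:                     # no extension at all
        base, ext = upper, ""
    base = base.replace(".", "")    # embedded dots are dropped from the base
    fits = (base == _clean(base) and ext == _clean(ext)
            and len(base) <= 8 and len(ext) <= 3
            and " " not in long_name and upper.count(".") <= 1)
    if fits:                        # already a valid 8.3 name: no tilde form
        return base + (f".{ext}" if ext else "")
    base6, ext3 = _clean(base)[:6], _clean(ext)[:3]
    n = 1
    while True:
        candidate = f"{base6}~{n}" + (f".{ext3}" if ext3 else "")
        if candidate not in existing:
            return candidate
        n += 1


def folder_short_names(long_names):
    """Map every file in a folder to its predicted short name, honouring
    collisions in the order the files are listed."""
    taken = set()
    mapping = {}
    for name in long_names:
        sn = short_name(name, taken)
        taken.add(sn)
        mapping[name] = sn
    return mapping


if __name__ == "__main__":
    # Constructed sample web root listing.
    for lname, sname in folder_short_names(
            ["metadata-card.zip", "metadata-old.zip", "web.config", "index.htm"]).items():
        print(f"{lname:20} -> {sname}")
```

Running it over a real web root shows which backup archives and config files would be discoverable by stem alone; a server where short-name generation has been turned off (`fsutil 8dot3name` on Windows) and existing short names have been stripped has nothing for the enumeration to find.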