[ mapping functionality and content ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Serundeng Sapi - Web Application Security ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [###]WEB SPIDERING: > Burp, WebScarab, Nikto, etc. > /robots.txt > Links on js code > Forms > Tokens within the URL [!] user-directed spidering: slower but often better [!] hidden files: > logs > omments > source code before compiled > configuration and include files > old versions of files > default functionality > backup archives > naming schemes : .txt|.bak|.src|.inc|.old|.java|.cs|.php~1(temporary file)|.tmp|.jsp [!] brute force: > BURP Intruder [!] auth functions: login,logout,register,profile [!] public info: > search engines (Google Hacking, NetCraft, Whois Registries, etc.) > web archives : www.archive.org > search developers and emails ( Linkedin, Forums, etc.), social engineering attacks [!] nikto uses large database of common web application software and scripts. example: search in /cgi-bin, via: nikto -root /cgi-bin/ (or -cgidirs) [!] third-party software: like CMS, shopping carts, forums, etc. [!] locate file path and functional path: /admin.jsp?action=edituser use inference [!] hidden parameters example: debug=true (information disclosure, bad error handling...) more examples to try: test, hide, source.. with values 1,yes,true,on... use BURP: CLUSTER BOMB attack with custom lists [###] USER INPUT ENTRY POINTS : [*] rest-style urls. [*] request params [*] http headers (referer,user-agent (in the log usually)) [*] look for out-of-band channels : > Webmail > Smtp > Contents from other servers via HTTP > IDS,API interfaces non-browser (mobile devices) [###] SERVER-SIDE TECH : [*] banner grabbing: Server response header, templates... [+] httprecon: fingerprint webserver's software [+] file extensions: [+] .asp,.aspx > Microsoft [+] .jsp > Java [+] .cfm > ColdFusion [+] .php > PHP [+] .d2w > websphere [+] .pl > Perl [+] .py > Python [+] .dll > compiled native code [+] .nsf,.ntf > Lotus Domino [###] calling non-existent files with the server's software extension, commonly customized errors [!] directory names : [+] servlet > Java [+] cfdocs,cfide > ColdFusion [+] pls > oracle [+] webobjects > apple(woa) [+] rails > ruby [+] etc. [!] session-tokens: [+] JSESSIONID > java [+] ASPSESSIONID > iis server [+] ASP.NET_SessionId > asp.net [+] CFID/CFTOKEN > coldFusion [+] PHPSESSID > PHP [!] httprint or other automatization tool [###] SERVER-SIDE FUNCTIONALITY: sql,path traversal, emailing... [+] client-side validation not replicated on the server [+] database interaction: SQL injection [+] file uploading and downloading: stored XSS and path traversal vulns [+] Display user supplied data: reflected XSS [+] Dynamic Redirects: Header injection [+] Social Networking features [+] Login: username enumeration, weak passwords, brute-force [+] multistage login: logic flaws like open-fail flaws. [+] session state: tokens [+] access controls: privelege escalation vertical and horizontal [+] user impersonation functions [+] cleartext communications: session hijacking,capture of credentials... [+] off-site links: leakage of query string params in referer header [+] interfaces to external systems: shortcuts.. [+] error messages: information disclosure [+] email interaction:os injection, smtp injection [+] native code components: buffer overflows [+] third-party applications components: known vulns [+] ident web-server software: common configuration weaknesses, default credentials, known bugs. www.osvdb.org