Playbook: web applications

Note: Run Burp Suite or another intercepting proxy in the background during all of this activity.

The Basement

  • Is the website encrypted (HTTPS)?

  • SSL/TLS protocol versions, cipher suites, and key lengths. testssl.sh or sslscan works well for this

  • Check for outdated web server software (Adobe, Tomcat, etc.) - Nikto can help

  • Check for outdated application frameworks and libraries (ASP.NET, etc.)

  • Run Nikto or another web vulnerability scanner just to find low-hanging fruit

  • Check for DNS information with https://dnsdumpster.com/

Authentication

  • Try to sign up for a new account.

  • Click through the "Forgot my password" process.

    • See if there's any path that's guessable, like security questions

  • 2FA: If 2FA requires a 4-digit code or similar, it may be possible to brute-force.

File Discovery

  • Run gobuster, dirbuster, feroxbuster, etc to discover directories and files

  • Look through Google or other search engine results for files "hidden in plain sight"

  • Check robots.txt for unpublished pages

Putting stuff on the website

User access (you have a set of credentials)

  • Log in, look around

  • Look for unauthorized direct access with Autorize (a Burp extension)

Flaws to look for:

  • OWASP Top Ten is the fundamental guidebook on the most common vulnerabilities to look for.

  • XSS (Cross Site Scripting)

  • IDOR (Insecure Direct Object Reference)

  • CSRF (Cross Site Request Forgery)
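The Autorize check under "User access" and the IDOR item above come down to one question: does the server verify that the object named in the request belongs to the session user? The following is an added example, not part of the original playbook; the invoice store, users and handlers are constructed for illustration, and find_idor replays each request with a second user's session and compares responses the way Autorize does, so it doubles as an authorization regression test.

```python
# Added example (not from the original playbook): object-level authorization
# in a vulnerable and a fixed form, plus an Autorize-style replay check that
# flags the vulnerable one. All data below is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Invoice:
    invoice_id: int
    owner: str
    body: str


# Constructed sample store: each invoice belongs to exactly one user.
INVOICES = {
    101: Invoice(101, "alice", "alice's invoice"),
    102: Invoice(102, "bob", "bob's invoice"),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int):
    """IDOR: the id from the request is trusted and ownership is never checked."""
    inv = INVOICES.get(invoice_id)
    return (200, inv.body) if inv else (404, "")


def get_invoice_fixed(session_user: str, invoice_id: int):
    """Object-level authorization: the record must belong to the session user.
    Answering 404 for both 'missing' and 'not yours' avoids confirming which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        return (404, "")
    return (200, inv.body)


def find_idor(handler, cases):
    """Replay each (owner, other_user, object_id) case with the other user's
    session and report ids where the response matches the owner's, which is
    what an Autorize-style test surfaces."""
    findings = []
    for owner, other, obj_id in cases:
        owner_resp = handler(owner, obj_id)
        other_resp = handler(other, obj_id)
        if owner_resp[0] == 200 and other_resp == owner_resp:
            findings.append(obj_id)
    return findings


# Constructed cases: each user's session is replayed against the other's invoice.
CASES = [("alice", "bob", 101), ("bob", "alice", 102)]

if __name__ == "__main__":
    print("vulnerable handler leaks:", find_idor(get_invoice_vulnerable, CASES))  # [101, 102]
    print("fixed handler leaks:", find_idor(get_invoice_fixed, CASES))  # []
```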

Additional references:
