Web Application/API Penetration Test
IMPORTANT:
This section describes the SOW item called “Web Application Penetration Test.” It is not what we do for any other kind of test where we may happen to investigate a webapp. This is more comprehensive. Those are more opportunistic.
If you use a webapp on another kind of test in order to further the goals of that other test, it is CRITICAL that you clearly state in the report that you did NOT do a full webapp pentest. Use the words from the “External Network Penetration Test” description in any SOW as a guide to say something like this:
“The tester used this webapp as a means to an end in the context of a larger effort. The tester made no attempt to investigate this particular web application comprehensively or in any way beyond the specific steps illustrated here. BHIS recommends a dedicated Web Application Penetration Test if {{ Customer }} would like a more comprehensive investigation of the risks this web application may pose.”
See Also: “Web App Pentests” from Section 2 of John Strand’s Introduction to Pentesting course.
Now let’s get on with it
The objective of the Web Application/API Penetration Test is to assess the infrastructure, application logic, business logic, and other components for material flaws that might expose the application, protected data, or users to attack. Applications are tested from both an unauthenticated and authenticated context. Where applicable, privilege separation is tested both horizontally (data segmentation) and vertically (privilege escalation). Web Application and API testing is informed by the Open Web Application Security Project (OWASP) guidance.
API testing may require additional information from the customer (Swagger documentation, test harness, sample transactions) and the use of additional tools that target API interaction. However, the mechanics of testing are largely the same once valid requests have been generated.
This engagement typically includes the following elements, although this is not an exhaustive list:
System Infrastructure Scanning
The infrastructure that underpins the target application should be subjected to various vulnerability and port scans to ensure that only the required ports, protocols, and services are exposed. Any excess exposure should be documented in the report and exploitation should be attempted, where applicable.
Cryptographic Configuration Analysis
The cryptographic configuration of a web server plays a critical role in securing information in transit between the browser and the target application. Protocols, cipher suites, hashing algorithms, and certificate details should be enumerated and scrutinized to identify material weaknesses. This is especially important in the context of regulations such as PCI-DSS, where support for deprecated protocols violates industry requirements.
HTTP Header Analysis
Security-related HTTP headers can be used to control features of the visiting user’s browser, bolster the security of the application, and minimize the effectiveness of attacks. Security headers should be evaluated at multiple points in the application and with the context of a given transaction in mind to provide an accurate picture of the effectiveness of implemented protections.
Application Component Analysis
Modern web applications often take advantage of application frameworks and third-party components to standardize implementation and increase productivity. Adoption of third-party components comes with the risk that those components introduce vulnerabilities into the consuming application. Third-party components should be enumerated, vulnerability analysis should be performed on those components, and exploitation should be attempted, where applicable.
Authentication Controls Analysis
Authentication is often the first line of defense for most applications. Attackers unable to gain authenticated access to the application typically face a significantly reduced attack surface. Elements of this activity include:
+ Username enumeration – Determine whether server responses can be used to distinguish invalid usernames from valid ones.
+ Single use tokens – Password reset and registration functionality should be evaluated to ensure that password reset tokens are single use and limited duration.
+ Password Policy Strength – Details regarding the various password policies implemented by the application should be evaluated. Technical implementation of the policies should be tested to ensure that the policy is enforced on the server side.
+ Password Change Mechanism – The password reset feature should enforce the implemented password policy and validate the identity of the requesting user (current password required).
+ Account Lockout Controls and Rate Limiting – The application should be evaluated for the presence of account lockout controls or authentication rate limiting intended to diminish the effectiveness of password guessing attacks.
+ Single Sign-On Workflow Analysis – Where SSO authentication providers are used, the SSO workflow should be evaluated for material weaknesses.
+ Multi-Factor Authentication – Where sensitive data and direct internet exposure are involved, the application should be checked for Multi-Factor Authentication support.
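An added example (not BHIS code) of the username enumeration check above: a login handler whose responses distinguish valid usernames from invalid ones, the hardened version that returns the same status, message and hashing cost either way, and the comparison a tester performs. The user store, salt and iteration count are constructed for this example.

```python
import hashlib
import hmac

SALT = b"constructed-example-salt"  # constructed; use a random per-user salt in practice
ITERATIONS = 20_000                 # kept low so the example runs quickly

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

USERS = {"alice": hash_password("correct horse battery")}  # constructed user store
DUMMY_HASH = hash_password("never-a-real-password")        # compared against for unknown users

def login_vulnerable(username, password):
    """Different status and message (and no hashing work) for unknown users,
    so the responses reveal which usernames exist."""
    if username not in USERS:
        return 404, "unknown user"
    if hmac.compare_digest(USERS[username], hash_password(password)):
        return 200, "welcome"
    return 401, "wrong password"

def login_hardened(username, password):
    """Same status, same message and the same hashing cost whether or not the
    username exists; only a correct pair for a real user succeeds."""
    stored = USERS.get(username, DUMMY_HASH)
    matched = hmac.compare_digest(stored, hash_password(password))
    if matched and username in USERS:
        return 200, "welcome"
    return 401, "invalid username or password"

def responses_distinguish_users(login):
    """Tester's check: submit a bad password for a known-valid user and for a
    bogus user; any difference in the responses enables username enumeration."""
    valid_user = login("alice", "not-the-password")
    bogus_user = login("nobody", "not-the-password")
    return valid_user != bogus_user
```

On a live target the same comparison also covers response timing and length, which is why the hardened handler hashes a dummy value for unknown users instead of returning early.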
Session Management Analysis
Since the HTTP protocol is stateless, applications implement session handling mechanisms to associate a given request with an authenticated user. Typically, this is accomplished by passing a token in the form of an HTTP header or cookie. The process of session handling analysis involves the following steps, at a minimum:
+ Token Determination – An authenticated HTTP transaction is repeated to the server to identify the minimum set of cookies required to maintain authenticated session state. Individual cookies are eliminated from the authenticated request and the response is checked for an artifact indicating authenticated access (like a username).
+ Token Analysis – Attempts should be made to decode the token to determine its structure and composition. The duration of the token should be determined, and excessive duration should be documented in the report. Token strength should be evaluated using Burp Sequencer to determine whether session fixation might be possible. Results from the above, if any, should be used to formulate attacks.
+ Token Attacks – Based on the results of token analysis, attacks are executed against the application by manipulating the token. This could be used to assume another user’s identity or escalate privileges within the application.
+ Token Replacement – The token used to maintain authenticated session state should be replaced after sensitive transactions like completion of a log-on sequence, changing a password, etc.
+ Session Termination – The log off functionality of the application should be used, and a previously authenticated transaction should be replayed to ensure that the session is properly terminated on the server side.
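An added example (not BHIS code) of the Token Determination and Session Termination steps above, run against a constructed in-memory application: cookies are dropped one at a time and the response is checked for the username artifact, then the request is replayed after log off. The session store, cookie names and artifact are this example's assumptions.

```python
SESSIONS = {"s-1a2b3c": "alice"}  # constructed server-side session store (id -> user)

def replay_request(cookies):
    """Stand-in for the replayed authenticated transaction. Access is granted only
    when the 'session' cookie maps to a live session; 'theme' and 'lang' only
    change presentation, and 'tracking' is ignored entirely."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return "<h1>Please log in</h1>"
    theme = cookies.get("theme", "light")
    return f"<body class='{theme}'><span id='username'>{user}</span></body>"

def shows_authenticated_artifact(body):
    """The artifact chosen for this application: the username span."""
    return "id='username'" in body

def minimal_cookie_set(cookies, send):
    """Token Determination: remove cookies one at a time and keep only those
    whose removal loses authenticated access."""
    if not shows_authenticated_artifact(send(cookies)):
        raise ValueError("baseline request is not authenticated; capture a fresh session")
    required = dict(cookies)
    for name in list(cookies):
        trial = {k: v for k, v in required.items() if k != name}
        if shows_authenticated_artifact(send(trial)):
            required = trial  # this cookie plays no part in session state
    return required

def server_logout(cookies):
    """Simulated log-off: the server invalidates the session id."""
    SESSIONS.pop(cookies.get("session"), None)

def session_terminated_after_logout(cookies, send):
    """Session Termination: log off, then replay the request with the old cookies;
    the session is properly terminated only if the artifact is gone."""
    server_logout(cookies)
    return not shows_authenticated_artifact(send(cookies))

# Constructed cookie jar, as captured from the browser after logging in.
CAPTURED_COOKIES = {"session": "s-1a2b3c", "theme": "dark", "lang": "en", "tracking": "xyz"}
```

Against a real target, `replay_request` is the repeater step and `shows_authenticated_artifact` is whatever marker the application's pages carry for a logged-in user.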
Input Tampering
Web applications are typically designed to accept some form of input from users. Depending on the manner in which the input is handled, malicious input can lead to various forms of application manipulation, including HTML injection, script injection, command injection, and data or persistence layer injection (SQL, NoSQL, etc.).
Successful execution of input tampering may cause the application to crash, result in user session compromise, lead to sensitive information disclosure, or compromise of the underlying operating system of the application server.
Tampering typically involves submission of large positive and negative numbers, boundary values (like zero), long strings, or injection content to elicit a response from the server that might indicate vulnerability.
All inputs to the server should be considered for potential tampering. Typical inputs to consider include files, cookies, user agent strings, form input, query string values, and any other input the application may be processing.
Vertical Privilege Separation Attacks
Applications with multiple privilege levels should perform authorization checks prior to allowing a user to access restricted functionality. Sometimes developers assume that trimming a menu item is sufficient to prevent a user from accessing and executing functionality not meant for a user's given privilege level.
During testing, the tester is typically provided two sets of credentials at each privilege level. Comparative analysis should be performed to identify content restricted at lower privilege levels. Then manual or automated checks can be used to identify features that lack sufficient function-level access control enforcement.
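An added example (not BHIS code) of the comparative analysis and function-level check described above: diff the site maps crawled at two privilege levels, then replay each restricted path with the lower-privilege session. The site maps, paths and server-side authorization table are constructed; one admin path is trimmed from the menu but never checked on the server.

```python
# Constructed: site maps produced by crawling the application at each privilege level.
ADMIN_SITEMAP = {"/dashboard", "/profile", "/admin/users", "/admin/export", "/admin/settings"}
USER_SITEMAP = {"/dashboard", "/profile"}

# Constructed application: the roles the server actually authorizes for each path.
# '/admin/export' was trimmed from the user menu but never given a server-side check.
SERVER_ACL = {
    "/dashboard": {"user", "admin"},
    "/profile": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/export": {"user", "admin"},
    "/admin/settings": {"admin"},
}

def replay_as_role(path, role):
    """Stand-in for replaying a request to `path` with the lower-privilege session."""
    if path not in SERVER_ACL:
        return 404
    return 200 if role in SERVER_ACL[path] else 403

def restricted_content(high_sitemap, low_sitemap):
    """Comparative analysis: paths seen at the higher privilege level but not the lower."""
    return sorted(high_sitemap - low_sitemap)

def missing_function_level_checks(restricted_paths, role, send):
    """Request each restricted path as the lower-privilege role; a 200 means the
    feature relied on menu trimming instead of a server-side authorization check."""
    return [path for path in restricted_paths if send(path, role) == 200]

def vertical_privilege_findings():
    """Full procedure for the constructed application: diff, then verify enforcement."""
    restricted = restricted_content(ADMIN_SITEMAP, USER_SITEMAP)
    return missing_function_level_checks(restricted, "user", replay_as_role)
```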
Horizontal Privilege Separation Checks
Applications with multiple privilege levels should perform authorization checks prior to allowing a user to access restricted functionality. Sometimes developers assume that trimming a menu item is sufficient to prevent a user from accessing and executing functionality not meant for a user's given privilege level.
During testing, the tester is typically provided two sets of credentials at each privilege level. Comparative analysis should be performed to identify content restricted at lower privilege levels. Then manual or automated checks can be used to identify features that lack sufficient function-level access control enforcement.
Identifier Enumeration
Applications often use various identifiers to retrieve content associated with a given record or file. Many times, the identifiers used by the application include integers or strings that have an obvious pattern. Each enumerable identifier type should be tested to determine whether inappropriate content can be retrieved. Testing can include sequential or random identifier manipulation. Successful retrieval often indicates insufficient function-level access control checks or insecure direct object references.
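An added example (not BHIS code) for the horizontal checks and identifier enumeration above: a record lookup keyed by a sequential integer id with no ownership check, the hardened lookup scoped to the caller, and the sequential-identifier test that reveals the difference. The invoice store and user names are constructed.

```python
INVOICES = {  # constructed data store: invoice id -> (owner, contents)
    1001: ("alice", "alice invoice 1"),
    1002: ("bob", "bob invoice 1"),
    1003: ("alice", "alice invoice 2"),
    1004: ("carol", "carol invoice 1"),
}

def get_invoice_vulnerable(session_user, invoice_id):
    """Insecure direct object reference: the caller is authenticated, but nothing
    checks that the record belongs to the caller."""
    record = INVOICES.get(invoice_id)
    return (200, record[1]) if record else (404, "not found")

def get_invoice_hardened(session_user, invoice_id):
    """Ownership check on every lookup, with the same 404 for a missing id and
    for another user's id so the response does not confirm which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != session_user:
        return (404, "not found")
    return (200, record[1])

def sequential_identifier_test(handler, session_user, start, count):
    """Walk ids sequentially from a known one and list those that returned
    another user's record. The data store serves as the ownership oracle in
    this simulation; on a real test the tester judges the returned content."""
    leaked = []
    for invoice_id in range(start, start + count):
        status, _ = handler(session_user, invoice_id)
        if status == 200 and INVOICES[invoice_id][0] != session_user:
            leaked.append(invoice_id)
    return leaked
```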
Automated Web Application Scanning
Comprehensive manual testing is often difficult to accomplish within the short timeframe allotted for testing. As a result, scanning is conducted in conjunction with manual testing activity. However, general-purpose scanners like Nessus and Nmap are not well suited for web application testing. Instead, a dedicated web application scanner like HCL AppScan or the Burp Suite active scanner is used to augment tester activity and expedite vulnerability discovery.
Content Discovery
Dictionary-based content discovery is performed to attempt to identify content or functionality that is present in the web application but unlinked to any of the authorized application pages.