Words You Can Use In Reports for Webapp Tests

Web Application Penetration Test

The target for this assessment was the web application at TODO_STARTING_URL.

SCREENSHOT OF LANDING PAGE HERE

Caption: Landing Page for Target Application

Mapping the Application

With Burp Suite set as a proxy to record the traffic, the tester explored the application manually, as a normal user would, in order to understand how the application was built and what functionality it exposed. This step helps the tester become familiar with the application and identify areas of higher risk so that the rest of the work can be prioritized based on risk.

Infrastructure Configuration

The tester used the Qualys SSL Server Test to gather details of the servers’ TLS configurations.

TODO - screenshots (make sure they include the hostname and IP and timestamp) and narrative

The tester used Nmap to scan the server for open ports and services to determine what might be running other than the web server itself.

nmap -sV -sC -p- -oA TODO_OUTPUT_FILENAME -v --resolve-all TODO_FQDN_HERE

Nmap Command

The tester used Nikto to scan for weak configurations and known-vulnerable components. TODO sample Nikto command below.

The command runs against the target, writes an HTML report named after the target, and creates a “savedir” (also named after the target) containing the full request/response (JSON) for each finding. If needed, the request stored in the JSON can be replayed with the replay.pl program (which supports a proxy, so the replay can be captured in Burp).

During the scan, press the space bar to show status, v to toggle verbose mode, or d to toggle debug mode.

Nikto Command

./nikto.pl -h https://example.com/ -o . -S . -F htm

TODO - summarize what Nikto found or didn’t find.

Authentication and Session Management

BHIS investigated the strength of the application’s authentication and session management implementations.

TODO - describe how sessions are created and whether MFA is in use and required. Identify the session cookie or other place where the authentication token is stored and transmitted. Check Set-Cookie responses for the Secure, HttpOnly and SameSite attributes. Assess the unpredictability of the session token, and try to decode it or otherwise identify information embedded in it. Quantify session timeout behavior.
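The cookie-attribute and token-decoding checks listed above can be scripted so the evidence in the report is consistent from test to test. The following Python script is an added example, not part of the original template or any BHIS tooling: it parses Set-Cookie headers, flags missing Secure/HttpOnly/SameSite attributes, attempts to read a token as a JWT or plain base64 to show whether it carries readable data, and gives a rough entropy estimate from a sample of tokens. All header values and the JWT-shaped token are constructed for illustration; nothing here was captured from a real target.

```python
"""Session-cookie hygiene checks (added example; sample data is constructed)."""
import base64
import json
import math
from collections import Counter


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore stripped padding before decoding; binascii.Error is a ValueError.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


# Constructed JWT-shaped token: readable claims, placeholder signature.
CONSTRUCTED_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"user": "alice", "role": "admin"}).encode()),
    "placeholder-signature",
])

# Constructed Set-Cookie headers standing in for captured responses.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    f"auth={CONSTRUCTED_JWT}; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for item in parts[1:]:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_cookie_flags(header: str):
    """Return a list of findings about missing or inconsistent cookie attributes."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append("SameSite=None without Secure")
    return findings


def decode_token(value: str):
    """Try to read a token as a JWT, then as base64 text; None if opaque."""
    parts = value.split(".")
    if len(parts) == 3:
        try:
            header = json.loads(_b64url_decode(parts[0]))
            payload = json.loads(_b64url_decode(parts[1]))
            return {"kind": "jwt", "header": header, "payload": payload}
        except (ValueError, UnicodeDecodeError):
            pass
    try:
        text = _b64url_decode(value).decode("utf-8")
        if text.isprintable():
            return {"kind": "base64", "text": text}
    except (ValueError, UnicodeDecodeError):
        pass
    return None


def estimate_token_bits(tokens):
    """Rough upper bound on token entropy: per-character Shannon entropy
    over the whole sample multiplied by the average token length."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    per_char = -sum(c / total * math.log2(c / total) for c in counts.values())
    avg_len = sum(len(t) for t in tokens) / len(tokens)
    return per_char * avg_len


def assess_session_cookies(headers):
    """Combine the checks into one report keyed by cookie name."""
    report = {}
    for header in headers:
        name, value, _ = parse_set_cookie(header)
        report[name] = {
            "flag_findings": check_cookie_flags(header),
            "decoded": decode_token(value),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(assess_session_cookies(SAMPLE_SET_COOKIE_HEADERS), indent=2))
```

The entropy figure is only an upper bound on what the sample can reveal: a short run of tokens cannot prove a generator is random, but a low figure (repeated characters, sequential values) is strong evidence that it is not, and is worth quoting in the report alongside the decoded contents.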

The testers searched for a method of identifying valid usernames in the login process, the account recovery system, or the self-registration system. TODO - make sure those all exist; delete mention of whatever doesn’t.

Client-Side Technologies and Storage

TODO - look at the storage tab in your browser’s Developer Tools. Take a screenshot of what’s there. Make sense of what’s there and whether any of it poses a risk.

TODO - Look at JS in the client. Identify any client-side JS frameworks in use (look at the “Lighthouse” tab in Chrome dev tools) and look for any publicly-known vulns or misconfigurations.

TODO - If you use Wappalyzer, be sure to include screenshots from Burp (or curl or whatever) to confirm what Wappalyzer tells you and to give the location of anything Wappalyzer complains about, so a reader knows where to go to fix it.

Application-Specific Testing

Having established a clear understanding of the application, its components, and its infrastructure, the tester continued by investigating the application’s functionality.