
Web App Pentesting Methodology

Information Gathering

  • Conduct Search Engine Discovery Reconnaissance for Information Leakage WSTG-INFO-01
    • Google Dorking
    • GitHub Searching
  • Fingerprint Web Server WSTG-INFO-02
    • Banner grabbing
    • whatweb, builtwith, etc. Make a note of technologies in use.
    • Try sending malformed requests
  • Review Webserver Metafiles for Information Leakage WSTG-INFO-03
    • Robots.txt
    • Check meta tags
    • Sitemaps?
    • Are there any .well-known files?
    • humans.txt
  • Enumerate Applications on Webserver WSTG-INFO-04
    • Non-standard URLs
    • Non-standard ports
    • Virtual hosts
  • Review Web Page Content for Information Leakage WSTG-INFO-05
  • Identify Application Entry Points WSTG-INFO-06
    • Happy path!!
    • Look for parameters in query strings and POST bodies
    • Look out for anything that seems different, odd, or custom.
  • Map Execution Paths Through Application WSTG-INFO-07
    • Spidering
  • Fingerprint Web Application Framework WSTG-INFO-08
    • X-Powered-By
    • Cookies
    • HTML source code
    • Directory busting
    • Search for specific file extensions in use
  • Fingerprint Web Application WSTG-INFO-09
  • Map Application Architecture WSTG-INFO-10
    • Web server
    • Platform-as-a-Service
    • Serverless
      • AWS Lambda
      • Azure
    • Microservices
    • Static storage
      • S3
      • Azure blob
    • Databases in use
    • Authentication
    • Third-party services and APIs
    • Network components - load balancer, CDN
    • WAF, IDS, IPS

Configuration and Deployment Management Testing

  • Test Network Infrastructure Configuration WSTG-CONF-01
    • Review any configurations
    • Check framework and system version information to identify vulns.
  • Test Application Platform Configuration WSTG-CONF-02
    • Sample and known file directories
    • Review comments
    • Benchmarks
  • Test File Extensions Handling for Sensitive Information WSTG-CONF-03
    • Check with different file extensions to see how they're handled
    • Specifically look for .asa, .inc, and .config files
    • Look for old, archive, office docs, txt files, etc.
  • Review Old Backup and Unreferenced Files for Sensitive Information WSTG-CONF-04
    • Try appending .old and .bak to any files you find
    • Fuzz using old/backup extensions
  • Enumerate Infrastructure and Application Admin Interfaces WSTG-CONF-05
    • Google Dorking
    • Check comments, cookies, etc. for any indications
    • Look for parameter tampering
  • Test HTTP Methods WSTG-CONF-06
  • Test HTTP Strict Transport Security WSTG-CONF-07
  • Test RIA Cross Domain Policy WSTG-CONF-08
  • Test File Permission WSTG-CONF-09
  • Test for Subdomain Takeover WSTG-CONF-10
  • Test Cloud Storage WSTG-CONF-11
    • Check for anonymous access
    • Use any AWS, Azure, GCP tricks to extract information
  • Testing for Content Security Policy WSTG-CONF-12
  • Test Path Confusion WSTG-CONF-13
    • Replace all existing paths with paths that don't exist and observe the server's behavior
  • Test Other HTTP Security Header Misconfigurations WSTG-CONF-14
    • Carefully review all security headers, including:
      • Empty values
      • Invalid names or typos
      • Overly permissive headers, e.g., *
      • Duplicate headers
      • Legacy or deprecated headers
      • Invalid placement
      • META tag handling mistakes
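
Added example (not from the original page): a small reviewer that runs the WSTG-CONF-14 checks above over a raw HTTP response, flagging empty values, misspelled names, wildcard CORS/CSP, duplicates, deprecated headers, missing baseline headers, and CSP directives that browsers ignore when the policy is delivered in a META tag. The baseline, typo and deprecated lists and both sample responses are constructed for the example; responses are assumed to use bare "\n" line endings and double-quoted META attributes.

```python
import re
from collections import Counter

# Headers a reviewer expects on a modern HTTPS response (constructed baseline).
EXPECTED = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}

# Legacy or deprecated headers that should not be relied on.
DEPRECATED = {"x-xss-protection", "public-key-pins", "expect-ct", "x-webkit-csp"}

# Misspellings of real header names (constructed list; extend as needed).
TYPOS = {
    "content-security-polcy": "content-security-policy",
    "strict-transport-secuirty": "strict-transport-security",
    "x-content-type-option": "x-content-type-options",
}

# CSP directives that browsers ignore when the policy arrives via <meta http-equiv>.
META_IGNORED = ("frame-ancestors", "report-uri", "sandbox")

META_CSP = re.compile(
    r'<meta\s+http-equiv=["\']content-security-policy["\']\s+content="([^"]*)"',
    re.IGNORECASE,
)


def split_response(raw):
    """Split a raw HTTP response into (header lines, body); the status line is dropped."""
    head, _, body = raw.partition("\n\n")
    return head.splitlines()[1:], body


def parse_headers(lines):
    """Turn 'Name: value' lines into lowercase (name, value) pairs."""
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def review_headers(raw):
    """Return a sorted list of findings for one raw HTTP response."""
    lines, body = split_response(raw)
    pairs = parse_headers(lines)
    counts = Counter(name for name, _ in pairs)
    findings = []
    for name, value in pairs:
        if value == "":
            findings.append(f"empty value: {name}")
        if name in TYPOS:
            findings.append(f"typo: {name} (did you mean {TYPOS[name]}?)")
        if name in DEPRECATED:
            findings.append(f"deprecated: {name}")
        if name == "access-control-allow-origin" and value == "*":
            findings.append("overly permissive: access-control-allow-origin *")
        if name == "content-security-policy" and ("*" in value or "'unsafe-inline'" in value):
            findings.append("overly permissive: content-security-policy")
    for name, n in counts.items():
        if n > 1:
            findings.append(f"duplicate: {name} ({n} times)")
    for name in sorted(EXPECTED - set(counts)):
        findings.append(f"missing: {name}")
    for policy in META_CSP.findall(body):
        for directive in META_IGNORED:
            if directive in policy:
                findings.append(f"meta tag: {directive} is ignored in a META-delivered CSP")
    return sorted(findings)


# Constructed sample responses for the example (not captured from any real host).
SAMPLE_BAD = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security:
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: *
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Content-Security-Polcy: default-src 'self'

<html><head>
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'">
</head></html>"""

SAMPLE_GOOD = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY"""

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, review_headers(sample))
```

The good sample yields no findings; the bad one yields eight, one per category in the list above. Feed it the raw response saved from Burp or `curl -i` to reproduce the review on a real target in scope.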

Identity Management Testing

  • Test Role Definitions WSTG-IDNT-01
    • If not given, try fuzzing for all possible roles
    • Check for parameter tampering
    • Autorize
  • Test User Registration Process WSTG-IDNT-02
    • Can anyone just register an account?
    • Figure out how registrations are vetted
    • Can the same person register multiple times?
    • Can users register for different roles or permissions?
    • What proof of identity is required?
    • Are registered identities verified? How?
  • Test Account Provisioning Process WSTG-IDNT-03
    • Verify which accounts can provision other accounts. What levels/permissions?
    • Is there any verification required for provisioning/de-provisioning?
    • Can an admin provision other admins?
    • Can an admin or other user provision accounts with higher permissions?
    • Can an admin de-provision themselves?
    • How are files or resources owned by the de-provisioned user handled? Deleted? Access transferred?
  • Testing for Account Enumeration and Guessable User Account WSTG-IDNT-04
    • Check for disparities between responses
    • Check anywhere a user ID is provided, e.g., all login forms
  • Testing for Weak or Unenforced Username Policy WSTG-IDNT-05
    • Determine the structure of account names
    • Evaluate the responses to valid and invalid account names

Authentication Testing

  • Testing for Credentials Transported over an Encrypted Channel WSTG-ATHN-01
    • Check in the browser - look at URL bar/lock status
    • Watch the network tab
    • Wireshark
  • Testing for Default Credentials WSTG-ATHN-02
    • Use DBs of default passwords to check against
  • Testing for Weak Lock Out Mechanism WSTG-ATHN-03
    • Can you still log in after 20+ invalid logon attempts?
  • Testing for Bypassing Authentication Schema WSTG-ATHN-04
    • Forced browsing
    • Parameter modification
    • Session ID prediction
    • SQLi
  • Testing for Vulnerable Remember Password WSTG-ATHN-05
    • Is the password stored anywhere on the client-side?
    • Check tokens for expiration
  • Testing for Browser Cache Weaknesses WSTG-ATHN-06
    • Does the application store any sensitive information on the client-side?
    • Can we access without authorization?
  • Testing for Weak Authentication Methods WSTG-ATHN-07
    • What characters are permitted or required? Complexity enforced?
    • How often can a user change the password?
      • Is there a cooling-off period? Can the user change the password several times in a row to effectively keep the same password?
      • Is there anything that prevents using the username as a password?
      • Can we set weak or common passwords?
  • Testing for Weak Security Question Answer WSTG-ATHN-08
    • Try to obtain a list of security questions
    • Is there any lockout mechanism in place for wrong answers to security questions?
  • Testing for Weak Password Change or Reset Functionalities WSTG-ATHN-09
    • Does the application validate the user?
    • Is the current password required to change it?
    • Are forgot password tokens sufficiently random/encrypted?
      • Only good once
      • Limited time -- how long?
  • Testing for Weaker Authentication in Alternative Channel WSTG-ATHN-10
    • Are multiple channels available?
    • Are the channels used for different things? What does each allow you to do?
  • Testing Multi-Factor Authentication (MFA) WSTG-ATHN-11
    • If present, can it be brute forced?
    • Can you skip the MFA verification -- force browse away from the verification page?

Authorization Testing

  • Testing Directory Traversal File Include WSTG-ATHZ-01
    • Look for injection points, something like /?file=test.txt
    • Images are good for this
    • Fuzz for files based on OS
  • Testing for Bypassing Authorization Schema WSTG-ATHZ-02
    • Is it possible to access a resource unauthenticated?
    • Can we access after logout?
    • Horizontal and vertical privilege escalation
  • Testing for Privilege Escalation WSTG-ATHZ-03
    • Check every insertion point, e.g., any place a user can affect information in a database
    • Manipulate:
      • Condition values
      • IP address
      • Autorize
  • Testing for Insecure Direct Object References WSTG-ATHZ-04
    • BOLA - Can I see things I shouldn’t?
    • BFLA - Can I do things I shouldn’t be able to do?
  • Testing for OAuth Weaknesses WSTG-ATHZ-05
    • Deprecated grant types, e.g., implicit grant flow

Session Management Testing

  • Testing for Session Management Schema WSTG-SESS-01
  • Testing for Cookies Attributes WSTG-SESS-02
    • HttpOnly
    • Secure
    • Path
    • Domain
  • Testing for Session Fixation WSTG-SESS-03
    • Are cookies updated after login?
  • Testing for Exposed Session Variables WSTG-SESS-04
  • Testing for Cross Site Request Forgery WSTG-SESS-05
    • Relevant action
    • Cookie-based auth
    • No unpredictable parameters
  • Testing for Logout Functionality WSTG-SESS-06
    • Does logoff terminate the session?
      • Can we replay a request after logout?
  • Testing Session Timeout WSTG-SESS-07
    • Does the application terminate inactive sessions?
    • Does it redirect to a non-sensitive page?
  • Testing for Session Puzzling WSTG-SESS-08
  • Testing for Session Hijacking WSTG-SESS-09
  • Testing JSON Web Tokens WSTG-SESS-10
  • Testing for Concurrent Sessions WSTG-SESS-11
    • Multiple tabs
    • Multiple devices
    • Does logging in on one log out of the other?
    • What happens when you try to edit the same data in different sessions?
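
Added example (not from the original page) for the cookie attribute checks under WSTG-SESS-02 above: a reviewer that parses Set-Cookie header values and reports missing HttpOnly, Secure and SameSite, a SameSite=None cookie without Secure, a Domain attribute that widens the cookie to every subdomain, and cookies whose __Host- or __Secure- prefix rules are not met. The sample Set-Cookie values are constructed for the example.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")      # flags like "Secure" get an empty value
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def review_cookie(header_value):
    """Return the list of attribute findings for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    secure = "secure" in attrs
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (readable by script)")
    if not secure:
        findings.append("missing Secure (sent over plaintext HTTP)")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "":
        findings.append("missing SameSite (browser default applies)")
    elif samesite == "none" and not secure:
        findings.append("SameSite=None requires Secure")
    domain = attrs.get("domain", "")
    if domain:
        findings.append(f"Domain={domain} sends the cookie to every subdomain")
    path = attrs.get("path", "")
    if path and path != "/":
        # Path narrows where the cookie is sent but is not a security boundary.
        findings.append(f"Path={path} (path scoping is not a security boundary)")
    if name.startswith("__Host-") and not (secure and not domain and path == "/"):
        findings.append("__Host- prefix requires Secure, no Domain, and Path=/")
    if name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")
    return findings


# Constructed sample Set-Cookie values (not captured from any real application).
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-sid=xyz; Secure; HttpOnly; SameSite=Strict; Domain=example.com; Path=/",
    "tracker=1; SameSite=None",
]

if __name__ == "__main__":
    for header in SAMPLE_COOKIES:
        print(header, "->", review_cookie(header) or "ok")
```

Run it over every Set-Cookie header observed before and after login; the second sample is the shape a session cookie should take, and the first shows the three findings a bare session cookie produces.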

Input Validation Testing

Testing for Error Handling

  • Testing for Improper Error Handling WSTG-ERRH-01
    • Request non-existent resources
    • Request folders that exist and check the server response
    • Try sending a very large path
    • Change the HTTP version
    • Try sending malformed requests
    • Try sending invalid/duplicate headers
    • Try intercepting then dropping a request
  • Testing for Stack Traces WSTG-ERRH-02

Testing for Weak Cryptography

Business Logic Testing

Client Side Testing

API Testing