The document outlines various web application testing techniques that can be performed, many of which do not require permission, except in certain jurisdictions like Spain. It provides guidelines based on the OWASP testing guide, detailing methods for testing vulnerabilities, identifying application entry points, and analyzing the security of session management and user credentials. Additionally, the document emphasizes the importance of ethical considerations in testing practices.

1. Web app testing
without attack traffic
Abraham Aranguren
@7a_
abraham.aranguren@gmail.com
http://7-a.org

2. Intro
33% (22 out of 66) of the tests in the OWASP
Testing guide can be legally* performed at least
partially without permission
* Except in Spain, where visiting a page can be
illegal ☺

3. Legend
Ethics/Scope legend: P
P No Permission needed: No attack traffic
! Mild attack traffic / Could break things
!! You better have written permission ..
Vulnerable vs. Not Vulnerable legend:
Vulnerable
Not Vulnerable

4. Testing: Spiders, Robots, and Crawlers
(OWASP-IG-001)
P
$ wget http://www.google.com/robots.txt
Found: Analyse entries
Not found: Indexing required?

5. Testing: Search engine discovery /
reconnaissance (OWASP-IG-002)
Google site:target.com filetype: inurl:
P
Metadata, DNS, Whois, Company info, staff,
etc..

6. Testing: Identify application entry
points (OWASP-IG-003)
P
Use a proxy and JUST browse the site
Let the proxy log ALL requests
Understand the site
Chain ratproxy to your proxy for cool ideas ☺

7. Testing for Web Application
Fingerprint (OWASP-IG-004)
Get the banner: P
$ curl –i –A “Mozilla ” http://target.com | more

8. Testing for SSL-TLS (OWASP-CM-
001)
No traffic .. P

9. Testing for Admin Interfaces
(OWASP-CM-007)
3rd party stuff on .NET ViewState, headers,.. P
Telerik.Web.UI?? Google it!

10. Testing for Admin Interfaces
(OWASP-CM-007) - continued
Google for default passwords P

11. Testing for Admin Interfaces
(OWASP-CM-007) – continued
!!

12. Testing for Admin Interfaces
(OWASP-CM-007) - continued
!!

13. Testing for HTTP Methods and XST
(OWASP-CM-008)
An OPTIONS request is quite normal: P
curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' -k https://site.com
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: Apache/2.0.63 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

14. Testing for credentials transport
(OWASP-AT-001)
Is the login page on “http” instead of “https”? P

15. Testing for Default or Guessable User
Account (OWASP-AT-003)
Analyse the username(s) they gave you to test: P
Username based on numbers?
USER12345
Username basic on public info? (i.e. names,
surnames, ..)
name.surname

16. Vulnerable Remember Password and
Pwd Reset (OWASP-AT-006)
Is autocomplete set to off? P
<form autocomplete=“off”>
or
<input autocomplete=“off”>
Look at the questions or fields in the password
reset form

17. Testing for Logout and Browser Cache
Management (OWASP-AT-007)
Easy test: Login + Logout + Back button
P
Or no caching headers / not expiring session cookie:
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 13:38:43 GMT
Server: .
X-Powered-By: .
Connection: close
Content-Type: text/html; charset=UTF-8

18. Testing for Captcha (OWASP-AT-
008)
Can be done offline: P
Download image and try to break it
Look for signs of weak third party components
PWNtcha - captcha decoder

19. Testing for Session Management
Schema (OWASP-SM-001)
Examine cookies for weaknesses offline P
Base64
MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFz
c3dvcmQ6MTU6NTg=
Is
owaspuser:192.168.100.1:
a7656fafe94dae72b1e1487670148412

20. Testing for cookies attributes
(OWASP-SM-002)
Secure: not set = no https P
HttpOnly: not set = cookies stealable via JS
Domain: set properly
Path: set to the right /sub-application
Expires: set reasonably

21. Testing for Session Fixation
(OWASP-SM-003)
Session ID NOT changed after login = Vuln P
Before Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c
After Login PHPSESSID:
10a966616e8ed63f7a9b741f80e65e3c

22. Testing for Exposed Session Variables
(OWASP-SM-004)
Session ID: P
In URL
In POST
In HTML

23. Testing for CSRF (OWASP-SM-005)
Look at HTML code: P
No anti-CSRF token = Vulnerable
Anti-CSRF token = Wait to ACTIVE testing ☺

24. Testing for Bypassing Authorization
Schema (OWASP-AZ-002)
Look at unauthenticated cross-site requests: P
http://other-site.com/user=3&report=4
Referer: site.com
Change ids in application: !
http://site.com/view_doc=4

25. Testing for DOM-based Cross site
scripting (OWASP-DV-003)
Review JavaScript code on the page: P
<script> document.write("Site is at: " +
document.location.href + "."); </script>

26. Testing for Cross site flashing
(OWASP-DV-004)
Download and decompile Flash files: P
$ flare hello.swf
Static / Manual analysis

27. Testing: WS Information Gathering
(OWASP-WS-001)
Google searches: inurl:wsdl site:example.com P
Web service analysis:
http://www.example.com/ws/FindIP.asmx?WSDL
Public services search:
http://seekda.com/
http://www.wsindex.org/
http://www.soapclient.com/

28. Testing for WS Replay (OWASP-WS-
007)
Similar to CSRF: P
Is there an anti-replay token in the
request/response?

29. Testing for file extensions handling
(OWASP-CM-005)
_some_ attack traffic but subtle. File Uploads: !!
If upload.php or .asp, .html, .. is allowed by app
A valid GIF or JPG comment can be a valid
PHP script, etc ..
Difference from attack to legit can be subtle
File uploads are POST = 99% not logged

30. Testing for user enumeration
(OWASP-AT-002)
Error messages !
Time differences

31. Testing for Reflected/Stored Cross site
scripting (OWASP-DV-001+2)
Subtle look for signs of output encoding: !
O’Brien O&apos;Brien
O”Brien O&quot;Brien or O%22Brien
Ted..> Ted..&gt; or Ted..%3E
Ted,< Ted,.&lt; or Ted..%3C
Charset, etc..

32. Testing for SQL Injection (OWASP-
DV-005)
Do you get a SQL error? !
Strings: O’Brien
IDs: Instead of “1” type “1l” or “1 l”

33. Thank you
Abraham Aranguren
@7a_
abraham.aranguren@gmail.com
http://7-a.org
Special thanks to:
OWASP Testing Guide contributors
Mario Heiderich
Chris John Riley
Robin Wood