This document provides guidance on how to start web application penetration testing. It recommends gaining basic knowledge of web technologies like HTTP, HTML, and JavaScript as well as common web vulnerabilities. Tools mentioned include web proxies like Burp Suite and web spiders. The workflow outlined includes information gathering, authentication testing, session management testing, authorization testing, parameter fuzzing, file uploads testing, and denial of service testing. Specific techniques are described for each part of the testing process, such as identifying all application entry points, brute forcing credentials, investigating session tokens, and ensuring proper session termination.

1. How to start in web-application penetration testing

2. Max Dzhalamaga
How to start in web-application
penetration testing

3. What I need for start?
Skin-deep knowledge:
• Web technologies
• Http protocol
• Html
• JavaScript
• Web vulnerabilities

4. Tools:
• Web proxies:
• Fiddler
• Burp Suite
• …
• Web spiders:
• Burp Suite
• WebScarab
• …
What I need for start?

5. Workflow
• Information gathering
• Test authentication
• Test session management
• Test authorization
• Fuzz parameters
• File Uploads
• Denial of Service

6. Information gathering
• Manual surfing
• Robots.txt
• Spidering
• Search in public sources
• User-Directed Spidering

7. Information gathering
• Hidden content
• Comments
• Logical names
• Brute-Force
• HTTP headers
• Vulnerability in third-party components
• Answers from server (Server header, custom headers, html templates)
• Default content (Wikto)
• Identify all entry points

8. Test authentication
• Determine the type of authentication mechanism
• HTML forms-based authentication
• HTTP basic and digest authentication
• Client SSL certificates and/or smartcards
• …
• Check the required password complexity
• Review the rules
• Try to register accounts
• Try to change password
• Very short or blank
• Common dictionary words or names
• The same as the username
• Still set to a default value
Administrative passwords may in fact be weaker than the password
policy allows.
password
website name
12345678
qwerty
abc123
111111
monkey
12345
Login name

9. Test authentication
• Test for delay after login with wrong credentials
• Duration of the lockout
• Number of failed attempts
• The way, how server detects it
• Test the error handle mechanism
• Difference between messages text
• Minor differences in responses
• Different time of response

10. Test authentication
• Test “change password” functionality
• Verbose error message if invalid username
• Brute-force of password
• Username enumeration
• Test “password recovery” functionality
• Simple questions
• Brute-force of answer easier than password

11. Test authentication
• Test “remember me” functionality
• Simple persistent cookie: Remember=username;
• Identifier of user: Remember=475;
• Brute-Force credentials

12. Test session management
• Investigate session Token
• Try to decrypt
• Try changing the token’s value one byte at a time
• Brute-Force token value
• Session termination and Log out functionality

13. Test session management
• Ways of stealing token
• XSS
• Session fixation
• Cookie’s parameters
• Path restriction
• Domain restriction
• Secure
• HttpOnly

15. To add text
To add Title