Methodology

For a huge list of things to test check out the OWASP Web Security Testing Guide

The process outlined here does not cover nearly half of what is covered in the WSTG; however, this is a good process to start with. The steps do not need to be performed in the order outlined here; however, I think this is a pretty good flow for me.

Checklist

• Port scan.

• Nmap scripts scan.

  • This may reveal the OS and HTTP server being used.

• Identify the technologies being used.

  • , , ,

  • Any known vulnerabilities in the application stack?

  • Any specialized tools that can be ran against that technology?

    • , ,

• Directory brute forcing

  • , ,

  • Always brute force new directories

  • The quality of your brute force is only as good as the list you use

• Check common file extensions:

  • php, html, asp, aspx, bak, tmp, txt

• Page brute forcing

  • after identifying the extension(s) used, brute force for specific pages in the discovered directories

• Vulnerability scanners

  • , , ,

• Spider

• Common files

  • robots.txt

  • security.txt

  • sitemap.xml

  • crossdomain.xml

  • clientaccesspolicy.xml

• SSL Certificate

  • Looking for domains, IPs, emails, names

• Identify if there is a web application firewall

  • ,

• Find hidden parameters

• Brute force parameters

  • Parameters can be in the URL, cookies, body of a post request

  • SQLi

  • Directory Traversal

  • File Inclusion

• Locate entry points that accept user input

  • This is where things can get really complicated as there are a lot of ways user input can be vulnerable.

• Check for PUT and MOVE capability

• Check for WebDav

• Check for backup files

• Download all JS files

  • ,

• Look for secrets in the JS files

• Analyze JS files for:

  • Relative URLs

  • Endpoints

  • Hard coded credentials

  • Other potential vulnerabilities

  • , , ,

• • ,

    Resources and Other Checklists