Web Application Scoping

Approach:

Web application assessments can be performed either remotely or on-site, depending on the application’s exposure. The assessment aims to identify any vulnerabilities that can be exploited to attack the system or other users, bypass controls, escalate privileges, or extract sensitive data. The consultants will use proven non-invasive testing techniques during the assessment to identify any weaknesses quickly. The application is viewed and manipulated from several perspectives, including with no credentials, user credentials, and privileged user credentials.

Cyber Alchemy’s web application testing methodology covers the OWASP Top Ten standard, representing a broad consensus about the most critical security risks to web applications. The OWASP Top Ten for 2021 is as follows:

• • A01:2021-Broken Access

• • A02:2021-Cryptographic Failures

• • A03:2021-Injection

• • A04:2021-Insecure Design

• • A05:2021-Security Misconfiguration

• • A06:2021-Vulnerable and Outdated Components

• • A07:2021-Identification and Authentication Failures

• • A08:2021-Software and Data Integrity Failures

• • A09:2021-Security Logging and Monitoring Failures

• • A10:2021-Server-Side Request Forgery

Methodology:

The first step of the engagement is to set primary contacts on both sides, define the testing objectives and set the context. From this, a bespoke approach can be crafted to extract the maximum amount of value from the engagement. Once this has been done, Cyber Alchemy will begin the assessment, covering the following categories of the OWASP testing guide v4.2. Examples of the type of testing and its objectives are given for each category. Specific testing will depend on the technology and protocols implemented and the testing objectives.

Information Gathering

• • Open Source INTelligence (OSINT) reconnaissance of the system.

• • Fingerprinting the technologies in use by the web server and web application.

• • Mapping the application architecture.

Configuration and Deployment Management Testing

• • Test the configuration of the network infrastructure and application platforms.

• • Test the HTTP methods (verbs) that are implemented.

• • Discover sensitive information from unreferenced and hidden files.

• • Test for subdomain takeover.

• • Establish if cloud storage, such as AWS S3 or Azure Blob, is implemented, and if so, we will test for vulnerabilities in the implementation.

Identity Management Testing

• • Testing for account role definitions, in line with best practices such as the principle of least privilege.

• • Account enumeration through functions such as the login or account.

• • Testing that the applications utilise a secure username policy.

• • Testing the user registration and account provisioning processes.

Authentication Testing

• • Find possible brute-force password guessing vectors in the application.

• • Find valid login credentials with password grinding.

• • Assess the lockout policy for failed attempts.

• • Determine the application logic to maintain authentication sessions, such as the number of failures, logins allowed, and login timeouts.

• • Assess the password policy and any other authentication functions.

• • Determine the limitations of access control in the applications – access permissions, login session duration, and idle duration.

Authorisation Testing

• • Testing for directory traversal file inclusion.

• • Testing for bypassing authorisation schema.

• • Testing for privilege escalation.

• • Testing for insecure direct object references.

Session Management Testing

• • Testing to ensure session information is protected through cookie attributes and other measures.

• • Testing session timeout and logout functionality.

• • Testing for session hijacking, session puzzling and session fixation.

• • Testing for Cross-Site Request Forgery.

Input Validation Testing

• • Testing for stored and reflected Cross-Site Scripting (XSS) vulnerabilities.

• • Testing for SQL Injection.

• • Testing for HTTP verb tampering and parameter pollution.

• • Testing for technology-specific injection vectors, such as LDAP, IMAP and SMTP injection.

• • Testing for XML and Xpath Injection.

• • Testing for HTTP splitting and smuggling vulnerabilities.

• • Testing for Host header injection.

• • Testing for Server-side template injection.

• • Testing for Server-side request forgery.

Testing for Error Handling

• • Testing for improper error handling.

• • Testing for stack traces.

Testing for Weak Cryptography

• • Ensuring all areas of the system are protected by strong cryptography, in line with any compliance requirements the system might have.

Business Logic Testing

• • Testing the application based on the context and expected functionality to uncover issues that could allow an attacker to impact the organisation. This could be through areas such as;
    • Application Misuse
    • Circumventing workflows

    • • Bypassing integrity check

• • Testing the business logic inputs for semantic and syntax correctness.

• • Testing for vulnerable file uploads that could, such as uploading a malicious file or file types.

Client-side Testing

• • Testing for client-side injection attacks, such as DOM-Based Cross-Site Scripting (XSS) and HTML injection.

• • Testing for Clickjacking

• • Testing WebSockets implementation.

• • Testing the Cross-Origin Resource Sharing (CORS) implementation.

• • Testing Browser Storage is configured correctly and doesn’t contain unsecured secrets or could be leveraged to conduct an injection attack.

API Testing

• • Testing any API integrations that the web application utilises, applying other areas of the OWASP WTSG to the API, as required.