[00:00:11] Hey everyone, my name is J.R. Johnson and my talk today is going to be a crash course for web application penetration testing.

[00:00:20] So first, just a little bit of background about me. I'm a principal security engineer at Triaxiom Security. I've got a bunch of letters up to this point in my career, including some web app related certs from SANS and OffSec. More importantly, I'm a dad to two mostly wonderful kids. I enjoy competing in CTFs with the other guys on our pen test team, and I also enjoy collecting and drinking bourbons and ryes. There are my Twitter and Discord handles if you have any questions during or after the talk. I'm pre-recording this so I can respond to any questions that come up live during the talk, so reach out to me on Twitter or Discord.

[00:01:04] A little bit more about me. I don't normally do this much background on myself, but I added this slide in because I think it's valuable to understand how I got into pen testing and what perspective I'm approaching it from. I spent a little over seven years as primarily a full stack developer supporting the Air Force. During that time I accumulated a lot of different responsibilities, things like server enclave management and certification and accreditation, that started to shift my focus more toward application security. Ultimately, before I left that job, I started performing cybersecurity evaluations for command and control systems used by joint services, which really convinced me to make the full jump over to the private sector and start doing penetration testing.

[00:01:52] With that background, when I got into the private sector, web applications naturally became my specialty when I was working as a consultant. And as a lot of you probably know, when you work as a consultant that does penetration testing, you get to work with a really diverse set of organizations, and so I got to see a lot of different types of applications and a lot of different architectures over the past several years working as a penetration tester.

[00:02:22] During those years, and more specifically as I was researching this talk, one thing was pretty clear: people absolutely love the OWASP Top 10. Every talk I watched preparing for this that was even remotely related to pen testing had an OWASP Top 10 slide or was covering the OWASP Top 10. Don't get me wrong, there's certainly value there and the OWASP Top 10 is important, but it's not really the focal point of thoroughly testing an application.

[00:02:59] That led me to organizing this as a primer for web app pen testing based on my real world approach. This is what I've used to train other penetration testers in this space over the past several years, and it's what I continue to use as I do application penetration testing, or as I encounter applications in other types of testing.

[00:03:21] Just for basic background, the OWASP Top 10 is not a testing methodology. It's a categorization of vulnerabilities based on industry surveys that were sent out, so it categorizes them into these groups and ranks them by impact and prevalence. It's a good thing because it can be used to educate companies on how they can weed out those vulnerabilities in their development processes. It gives them an idea of some of the really important things they should be looking for and trying to avoid. But ultimately, as I mentioned, it's not going to teach a penetration tester how to conduct an assessment.

[00:04:05] OWASP does have a security testing guide which they publish, which is very detailed and is a really great reference to use during testing, but it's more of a checklist for making sure you've covered everything rather than an approachable process as you're evaluating an application. So it's a bit of a complex set of vulnerabilities that you should be looking for, but they're not really in a particular order where you can run down the list.

[00:04:36] Ultimately, a ton of talks in this space, in web application security in general, focus on some really cool attacks, some relevant exploits, or things that are particular to a certain technology or stack, but these things don't apply in all situations. So one of the things I didn't find as I was looking through all these different talks and looking for other industry resources is a more realistic approach to penetration testing, something that you can use that's more repeatable in every scenario.

[00:05:12] That ultimately led to this talk. So as we're going through this, why should you care? First and foremost, if you're a penetration tester, the goal here is to start off with a basic repeatable approach that works for any application you encounter. This is going to be across every type of penetration testing, really. This is going to focus on web application penetration testing specifically, but it's got applications in network level testing, where you may find an application on the external perimeter of an organization, or internal penetration testing, maybe when you're running out of options on an internal network so you start digging into applications a little bit more. Through each of these different areas where you might encounter web applications, the goal is to give you a consistent approach to identify more vulnerabilities so you feel comfortable when you start looking at applications.

[00:06:10] If you're a blue team or a developer, there's still a lot that you can learn from this material today. If you can understand how an attacker thinks about the applications that you're trying to defend, you can better identify the attacks that they're going to be using, and it'll help you cut those attacks off earlier in the kill chain, potentially. Yes, I just said kill chain, so drink.

[00:06:38] A brief overview of what we're going to cover today. I'm going to touch on what makes web application penetration testing unique compared to the other types of assessments that are out there, and why this is a more unique problem for web app pen testing than, say, coming up with a process for an external pen test. Then we're going to talk through what that realistic high-level assessment approach is. We'll start with planning and we'll work our way all the way through QA and reporting.

[00:07:08] Like I said, web applications are unique. As an attack target there are some differences and some things to consider when you're looking at them. First and foremost, web applications are important. In more and more cases, applications represent the primary, if not the only, things that organizations are exposing to the internet. We're seeing more and more attack surface get cut off through the use of VPN, of multi-factor authentication on things like VPN and email, and so attackers are focusing on other targets like web applications. In addition to that, applications are often driving the core business of organizations now. What do I mean by that? Things like SaaS companies, companies with an e-commerce presence: the impact of application compromises can be extremely high when your business model is focused on these applications staying up and not being compromised. So overall, web applications are important.

[00:08:16] A quick statistic from a recent report I saw from Forrester on the state of application security: 42 percent of organizations that had experienced an external attack blamed the incident on a software security flaw. Take this for what you will; this is just some random statistic, and I think the number might be a little high, honestly, if you had to ask me. But the point still stands: as network security improves in other ways, attackers have to shift their focus. A lot of times we're talking about this in the context of social engineering, which is certainly still true, but this also applies to exposed web applications.

[00:08:56] When you're looking at a web application, typically there are some starting points for our approach that are true most of the time. If you're calling something a web application penetration test, it really needs to be an authenticated assessment. If you just do unauthenticated web app testing, it's kind of like having a home inspection where they're just checking if the front door is locked, maybe checking around the house to see if the outside of it looks good, but they're never actually going into the house. There's so much that could be wrong inside, but you never know if you're not doing authenticated testing for an application that you're really trying to evaluate.

[00:09:34] That's why in most cases web application penetration tests are conducted as gray box assessments. We're given some things, maybe an application walkthrough, some credentials to authenticate as different user roles, maybe some information about the architecture or the business use cases, but most of the time we're not going to have full access to source code. A lot of organizations will categorize that as a separate type of assessment that's usually a lot more thorough, so this is not going to be the norm for what most organizations can afford or what they're ready for.

[00:10:12] But what makes web app testing different given all these things? First and foremost, every application you encounter is going to be different, just from the sense of the tech stack it's using: what language it's written in, what framework it's leveraging, the underlying architecture, everything from cloud architecture now to Linux versus Windows operating systems, to how it's built or how the traffic flows through the application. Is it a thin front end where there's an API it's using? All these different things create unique combinations, and each unique combination has a unique attack surface. So a standard testing checklist is extremely difficult when we're talking about web applications. Web applications are all going to be unique, they're all going to be different, so there are certain things that just aren't going to apply. You have to really consider what you're looking at and how to manipulate your checklist to work in every scenario.

[00:11:19] That's what we want to try and do here. I want to try and address some of those challenges to create a baseline, just a simple, basic, repeatable approach that you can use in any situation when you're trying to evaluate the security of a web application.

[00:11:36] Here's what the high level process I'm proposing looks like. This is what I tend to use as we're going through an application, and these steps should be somewhat familiar. You can break them down in a lot of different ways, and maybe you'll want to customize this if it's something you're going to use over and over again, but ultimately the five steps that we've broken this into are: planning and preparation, which is basically everything you need to do before you start testing anything; then unauthenticated testing, which is the part of testing where you're basically emulating an attacker on the outside trying to break in, trying to gather sensitive information, anything that you can do that doesn't require credentials to the application; then we focus on the login process, so basically everything that happens as you authenticate to the application and how the application tracks your state, what state you're in and how it performs session management; then the authenticated testing piece, which most of the time is going to be the bulk of your testing, basically looking for all these different types of vulnerabilities after you've logged into the application; and finally, just hitting on some things that are important to keep in mind as you wrap up with quality assurance processes and reporting for an assessment.

[00:12:55] So first, planning and preparation. At this point you're really just getting ready to test something, so there's really nothing technical you need to be doing at this point. You need to have all the necessary paperwork in place, things like contracts and your ROE, prior to getting started; there are plenty of other talks that have gone through things like this. You've got to get some target information and credentials from whoever you're doing the testing for, and make sure you understand any restrictions that are in place for your testing, any areas of the application that are off limits, what is and is not in scope. In a lot of cases maybe you're going to get an application walkthrough from a stakeholder of the application on how they use it, just so you can have a little bit more context as far as a use case or what normal usage of the application looks like, and that'll help inform your testing too. Ultimately, for all these things, we're not going to spend too much time here during this talk. Really, this isn't the interesting stuff, so there's no reason to spend too much time here, and there are other talks that focus on penetration testing preparation that is repeatable and things that you can do for any type of assessment.

[00:14:11] But with your preparation, I do want to touch on some important considerations with your tooling at this point. This is probably going to be the most specific I get in this talk, just talking through some of the things to keep in mind as you're getting ready to do testing. The most important tool in our toolkit as web application penetration testers is arguably whatever intercepting proxy we're going to use for the assessment. I primarily use Burp Suite Pro. I think it's by far the most prevalent at this point in my experience, and I just really think it's the best for this. These things can apply for every intercepting proxy, but you'll see my screenshots do use Burp Suite as the example. There are going to be a few tips that will help save you time and make sure you're consistent in how you're assessing applications moving forward.

[00:15:06] The first thing here is to always, always start projects that are saved to disk. This is something that I've learned the hard way, unfortunately, from time to time. It's very easy to just start up temporary projects as you're testing; it helps you get into it more quickly. But even if you're doing some quick checks, or you're going back to double check things, it's always good to save those Burp files to a project folder just so you can go back and reference them, and then obviously clear them out over time as you don't need them anymore. I can't tell you how many times I've gone back and had to retrieve some type of valuable information from those Burp files that I wouldn't have had if I hadn't saved them. So very simple, but something that's really valuable as you go through and want to be more consistent in your testing.

[00:15:51] Additionally, when you or your organization finds and sets up a set of valuable configurations, things that you've collected over time or things that you want your entire team to use, even little quality of life changes, these things should really be saved into configuration settings and reused. You can export these from Burp Suite as project options or user options. There are different options that apply to a project versus a user, so there are some slight differences there, but these things can really speed up your startup time when you're beginning a test and make sure you don't forget anything that's really important.

[00:16:34] Under project options, we use this for things like your custom Burp Collaborator. If you leverage a custom Collaborator, such that you own the host that all of your client traffic is flowing to and from, you want to make sure that's configured every time you do an assessment. Additionally, under user options there are things that can just be simple quality of life improvements to make things a little bit faster and a little bit less painful. You can change your backup frequency; I think by default it's something like 60 or 90 minutes that Burp's going to do an automatic backup. I think there's a lot of value in that, I like the automatic backup feature, but a lot of times I will increase that time period to something like 120 or 180 minutes just so it's less disruptive. Additionally, things like disabling your proxy on startup so you're not automatically intercepting traffic and wondering why your webpage keeps freezing (I know that's happened to me several times), make sure that's disabled on startup. Or configuring a SOCKS proxy that you leverage every time you do testing: if you have specific testing instances where you need to proxy your traffic through for web applications, you can save all that and just load it as a configuration file the next time.

[00:17:47] Also within Burp there are some amazing capabilities you have at your fingertips with extensions, and new ones just continue to roll out that I find more value in every day. A couple of the common ones that I use are things like Active Scan++. This just extends all the scanning checks that Burp uses and helps to identify some things that there's value in as an attacker but that Burp won't look for natively, so things like suspicious input transformations, host header attacks, little things like that. Additionally, beyond Active Scan++, there's J2EEScan. This just provides some additional coverage for vulnerabilities that are specific to certain frameworks, things like JBoss, Struts, Grails, and it does provide some tools to exploit those vulnerabilities if they're found as well. So it really just provides a thin layer of extra checks where you don't really have to do anything additional; it'll just look for that stuff in the background. Probably most importantly is Logger++. This really extends Burp's logging capabilities in such a way that makes the request and response logging more valuable, so this is really useful for troubleshooting or tracking responses when you're doing scanning. A lot of times if you're doing a scan it's really difficult to see
00:19:10,080 --> 00:19:12,720 if what kind of responses you're getting 585 00:19:12,720 --> 00:19:13,840 maybe if you're 586 00:19:13,840 --> 00:19:15,520 accidentally timed out or your 587 00:19:15,520 --> 00:19:17,120 authentication macro isn't working 588 00:19:17,120 --> 00:19:17,919 properly 589 00:19:17,919 --> 00:19:19,760 logger plus plus kind of fills that gap 590 00:19:19,760 --> 00:19:22,000 and gives you more ready access 591 00:19:22,000 --> 00:19:25,039 to to burp logs 592 00:19:25,039 --> 00:19:26,720 and then there's a ton of other 593 00:19:26,720 --> 00:19:28,400 extensions to consider just based on 594 00:19:28,400 --> 00:19:29,679 your target 595 00:19:29,679 --> 00:19:31,440 so like i said this isn't going to be 596 00:19:31,440 --> 00:19:33,360 necessarily going into 597 00:19:33,360 --> 00:19:36,640 some specific extensions to use 598 00:19:36,640 --> 00:19:39,120 for for specific scenarios but there's 599 00:19:39,120 --> 00:19:40,880 tons of stuff that you can use like 600 00:19:40,880 --> 00:19:43,200 json web tokens is an extension that 601 00:19:43,200 --> 00:19:45,760 helps manipulate jwt's 602 00:19:45,760 --> 00:19:48,799 um java deserialization scanner 603 00:19:48,799 --> 00:19:50,640 is exactly what it sounds like but that 604 00:19:50,640 --> 00:19:53,360 will help you identify deserialization 605 00:19:53,360 --> 00:19:56,080 issues and then exploit those issues and 606 00:19:56,080 --> 00:19:58,320 then things like graphql raider 607 00:19:58,320 --> 00:20:00,720 if you end up testing applications that 608 00:20:00,720 --> 00:20:02,400 leverage graphql 609 00:20:02,400 --> 00:20:04,000 that'll kind of ease that process as 610 00:20:04,000 --> 00:20:06,559 well so a ton of random stuff definitely 611 00:20:06,559 --> 00:20:08,559 go check out the 612 00:20:08,559 --> 00:20:12,080 the list in the burp application store 613 00:20:12,080 --> 00:20:15,199 within the extender tab 614 00:20:16,320 --> 00:20:18,320 another thing to 
consider so whenever 615 00:20:18,320 --> 00:20:19,679 you're doing testing you want to 616 00:20:19,679 --> 00:20:22,240 configure your scope every time 617 00:20:22,240 --> 00:20:24,159 and so this is something that is so 618 00:20:24,159 --> 00:20:26,159 simple it takes two seconds 619 00:20:26,159 --> 00:20:27,600 but you want to make sure you do this 620 00:20:27,600 --> 00:20:29,360 and use advanced scope control 621 00:20:29,360 --> 00:20:32,720 so you're not missing any sub domains or 622 00:20:32,720 --> 00:20:37,360 valuable information in your target tab 623 00:20:37,520 --> 00:20:40,240 but you're not collecting extra 624 00:20:40,240 --> 00:20:41,520 additional information that you have to 625 00:20:41,520 --> 00:20:42,240 sift through 626 00:20:42,240 --> 00:20:43,679 let's just basically make sure that 627 00:20:43,679 --> 00:20:45,600 you're only seeing things that are in 628 00:20:45,600 --> 00:20:46,240 scope 629 00:20:46,240 --> 00:20:48,320 based on what you define here and you're 630 00:20:48,320 --> 00:20:49,919 not getting anything extra that muddies 631 00:20:49,919 --> 00:20:52,799 up the information 632 00:20:55,440 --> 00:20:58,320 another thing to consider here is we 633 00:20:58,320 --> 00:21:00,480 need to use a browser to send traffic 634 00:21:00,480 --> 00:21:01,600 through burp obviously 635 00:21:01,600 --> 00:21:04,880 so we have two distinct options 636 00:21:04,880 --> 00:21:07,280 um on the left you'll see the first 637 00:21:07,280 --> 00:21:08,080 option and 638 00:21:08,080 --> 00:21:09,600 you know i'm a huge fan of it now that 639 00:21:09,600 --> 00:21:11,120 it's become more stable 640 00:21:11,120 --> 00:21:13,840 is burp's embedded browser so this is 641 00:21:13,840 --> 00:21:16,480 very easy from your 642 00:21:16,480 --> 00:21:18,960 proxy tab you can simply open a browser 643 00:21:18,960 --> 00:21:20,159 it's dedicated 644 00:21:20,159 --> 00:21:21,840 it automatically proxys things through 645 00:21:21,840 --> 
00:21:23,840 burp it automatically uses burp ca 646 00:21:23,840 --> 00:21:25,520 certificate so there's really no other 647 00:21:25,520 --> 00:21:27,120 setup you need to do 648 00:21:27,120 --> 00:21:29,200 it's the easy button and you can still 649 00:21:29,200 --> 00:21:30,159 do other things 650 00:21:30,159 --> 00:21:32,880 in your other browsers um without 651 00:21:32,880 --> 00:21:34,559 proxying that traffic through burp so if 652 00:21:34,559 --> 00:21:35,120 you're doing 653 00:21:35,120 --> 00:21:37,280 multitasking doing other things this is 654 00:21:37,280 --> 00:21:38,960 super convenient 655 00:21:38,960 --> 00:21:40,799 if you do still want to use another 656 00:21:40,799 --> 00:21:42,320 browser rather than burp's embedded 657 00:21:42,320 --> 00:21:42,799 browser 658 00:21:42,799 --> 00:21:43,919 then you've just got to make sure you 659 00:21:43,919 --> 00:21:46,159 have a way to quickly proxy traffic 660 00:21:46,159 --> 00:21:46,960 through burp 661 00:21:46,960 --> 00:21:49,440 so i use foxy proxy in those cases to 662 00:21:49,440 --> 00:21:50,960 make it really easy to turn my 663 00:21:50,960 --> 00:21:52,400 intercepting proxy on and off in the 664 00:21:52,400 --> 00:21:53,440 browser 665 00:21:53,440 --> 00:21:55,360 and then make sure you install burp ca 666 00:21:55,360 --> 00:21:57,200 certificate or else you can run into a 667 00:21:57,200 --> 00:21:58,320 lot of strange 668 00:21:58,320 --> 00:22:01,200 issues with trust 669 00:22:02,400 --> 00:22:06,720 so finally to summarize um 670 00:22:06,720 --> 00:22:09,120 burp suite pro or whatever intercepting 671 00:22:09,120 --> 00:22:10,400 proxy you're using 672 00:22:10,400 --> 00:22:12,320 consider some quick checks before 673 00:22:12,320 --> 00:22:14,400 getting started just to make things or 674 00:22:14,400 --> 00:22:15,600 make sure things are going to go as 675 00:22:15,600 --> 00:22:18,320 smoothly as possible so remember to save 676 00:22:18,320 --> 00:22:19,600 your 
project to disk 677 00:22:19,600 --> 00:22:22,159 loader save configs so you can reuse 678 00:22:22,159 --> 00:22:23,600 them be more consistent 679 00:22:23,600 --> 00:22:25,200 leverage extensions to make sure you're 680 00:22:25,200 --> 00:22:27,280 not missing anything in your testing 681 00:22:27,280 --> 00:22:29,200 configure scope so you're only seeing 682 00:22:29,200 --> 00:22:30,480 what you want to see 683 00:22:30,480 --> 00:22:33,440 within your burp application and then 684 00:22:33,440 --> 00:22:34,720 make sure you configure 685 00:22:34,720 --> 00:22:36,720 the browser or use a browser that will 686 00:22:36,720 --> 00:22:39,280 proxy your traffic smoothly 687 00:22:39,280 --> 00:22:41,919 and then you know profit so this way 688 00:22:41,919 --> 00:22:43,120 everything that you're doing during 689 00:22:43,120 --> 00:22:45,039 testing should be flowing through burp 690 00:22:45,039 --> 00:22:47,120 um and that way you won't miss anything 691 00:22:47,120 --> 00:22:48,720 um whether you're doing a web 692 00:22:48,720 --> 00:22:50,000 application penetration test 693 00:22:50,000 --> 00:22:50,960 specifically 694 00:22:50,960 --> 00:22:52,480 um or other types of testing we're 695 00:22:52,480 --> 00:22:53,919 looking at an application for maybe a 696 00:22:53,919 --> 00:22:56,960 small a shorter check 697 00:22:57,600 --> 00:22:59,760 all right so now let's jump into actual 698 00:22:59,760 --> 00:23:00,720 testing here so 699 00:23:00,720 --> 00:23:03,760 first is unauthenticated testing and 700 00:23:03,760 --> 00:23:06,799 at this phase of the project our goal 701 00:23:06,799 --> 00:23:09,200 is to gain access to the application 702 00:23:09,200 --> 00:23:10,880 without using any credentials we are 703 00:23:10,880 --> 00:23:11,760 provided 704 00:23:11,760 --> 00:23:13,520 or find sensitive information that 705 00:23:13,520 --> 00:23:15,120 shouldn't be exposed so this could be 706 00:23:15,120 --> 00:23:16,559 information that 707 
00:23:16,559 --> 00:23:18,320 is sensitive in nature that may be a 708 00:23:18,320 --> 00:23:20,400 risk on its own or it may help us 709 00:23:20,400 --> 00:23:23,520 in future attacks and i break this down 710 00:23:23,520 --> 00:23:24,240 into four 711 00:23:24,240 --> 00:23:27,520 primary pieces or steps here so the 712 00:23:27,520 --> 00:23:28,000 first 713 00:23:28,000 --> 00:23:31,600 is ocean plenty of people have done 714 00:23:31,600 --> 00:23:33,840 plenty of talks on the specifics here so 715 00:23:33,840 --> 00:23:35,200 i don't want to dive too far into the 716 00:23:35,200 --> 00:23:37,919 weeds of what ozin is or how you do it 717 00:23:37,919 --> 00:23:40,640 but you know to be honest for web app 718 00:23:40,640 --> 00:23:42,960 testing it isn't always a gold mine 719 00:23:42,960 --> 00:23:44,320 so it's something to consider it's 720 00:23:44,320 --> 00:23:45,200 certainly something you don't want to 721 00:23:45,200 --> 00:23:46,480 skip over 722 00:23:46,480 --> 00:23:48,720 but it may not be incredibly valuable 723 00:23:48,720 --> 00:23:50,159 depending on the context of the 724 00:23:50,159 --> 00:23:51,520 assessment 725 00:23:51,520 --> 00:23:54,080 so it can do things like provide context 726 00:23:54,080 --> 00:23:56,640 into the organization's business itself 727 00:23:56,640 --> 00:23:59,279 maybe information about how they operate 728 00:23:59,279 --> 00:24:01,919 or what they use this application for 729 00:24:01,919 --> 00:24:03,600 this could give you a hint as far as 730 00:24:03,600 --> 00:24:05,360 what's most critical within the 731 00:24:05,360 --> 00:24:07,279 application or what should be a biggest 732 00:24:07,279 --> 00:24:09,120 consideration 733 00:24:09,120 --> 00:24:10,480 and it could be helpful as you're trying 734 00:24:10,480 --> 00:24:12,559 to determine impact and risk of specific 735 00:24:12,559 --> 00:24:15,360 vulnerabilities 736 00:24:15,840 --> 00:24:20,559 otherwise it often provides 737 00:24:20,559 
--> 00:24:22,880 hints into application architecture as 738 00:24:22,880 --> 00:24:26,000 well so when you're doing oscent 739 00:24:26,000 --> 00:24:28,559 maybe you want to look at linkedin or 740 00:24:28,559 --> 00:24:30,480 job descriptions as they have posted to 741 00:24:30,480 --> 00:24:32,080 help fill in some of the blanks as far 742 00:24:32,080 --> 00:24:34,240 as what application architecture you're 743 00:24:34,240 --> 00:24:35,279 looking at 744 00:24:35,279 --> 00:24:37,760 this could give you some indication of 745 00:24:37,760 --> 00:24:39,679 what types of operating systems are in 746 00:24:39,679 --> 00:24:40,320 use 747 00:24:40,320 --> 00:24:42,640 whether they use any containerization 748 00:24:42,640 --> 00:24:44,840 like docker or kubernetes 749 00:24:44,840 --> 00:24:47,200 um and it could fill in some of the 750 00:24:47,200 --> 00:24:47,919 blanks 751 00:24:47,919 --> 00:24:49,520 if we don't find that information at 752 00:24:49,520 --> 00:24:51,919 later phases and then finally uh you 753 00:24:51,919 --> 00:24:53,600 know gathering emails and usernames 754 00:24:53,600 --> 00:24:55,120 could come in handy 755 00:24:55,120 --> 00:24:57,520 i don't always do this right off the bat 756 00:24:57,520 --> 00:24:59,600 unless i have some kind of target 757 00:24:59,600 --> 00:25:00,960 but it can't be useful if you find 758 00:25:00,960 --> 00:25:03,279 somewhere to launch password attacks 759 00:25:03,279 --> 00:25:06,480 or if you need to consider any other 760 00:25:06,480 --> 00:25:08,400 types of back doors that may be in scope 761 00:25:08,400 --> 00:25:09,919 for the application 762 00:25:09,919 --> 00:25:12,000 try and find usernames or credentials to 763 00:25:12,000 --> 00:25:15,840 use there 764 00:25:16,480 --> 00:25:18,480 and so next step is to evaluate the 765 00:25:18,480 --> 00:25:20,080 network layer i feel like this is often 766 00:25:20,080 --> 00:25:21,120 forgotten 767 00:25:21,120 --> 00:25:22,799 or completely 
bypassed when you're doing 768 00:25:22,799 --> 00:25:25,120 an application level assessment 769 00:25:25,120 --> 00:25:26,559 but i've definitely had luck here in the 770 00:25:26,559 --> 00:25:28,720 past so it's really not something you 771 00:25:28,720 --> 00:25:30,000 should completely ignore 772 00:25:30,000 --> 00:25:32,159 when you're conduct excuse me when 773 00:25:32,159 --> 00:25:34,240 you're conducting a holistic assessment 774 00:25:34,240 --> 00:25:35,840 you've really got to start at the bottom 775 00:25:35,840 --> 00:25:37,679 and work your way up um 776 00:25:37,679 --> 00:25:38,960 you know you don't have to do anything 777 00:25:38,960 --> 00:25:40,640 fancy here i'm just really talking about 778 00:25:40,640 --> 00:25:41,600 an nmap scan 779 00:25:41,600 --> 00:25:43,600 to help identify what other ports and 780 00:25:43,600 --> 00:25:46,080 services may be available on the host 781 00:25:46,080 --> 00:25:48,159 and then check into those to see if 782 00:25:48,159 --> 00:25:49,919 there's any potential attack surface we 783 00:25:49,919 --> 00:25:51,200 need to consider 784 00:25:51,200 --> 00:25:52,640 so we're just basically checking to see 785 00:25:52,640 --> 00:25:54,080 if there are any side doors or back 786 00:25:54,080 --> 00:25:55,600 doors that may be open 787 00:25:55,600 --> 00:25:57,360 and then whatever you do find from an 788 00:25:57,360 --> 00:25:59,120 nmap scan you want to manually interact 789 00:25:59,120 --> 00:26:00,159 with those services 790 00:26:00,159 --> 00:26:01,760 and try to identify vulnerabilities 791 00:26:01,760 --> 00:26:04,000 there look for vulnerable versions of 792 00:26:04,000 --> 00:26:05,200 software maybe 793 00:26:05,200 --> 00:26:06,960 try password attacks if you see 794 00:26:06,960 --> 00:26:09,039 something like ssh 795 00:26:09,039 --> 00:26:10,400 open with username and password 796 00:26:10,400 --> 00:26:13,120 permitted maybe try uh 797 00:26:13,120 --> 00:26:15,039 authentication 
bypasses or password 798 00:26:15,039 --> 00:26:17,039 attacks on like a tomcat login or 799 00:26:17,039 --> 00:26:18,080 something 800 00:26:18,080 --> 00:26:21,120 on a dish on like port 843 maybe 801 00:26:21,120 --> 00:26:25,120 any of these can help to either confirm 802 00:26:25,120 --> 00:26:28,240 attack or confirm architecture excuse me 803 00:26:28,240 --> 00:26:30,159 of the application itself 804 00:26:30,159 --> 00:26:32,320 or they could provide additional avenues 805 00:26:32,320 --> 00:26:35,520 of attack that we want to explore 806 00:26:36,559 --> 00:26:39,279 so we've covered ocean we've covered the 807 00:26:39,279 --> 00:26:40,720 network layer we're continuing to work 808 00:26:40,720 --> 00:26:42,480 our way up and now we're starting to try 809 00:26:42,480 --> 00:26:43,919 and identify the application 810 00:26:43,919 --> 00:26:45,520 architecture itself 811 00:26:45,520 --> 00:26:47,360 um so this is the part where you really 812 00:26:47,360 --> 00:26:49,600 want to gather as much information about 813 00:26:49,600 --> 00:26:50,559 the application 814 00:26:50,559 --> 00:26:52,960 as possible and start creating kind of a 815 00:26:52,960 --> 00:26:53,600 mind map 816 00:26:53,600 --> 00:26:55,760 understanding how the application 817 00:26:55,760 --> 00:26:58,720 functions and what pieces exist 818 00:26:58,720 --> 00:27:00,640 really really simple but i like 819 00:27:00,640 --> 00:27:02,080 wapalizer 820 00:27:02,080 --> 00:27:04,240 as part of as a browser add-on that 821 00:27:04,240 --> 00:27:05,919 basically helps to quickly identify 822 00:27:05,919 --> 00:27:07,840 these technologies and versions 823 00:27:07,840 --> 00:27:10,000 this is like my very very first most 824 00:27:10,000 --> 00:27:11,279 basic check when i look at an 825 00:27:11,279 --> 00:27:12,080 application 826 00:27:12,080 --> 00:27:13,760 it just automatically scrapes the page 827 00:27:13,760 --> 00:27:15,360 for artifacts that indicate which 828 00:27:15,360 
--> 00:27:17,039 services or libraries are in use 829 00:27:17,039 --> 00:27:18,559 it'll tell you the version numbers if it 830 00:27:18,559 --> 00:27:21,679 finds them really really simple stuff 831 00:27:21,679 --> 00:27:25,200 but can help speed up the process 832 00:27:26,640 --> 00:27:29,200 in addition so you know as you start 833 00:27:29,200 --> 00:27:30,159 making this 834 00:27:30,159 --> 00:27:32,320 this map or as you start mapping out the 835 00:27:32,320 --> 00:27:34,159 application infrastructure 836 00:27:34,159 --> 00:27:36,960 um you want to figure out or get a good 837 00:27:36,960 --> 00:27:37,600 assumption 838 00:27:37,600 --> 00:27:39,440 about different portions of the 839 00:27:39,440 --> 00:27:40,640 environment just so you know what you're 840 00:27:40,640 --> 00:27:41,440 working with 841 00:27:41,440 --> 00:27:43,440 and this is going to help inform testing 842 00:27:43,440 --> 00:27:45,120 later on in the process 843 00:27:45,120 --> 00:27:48,720 so from your browser to the web server 844 00:27:48,720 --> 00:27:50,559 first of all what web server is being 845 00:27:50,559 --> 00:27:52,080 used 846 00:27:52,080 --> 00:27:55,039 based on that web server do we have any 847 00:27:55,039 --> 00:27:55,919 indication 848 00:27:55,919 --> 00:27:58,159 of the os that's being used or where 849 00:27:58,159 --> 00:27:59,039 it's hosted 850 00:27:59,039 --> 00:28:00,559 do we know if it's in azure do we know 851 00:28:00,559 --> 00:28:02,399 if it's in aws 852 00:28:02,399 --> 00:28:04,640 you know do we see any any artifacts 853 00:28:04,640 --> 00:28:05,679 that could indicate they're using 854 00:28:05,679 --> 00:28:07,200 containerization services like i 855 00:28:07,200 --> 00:28:09,120 mentioned 856 00:28:09,120 --> 00:28:13,200 beyond that you could start to 857 00:28:13,200 --> 00:28:14,799 guess different parts of the 858 00:28:14,799 --> 00:28:16,240 architecture right so 859 00:28:16,240 --> 00:28:20,640 maybe in certain scenarios we 
see a 860 00:28:20,960 --> 00:28:23,840 net application right that's that's uh 861 00:28:23,840 --> 00:28:25,360 very likely hosted 862 00:28:25,360 --> 00:28:28,000 on a windows operating system because we 863 00:28:28,000 --> 00:28:30,720 see it's using the iis web server 864 00:28:30,720 --> 00:28:33,600 while we now have a pretty decent guess 865 00:28:33,600 --> 00:28:35,039 about in most scenarios what the 866 00:28:35,039 --> 00:28:36,720 database type will be 867 00:28:36,720 --> 00:28:39,120 probably 75 to 80 of the time it's going 868 00:28:39,120 --> 00:28:41,039 to be a microsoft sql database being 869 00:28:41,039 --> 00:28:42,080 used 870 00:28:42,080 --> 00:28:44,159 on the flip side if we see other 871 00:28:44,159 --> 00:28:45,679 indicators maybe that could 872 00:28:45,679 --> 00:28:47,279 be a guess that you know yeah it's 873 00:28:47,279 --> 00:28:49,279 probably not microsoft sql this might be 874 00:28:49,279 --> 00:28:50,399 my sequel or might be 875 00:28:50,399 --> 00:28:52,159 oracle database or postgres something 876 00:28:52,159 --> 00:28:53,919 like that these little things are just 877 00:28:53,919 --> 00:28:55,279 assumptions we want to start trying to 878 00:28:55,279 --> 00:28:57,679 make in addition 879 00:28:57,679 --> 00:29:00,159 what is processing our data or request 880 00:29:00,159 --> 00:29:01,200 for the application 881 00:29:01,200 --> 00:29:03,200 um is it being processed by the front 882 00:29:03,200 --> 00:29:05,840 end itself like a like an aspx page 883 00:29:05,840 --> 00:29:07,840 where the front end is doing the heavy 884 00:29:07,840 --> 00:29:09,919 lifting lifting and the data processing 885 00:29:09,919 --> 00:29:12,159 or is it like a thin client front end 886 00:29:12,159 --> 00:29:14,080 where there's really an api that's doing 887 00:29:14,080 --> 00:29:16,240 all the heavy lifting in between 888 00:29:16,240 --> 00:29:18,240 um is that on a subdomain what what does 889 00:29:18,240 --> 00:29:19,520 that 
look like where how does that 890 00:29:19,520 --> 00:29:20,559 traffic flow 891 00:29:20,559 --> 00:29:21,840 so we're starting to build this out in 892 00:29:21,840 --> 00:29:24,080 our mind we're trying to make make 893 00:29:24,080 --> 00:29:27,120 make educated guesses or or assumptions 894 00:29:27,120 --> 00:29:30,080 about the architecture that's in place 895 00:29:30,080 --> 00:29:32,240 but beyond just the architecture itself 896 00:29:32,240 --> 00:29:34,320 and what types of servers are in use 897 00:29:34,320 --> 00:29:36,720 what types of of 898 00:29:36,720 --> 00:29:38,559 what pieces of the application may be 899 00:29:38,559 --> 00:29:40,159 there we also want to know what's 900 00:29:40,159 --> 00:29:41,279 sitting in between 901 00:29:41,279 --> 00:29:43,760 us and the web server um so this these 902 00:29:43,760 --> 00:29:45,120 are just things that we have to account 903 00:29:45,120 --> 00:29:46,399 for during our testing 904 00:29:46,399 --> 00:29:48,080 so this might be a web application 905 00:29:48,080 --> 00:29:50,320 firewall that could be 906 00:29:50,320 --> 00:29:51,840 killing our requests something like 907 00:29:51,840 --> 00:29:53,440 cloudflare something like 908 00:29:53,440 --> 00:29:57,200 aws's waff there are 909 00:29:57,200 --> 00:29:59,039 going to be certain things that could 910 00:29:59,039 --> 00:30:00,960 kill our traffic before it even reaches 911 00:30:00,960 --> 00:30:02,240 the web server 912 00:30:02,240 --> 00:30:03,919 so if we identify that there's a laugh 913 00:30:03,919 --> 00:30:05,679 in place 914 00:30:05,679 --> 00:30:07,840 maybe that's going to affect how our 915 00:30:07,840 --> 00:30:09,760 requests are processed 916 00:30:09,760 --> 00:30:11,840 is there a load balancer in place this 917 00:30:11,840 --> 00:30:13,039 could tell us things like 918 00:30:13,039 --> 00:30:15,679 if we're seeing differences in response 919 00:30:15,679 --> 00:30:16,880 headers 920 00:30:16,880 --> 00:30:21,200 or if 
we're seeing different 921 00:30:21,200 --> 00:30:23,840 changes to our traffic as it goes to and 922 00:30:23,840 --> 00:30:24,640 from the server 923 00:30:24,640 --> 00:30:26,159 there may be a load balancer that's in 924 00:30:26,159 --> 00:30:27,760 the middle there and that's kind of 925 00:30:27,760 --> 00:30:28,640 changing 926 00:30:28,640 --> 00:30:31,760 how it handles the traffic 927 00:30:34,559 --> 00:30:36,320 so finally we're doing an authenticated 928 00:30:36,320 --> 00:30:37,600 testing we want to evaluate the 929 00:30:37,600 --> 00:30:40,080 application content itself 930 00:30:40,080 --> 00:30:42,720 um once we get to the application 931 00:30:42,720 --> 00:30:44,080 content itself 932 00:30:44,080 --> 00:30:45,760 this is again really we're getting more 933 00:30:45,760 --> 00:30:47,600 into that traditional 934 00:30:47,600 --> 00:30:50,000 web application process at this point 935 00:30:50,000 --> 00:30:51,919 but we're trying to identify 936 00:30:51,919 --> 00:30:53,840 again any sensitive information that may 937 00:30:53,840 --> 00:30:55,440 be disclosed 938 00:30:55,440 --> 00:30:57,600 this can be through things like direct 939 00:30:57,600 --> 00:30:58,880 rebrute forcing 940 00:30:58,880 --> 00:31:00,720 maybe we're looking at the http response 941 00:31:00,720 --> 00:31:02,240 headers in our proxy that we've got 942 00:31:02,240 --> 00:31:04,080 maybe we see code comments that we see 943 00:31:04,080 --> 00:31:06,000 from the responses in our proxy 944 00:31:06,000 --> 00:31:07,279 we're going to be looking at the account 945 00:31:07,279 --> 00:31:09,519 registration processes forgot password 946 00:31:09,519 --> 00:31:11,760 processes authentication processes 947 00:31:11,760 --> 00:31:13,279 all these things that are traditionally 948 00:31:13,279 --> 00:31:15,120 exposed if they're 949 00:31:15,120 --> 00:31:17,600 available to us we're going to be 950 00:31:17,600 --> 00:31:19,120 assessing them for things like username 951 
00:31:19,120 --> 00:31:19,919 enumeration 952 00:31:19,919 --> 00:31:22,159 uh password reset weaknesses password 953 00:31:22,159 --> 00:31:23,840 policies 954 00:31:23,840 --> 00:31:25,600 and then of course things like injection 955 00:31:25,600 --> 00:31:27,840 on on inputs maybe sqlite or bypass 956 00:31:27,840 --> 00:31:29,919 authentication little things like that 957 00:31:29,919 --> 00:31:32,480 but at this point in that process you're 958 00:31:32,480 --> 00:31:34,320 really looking to evaluate anything that 959 00:31:34,320 --> 00:31:35,200 is exposed 960 00:31:35,200 --> 00:31:38,960 prior to authenticating and then 961 00:31:38,960 --> 00:31:40,720 any other vulnerabilities at this point 962 00:31:40,720 --> 00:31:42,399 so you know if you're scanning inputs 963 00:31:42,399 --> 00:31:44,240 and you see other vulnerabilities that 964 00:31:44,240 --> 00:31:46,000 may be based on the specific target 965 00:31:46,000 --> 00:31:48,720 application architecture we want to test 966 00:31:48,720 --> 00:31:49,760 all those that don't require 967 00:31:49,760 --> 00:31:52,640 authentication as well 968 00:31:54,480 --> 00:31:57,760 moving into the login process so at this 969 00:31:57,760 --> 00:31:58,640 point 970 00:31:58,640 --> 00:32:00,240 we've tested the application as an 971 00:32:00,240 --> 00:32:02,159 authenticated attacker now we want to 972 00:32:02,159 --> 00:32:03,600 use the credentials that we've been 973 00:32:03,600 --> 00:32:04,640 given 974 00:32:04,640 --> 00:32:06,960 in order to evaluate the login process 975 00:32:06,960 --> 00:32:08,640 to get into the application 976 00:32:08,640 --> 00:32:10,240 so at this point i'm stepping through 977 00:32:10,240 --> 00:32:12,480 each request and response of the login 978 00:32:12,480 --> 00:32:13,679 event 979 00:32:13,679 --> 00:32:15,679 and really focus only on this attack 980 00:32:15,679 --> 00:32:17,919 surface so everything where it processes 981 00:32:17,919 --> 00:32:19,039 my 
credentials 982 00:32:19,039 --> 00:32:20,960 allows me into the application and 983 00:32:20,960 --> 00:32:23,200 issues me some kind of 984 00:32:23,200 --> 00:32:25,679 cookie or token to identify my session 985 00:32:25,679 --> 00:32:28,960 that's what i'm focused on here 986 00:32:28,960 --> 00:32:31,200 and so when i'm doing this it's more 987 00:32:31,200 --> 00:32:32,960 helpful to me to think about it in terms 988 00:32:32,960 --> 00:32:34,799 of what questions am i trying to answer 989 00:32:34,799 --> 00:32:37,360 as i evaluate it 990 00:32:37,360 --> 00:32:40,000 login processes can be so different it's 991 00:32:40,000 --> 00:32:42,640 really difficult to have a specific 992 00:32:42,640 --> 00:32:44,080 checklist because it's going to be 993 00:32:44,080 --> 00:32:46,080 you know you're going to kind of have to 994 00:32:46,080 --> 00:32:48,080 adjust based on how they handle 995 00:32:48,080 --> 00:32:49,600 authentication 996 00:32:49,600 --> 00:32:52,559 so you know everything from how do you 997 00:32:52,559 --> 00:32:52,880 log 998 00:32:52,880 --> 00:32:54,640 in how do you log out how do you change 999 00:32:54,640 --> 00:32:56,159 your password uh 1000 00:32:56,159 --> 00:32:58,159 does the application have username 1001 00:32:58,159 --> 00:33:00,880 enumeration that we were able to exploit 1002 00:33:00,880 --> 00:33:02,559 does the application support single 1003 00:33:02,559 --> 00:33:04,480 sign-on so if it does support single 1004 00:33:04,480 --> 00:33:05,200 sign-on 1005 00:33:05,200 --> 00:33:08,000 does it send you to a third party or is 1006 00:33:08,000 --> 00:33:09,600 it an on-prem sso and 1007 00:33:09,600 --> 00:33:12,480 is that in scope that could you know 1008 00:33:12,480 --> 00:33:14,240 really cut out a significant piece of 1009 00:33:14,240 --> 00:33:16,559 our assessment here if we're not able to 1010 00:33:16,559 --> 00:33:18,799 evaluate that single sign-on solution or 1011 00:33:18,799 --> 00:33:20,399 how that 
[00:33:20] ...information is communicating back and forth. Are all the functions associated with the login process encrypted? Very simple, but is anything not flowing over HTTPS, basically? Are there any anti-automation tools in place? So this may require going back and forth to the authentication process, obviously, but is there a CAPTCHA that's required, or is there an account lockout that's in place? Is there anti-brute-forcing, where maybe there's IP lockouts, exponential backoff, all those different kinds of things? And then if you do encounter a lockout, is it sending an email to the user providing them a notification? Is there any evidence that there's logging of that event, or anything like that?

[00:34:00] Once you get into the application, though, again, session management is very, very different across the board. So is it issuing you a cookie? And if it is issuing you a cookie or some kind of token, is that a homegrown type of solution, or is it leveraging something that is built in? So something like a PHP session ID or an ASPX auth cookie: those are built in using known-good libraries, so there's generally less attack surface, less to check there. But if it's something where you're not sure, or it looks like a custom solution, then you want to be looking for things like the entropy of that. Does it have cookie flags set on it? How is that session being managed? So is there a way to modify any contents of the session or token? Is there a new session ID that's issued when a user logs out, for example?

[00:34:54] And then for tokens, you have to consider any unique attack surface there as well. JSON Web Tokens, or JWTs, are becoming extremely popular as an open-source standard, and so they have a lot of unique attack surface that's outside the scope of this presentation, but it's really, really interesting if you run across them, so make sure you dive into those if you see them.

[00:35:18] And then finally, jumping into authenticated testing, so the last piece of the tactical testing here. Once we've completed testing the login process, now we basically have to look at everything else in the application. So as I mentioned earlier, this is the bulk of testing a lot of times. This is where you really have got to check all the features or all the elements of an app, and this is where you're looking for those exciting exploits most times: so injection points, file uploads, any type of parameter tampering, things like that. And the goal here is, again, to get access to sensitive information you otherwise shouldn't have, escalate your privileges in order to gain access to more sensitive features or functionality you shouldn't, or take over the underlying host, ultimately.

[00:36:10] And so when you're jumping into testing the authenticated portion of an app, this is where a lot of people get really overwhelmed really quickly. So this is where it's important to try and have a plan and stick to it. So for me, I follow a couple of rules as I'm assessing an application that are, you know, loose; it can change from time to time, but I generally focus on testing from the least privileged account to the most privileged account. And this is in order to, again, focus on the things that are most impactful first. So if there's a SQL injection for a free registered user that gives full access to the database, that's going to be more impactful than a SQL injection as an employee administrator, for example. It's also a little bit easier to sift through what functionality within the application is accessible to a low-level user versus an administrative user.

[00:37:04] I also test features in kind of the same way, so I'm testing features in order of highest potential impact for the organization. So I try and look through and understand the application, and as I'm looking through, I see what I want to target first, or what features or areas of the functionality I want to target first. So maybe I want to look at where sensitive data is stored within the application first, or how it's manipulated. For a healthcare, you know, SaaS product, ePHI disclosure is going to be really, really important, so I'll probably focus on any areas where I find that first. You know, whereas for an e-commerce website, I'll probably be looking at the cart first, maybe how users' payment card details are stored, or if they're stored, things like that. So you really want to adjust and focus on the highest potential impact so you can really make the most of your testing.

[00:37:53] Additionally, you may need to jump back and forth as you're testing in order to get full coverage and make sure you're checking everything. So what do I mean by this? When you log in as one user, you may need to grab identifiers, names, you know, different accounts to target, so you can check that when you're logged in as a different user. So if I want to move laterally, I'll log in as one user to get IDs, or, you know, particular data that I want to try and access, and then log out and log in as a different user and check whether I can access that data. Same thing applies for when you're trying to access administrative functionality as a lower-level user. If you're trying to change parameters and access features, you may not even know they're there until you log into the administrative user, and then you'll have to go back and check for them. So just keep in mind that testing is a loop.

[00:38:47] And when you're doing that, it can be hard to keep track of features that, you know, one account has access to versus another. Most of the time, for small applications, I'll do this by hand and create kind of a list of what one user can access but another user can't. But for larger apps, you can definitely use built-in tools like Burp's compare site maps functionality. So you can basically browse the application as one user, log out, browse the application as another user in another instance of Burp, and compare the site maps of the two to very easily identify what one user has access to but the other user doesn't, or shouldn't, at least.

[00:39:27] And so as you're doing this testing, as you're going through all of this testing and looking for things like parameter tampering, or looking for things like, you know, cross-site scripting, you've got to keep context in mind, more importantly here than in any other type of assessment. You've got to make sure you're looking for the right types of vulnerabilities. You know, it doesn't make sense to look for a polar bear in the rainforest. Basically, what I'm saying here is if no input is being sent to the back end, don't bother checking for SQL injection. If there's not a templating engine in use, for example, there's not going to be server-side template injection. So many times I've seen testers that want to look for these really crazy vulnerabilities and look to take over an underlying host, but there's no file upload functionality, for example, so you're really kind of barking up the wrong tree and putting all your eggs in the wrong basket. So just keep that in mind as you're going through a web application.

[00:40:26] And then one final note here on authenticated testing. So as I mentioned, we really didn't go into any details on specific vulnerabilities or what specific issues to check for, but as you're going through and doing manual testing, you still want to make sure you're scanning with Burp, or whatever active scanning tool you're using, as you go through, because this is really going to cover a lot of fuzzing, you know, vulnerability checks, trying to induce useful errors that you can analyze. You still want to make sure you're doing that. And so as you do that, the important thing I want to note here is not to just click go and throw an application scan at the entire web application tree. For example, you know, you don't want to do an active scan of every single thing in your target map within Burp Suite. Not only is this going to be really, really inefficient, but it can get really messy within the application, so you could end up masking real findings with garbage input, or you could be missing stuff. You know, if you scan all these things at once and the scan fails, you have absolutely no idea how far it got or where the scan started to fail, or if you got de-authed, for example; you're never going to know, so you're going to be missing pieces of things.

[00:41:38] So for me, one of the most important things I do as I'm going through and trying to scan an application is to be a little bit more selective about how I do that. So I configure my scanner. I have a specifically configured scanning profile, which for you guys, the most important thing there is just to make sure you're doing a thorough scan within Burp Suite, because that will do all of the checks for vulnerabilities, but also to aim it at specific parameters. And when I say aim it, so I'm basically looking at particular requests of interest, and I'm choosing which parameters I scan rather than scanning all of the parameters associated with a particular request. And, you know, maybe I'll scan all the parameters once, or I'll scan certain parameters once, but on subsequent tests, or when I'm looking at different requests with the same parameters, I'm only going to look at the ones that are of high value or of interest to me: the ones that I know are being processed by the back end, for example, or ones that are particular fields that might be interesting. And by doing this, not only is scanning going to complete a lot faster, with a lot fewer errors, we're not going to overwhelm the application with too many requests; any issues we run into during scanning, we're going to be able to quickly identify them and know where to restart. Any issues we have are just going to be localized effects.

[00:43:02] And so if you're not familiar with how to do that within Burp, here's just a quick screenshot to cover it. On a request, you can see at the very top you can just scan something broadly, and that's going to hit every single header, every single cookie, every single parameter within the request. What I do instead is I send a request to Intruder, and then within Intruder I mark the specific parameters that are of interest to me, and then I scan those defined insertion points. And again, by doing this, I'm scanning in bite-sized pieces, I get results a lot more quickly, and I make sure I don't overwhelm the application.

[00:43:42] And so to wrap up our high-level process here with QA and reporting. So the goal here, at this point in the project, is really just to make sure that every vulnerability is reported accurately and you're giving organizations enough information to fix these issues. So, you know, again, nothing exciting or sexy here; we're really just kind of covering this for completeness. But you want to make sure you've got full coverage in your testing of the application. Make sure you didn't miss any major portions or major features that could be considered critical. Beyond that, you also want to make sure you identified key strengths alongside weaknesses during your testing. You want to be realistic in how you're ranking risks for the organization. You know, if you call everything critical, they're not going to know how to prioritize their efforts; they're not going to know what to really focus on. So make sure the criticals are really critical and others are just ranked lower. And then, ultimately, make sure all of your findings that you are reporting, regardless of criticality, are clear and detailed enough for a developer to be able to fix them. Our goal as penetration testers is obviously to create more secure applications, and if developers don't know how to go back into an application and fix these things, then there's going to be problems; we're going to see the same vulnerabilities pop back up again in future tests.

[00:45:01] And finally, just to wrap us up here. So ultimately, the whole point of this talk is to make web application penetration testing more organized and more approachable for everyone. So everybody loves to talk about the OWASP Top 10, but for testers, that really doesn't do you much good when you're trying to figure out how to approach an application. So hopefully now, I know this was really high level, there's definitely room for more detail in a lot of these different sections that could be entire talks of their own, but hopefully you now have a repeatable process for any time you come across apps, whether that is with web application testing specifically, or in other types of application testing where there's a web application as part of the attack surface. And for defenders, now you have a little bit of an idea about how penetration testers or attackers are going to think about applications they come across.

[00:45:55] All right, and as I mentioned earlier, I recorded this talk, so I will be available on Twitter or Discord at any point to answer any questions that may come up or to go into more detail, because I know this was a really small time window to fit in everything you want to know about web application penetration testing. So if you want to have a further conversation about any of these topics, I'd love to; just reach out to me. Thanks, everyone, for your time.
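As an added example that is not part of the talk or its slides, the session-management checks the speaker lists around the 34-minute mark (framework-issued versus homegrown cookie, cookie flags, entropy of a custom identifier) scripted over the Set-Cookie headers of a login response. The header values are constructed; PHPSESSID and .ASPXAUTH are the real PHP and ASP.NET defaults, while the cookie names sessid and remember, the sample values and the 64-bit threshold are assumptions chosen for this illustration.

```python
"""Audit Set-Cookie headers for the session-management checks the talk lists.

Added example, not the speaker's code or slides. The header values below are
constructed; PHPSESSID and .ASPXAUTH are the real PHP / ASP.NET defaults, the
other cookie names are made up for illustration.
"""
import math
from collections import Counter
from http.cookies import SimpleCookie

# Session/auth cookies issued by framework libraries: known-good generators,
# which the talk treats as lower priority than a homegrown token.
FRAMEWORK_COOKIES = {"PHPSESSID", "ASP.NET_SessionId", ".ASPXAUTH", "JSESSIONID"}

# Rough floor for a session identifier; an assumption chosen for this example,
# in line with the common "at least 64 bits" guidance for session IDs.
MIN_SESSION_BITS = 64.0


def shannon_bits(value: str) -> float:
    """Rough entropy estimate for one token: per-character Shannon entropy times length.

    A single sample can only expose obvious weakness (few or repeated symbols);
    a strong-looking score does not prove the generator is random.
    """
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def parse_set_cookie(header: str) -> dict:
    """Extract name, value and the flags we care about from one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": morsel["samesite"] or None,
    }


def audit_cookie(header: str) -> dict:
    """Checks for one cookie: origin (framework vs custom), missing flags, entropy."""
    c = parse_set_cookie(header)
    missing = [flag for flag in ("secure", "httponly") if not c[flag]]
    if c["samesite"] is None:
        missing.append("samesite")
    bits = shannon_bits(c["value"])
    custom = c["name"] not in FRAMEWORK_COOKIES
    return {
        "name": c["name"],
        "origin": "custom" if custom else "framework",
        "missing_flags": missing,
        "entropy_bits": round(bits, 1),
        # Only a custom token gets the entropy verdict; framework generators are trusted here.
        "weak_entropy": custom and bits < MIN_SESSION_BITS,
    }


def audit_all(headers: list) -> list:
    """Audit every Set-Cookie header from a login response."""
    return [audit_cookie(h) for h in headers]


# Constructed Set-Cookie values, as a login response might return them.
SAMPLE_HEADERS = [
    "PHPSESSID=9f3a7c1e2b8d4e6f0a1b2c3d4e5f6a7b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sessid=1001; Path=/",                        # homegrown, counter-like, no flags
    "remember=f4a9c0b27d3e5f61; Path=/; Secure",  # homegrown, short, no HttpOnly/SameSite
]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        print(result)
```

Run it against the Set-Cookie headers captured from the login response in your proxy. The entropy figure from one value is only a screening number; for a custom token the real checks are a larger sample of issued values and the rotation check the talk mentions, whether a fresh identifier is issued after logout and re-login.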