LTR101: WebAppTesting - Methods to the Madness


Following my post on Web Application Testing Methodologies, I received a lot of feedback and requests to elaborate more on the methodology. As it is geared towards pentesters, some newbies might not understand what things are or what tools can be used to achieve the goal.

I have tried my best to outline tools for each stage of the methodology below, along with further reading for each. For those who haven't read the previous post about methodologies, the list below is by no means a complete methodology; it has been adapted from The Web Application Hacker's Handbook and other publications.

Additionally, several folks have requested a breakdown of each stage with more information on how to do each check; these will make up future posts, otherwise this one will end up being massive!

Buckle up, it's going to be a long one ladies and gentlemen...

Recon Tooling

Access Control Testing

Authentication

The majority of this section is purely manual testing, utilizing your common sense and your eyes: does it look off? Should it be better? Point it out, and tell your client if their password policy isn't up to scratch!

Input Validation

Application/Business Logic

Server/Application Infrastructure

Miscellaneous tests

Hopefully this post has given you an insight into what to look for and how to look for it. Your own methodology is up to you; it is your responsibility to test and then act on and report what you've found.

As always, if you've got any questions or queries, tweet me.

I will say one thing though: if you're going to ask questions, at least read the other posts on this blog before asking, as they will answer 99% of queries.

Did you enjoy this? Check out the other #ltr101 posts here or consider buying my book.

Andy Gill

Published 2 years ago


ZeroSec - Adventures In Information Security © 2019.