LtR101: Web Application Testing Methodologies


I get loads of messages on various mediums each week asking about how to get into information security & bug hunting. Queries range from how to do things through to how to get into the industry and where to start.

I started this series for those people: anyone learning, or wanting to learn more about, this industry and what is involved, with some practical tips and tricks along the way. This post is one of the more practical ones. It gives a rough check-list of items to cover off during a penetration test; the list is written with pentesters in mind, but it applies to bug bounty hunting too.

As I've learned over the past few years, each person is different and will develop their own methodology for testing applications; however, most will follow a rough structure for finding and enumerating apps. I've stumbled across several lists and methodologies in my time testing, but this is my take.

When testing applications it is important to have some form of methodology or check-list in place. It's not essential, but it can be VERY useful: it prompts the tester to go through every avenue looking for vulnerabilities, and to keep enumerating rather than stopping at the first finding.

The list below is by no means a complete methodology; it has been adapted from The Web Application Hacker's Handbook and other publications. It does, however, serve as a rough guideline on what to analyse and look for.

Reconnaissance

Access Control Testing

Input Validation and Handling

Application/Business Logic

Application Infrastructure

Miscellaneous tests

Now, as stated in the intro, this list is by no means a conclusive one; however, hopefully it will allow you to build a better picture of what needs to be tested, what can be tested and when to include it. Your own methodology is up to you, and it is your responsibility to test and then act on, and report, what you've found. If you've got any questions or queries, tweet me.

Did you enjoy this? Check out the other #ltr101 posts here or consider buying my book.

Andy Gill

Published 2 years ago


ZeroSec - Adventures In Information Security © 2019.