Application Testing Methodology & Scope Based Recon
This talk is about organizing your penetration testing around a proper methodology and maximizing your potential attack surface. It will also help you understand Scope Based Recon tactics.
Pentesting Methodology
• Define Target Scope
• Understand Application Business Logic
• Prepare Threat Map
• Perform Scope Based Recon
• Perform Manual Pentest
• Perform Application Specific Attacks
• Learn what you lack & hit back on the target
Threat Mapping
• Navigate Application
• List All Components & Functionality
• Write Theoretical Attack Scenario for Each Function
• Create Possible C.I.A. & C.R.U.D. Impact Scenario
• Verify all these test cases while you perform the assessment
Testing Approach
• Understand Application Flow
• Figure out the various possible flows of the same feature
• Try to break the application flow
• Test every possible test case for each individual functionality
• Do not miss any test case even if it's complicated
• Rely less on tools; a proxy tool is good to go.
• Learn and Hack
What is Recon? Why Recon?
… to discover & create a better attack surface! (We'll see how)
• Increased Attack Surface == More Security Issues
• Looking at the less travelled road == More Success
• Digging assets of your target to the deepest point possible.
• Recon != Security Issues, but it greatly increases the probability of finding Security Issues.
@harshbothra_
Myths
• Recon == Bugs
  Reality: Recon == Asset Discovery == Increasing Attack Surface
• Recon == Manual Approach
  Reality: The best way to perform Recon is a hybrid approach: Automation + Manual
• Recon == Time Consuming
  Reality: If performed properly and automated the right way, you can save a lot of time
• Recon == Subdomain Enum, Whois, Port Scanning & Fuzzing, etc.
  Reality: Ways to perform Recon are all about how creative you can be in identifying assets and increasing the attack surface. The methods above are just some well-known ones.
Scope Based Recon
• Scope Based Recon is simply a methodology that divides how to perform recon according to the specific set of scope that is provided.
• Scopes are divided into three categories: Small Scope, Medium Scope, Large Scope.
Why Scope Based Recon?
• Saves a lot of time
• You know exactly what to look for
• You can easily automate your recon workflow
• Less chance of submitting Out-of-Scope issues
• Just like other security methodologies, it enables you to perform better Recon
• Small Scope: Single URLs / Sandbox / QA / Staging Environment
• Medium Scope: Specific set of "*.target.com"
• Large Scope: Complete Internet presence including Acquisitions & Copyrights
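The three scope categories above map directly onto a scope check that keeps discovered assets from turning into out-of-scope submissions. The following is an added example, not code from the talk: it assumes a scope list written as single URLs/hosts, "*.target.com" wildcards and CIDR ranges, with an optional exclusion list, and uses constructed TEST-NET addresses.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


def host_of(asset: str) -> str:
    """Lowercase host part of a URL, bare hostname or IP ('' if none)."""
    if "://" not in asset:
        asset = "//" + asset          # let urlsplit treat the value as a netloc
    host = urlsplit(asset).hostname or ""
    return host.rstrip(".").lower()   # drop a trailing FQDN dot


def matches_scope_entry(asset: str, entry: str) -> bool:
    """Check one discovered asset against one scope entry.

    Entry forms assumed for this example:
      "*.target.com"                         wildcard: subdomains only, not the apex
      "target.com" / "https://qa.target.com" exact host match
      "203.0.113.0/24"                       CIDR: matches IP literals only
    """
    entry = entry.strip().lower()
    host = host_of(asset)
    if not host:
        return False
    try:                              # is the entry a CIDR or single-IP entry?
        net = ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ip_address(host) in net
        except ValueError:            # a hostname never satisfies a CIDR entry
            return False
    if entry.startswith("*."):
        # compare including the leading dot so "nottarget.com" never matches
        return host.endswith(entry[1:])
    return host == host_of(entry)


def in_scope(asset: str, scope: list, exclusions: list = ()) -> bool:
    """In scope when some scope entry matches and no exclusion matches."""
    if any(matches_scope_entry(asset, e) for e in exclusions):
        return False
    return any(matches_scope_entry(asset, e) for e in scope)


def triage(assets: list, scope: list, exclusions: list = ()) -> tuple:
    """Split discovered assets into (in_scope, out_of_scope) lists."""
    inside, outside = [], []
    for a in assets:
        (inside if in_scope(a, scope, exclusions) else outside).append(a)
    return inside, outside
```

Feed the output of any enumeration step through triage() before testing or reporting; note that the wildcard form deliberately does not cover the apex domain itself.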
Small Scope Recon
What to look for while performing Recon:
• Directory Enumeration/Bruteforcing
• Service Enumeration
• CVEs
• Port Scanning
• Broken Link Hijacking
• JS Files for Hardcoded APIs & Secrets
• Parameter Discovery
• Wayback History & Waybackurls
• Google Dorks (Looking for juicy info related to scope domains)
• Potential URL Extraction for Vulnerability Automation (GF Patterns + Automation Scripts)
Medium Scope Recon
What to look for while performing Recon:
• Subdomain Enumeration
• Subdomain Takeovers
• Misconfigured Third-Party Services
• CVEs
• Port Scanning
• Misconfigured Storage Options (S3 Buckets)
• Broken Link Hijacking
• Directory Enumeration
• Service Enumeration
• JS Files for Domains and Sensitive Information such as Hardcoded APIs & Secrets
• GitHub Recon
• Parameter Discovery
• Wayback History & Waybackurls
• Google Dorks for Increasing Attack Surface
• Internet Search Engine Discovery (Shodan, Censys, Fofa, BinaryEdge, Spyse, etc.)
• Potential URL Extraction for Vulnerability Automation (GF Patterns + Automation Scripts)
Large Scope Recon
What to look for while performing Recon:
• Tracking & tracing every possible signature of the target application (often there is no history on Google for a scope target, but you can still crawl it)
• Subsidiary & Acquisition Enumeration (Depth: Max)
• DNS & SSL Enumeration
• CVEs
• ASN & IP Space Enumeration and Service Identification
• Subdomain Enumeration
• Subdomain Takeovers
• Misconfigured Third-Party Services
• Misconfigured Storage Options (S3 Buckets)
• Broken Link Hijacking
• Directory Enumeration
• Service Enumeration
• JS Files for Domains and Sensitive Information such as Hardcoded APIs & Secrets
• GitHub Recon
• Parameter Discovery
• Wayback History & Waybackurls
• Google Dorks for Increasing Attack Surface
• Internet Search Engine Discovery (Shodan, Censys, Fofa, BinaryEdge, Spyse, etc.)
• Potential URL Extraction for Vulnerability Automation (GF Patterns + Automation Scripts)
• Any other possible Recon vector (Network/Web) can be applied.
Approach for Recon
• Choose Scope Based Recon
• Create a script for automating Scope Based Recon
• Run the automation script over the cloud
• Manually recon (GitHub & Search Engine Dorking) while the automation completes
• Create cron jobs/schedulers to re-run specific recon tasks to identify new assets
• Implement alerts/push for Slack or preferred
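The last two steps (scheduled re-runs that surface only new assets, then a push alert) need a small piece of state between runs. The block below is an added example, not code from the talk: it keeps every asset ever seen plus the previous run's set in a JSON file, so a scheduler can diff each new enumeration run and emit an alert body only when something changed. The host names are constructed.

```python
import json
from pathlib import Path


def empty_state() -> dict:
    """State kept between scheduled runs: every asset ever seen, and last run's set."""
    return {"seen": set(), "last": set()}


def load_state(path) -> dict:
    """Read the state persisted by the previous cron run (empty on the first run)."""
    p = Path(path)
    if not p.exists():
        return empty_state()
    raw = json.loads(p.read_text())
    return {"seen": set(raw.get("seen", [])), "last": set(raw.get("last", []))}


def save_state(path, state: dict) -> None:
    Path(path).write_text(json.dumps({k: sorted(v) for k, v in state.items()}, indent=2))


def diff_assets(state: dict, discovered) -> tuple:
    """(new, gone): never-seen-before assets, and assets present last run but not now."""
    current = set(discovered)
    return sorted(current - state["seen"]), sorted(state["last"] - current)


def format_alert(target: str, new: list, gone: list):
    """Plain-text body for a Slack/webhook push; None when nothing changed."""
    if not new and not gone:
        return None
    lines = [f"[recon] {target}: {len(new)} new, {len(gone)} gone"]
    lines += [f"  + {a}" for a in new] + [f"  - {a}" for a in gone]
    return "\n".join(lines)


def run_cycle(state: dict, target: str, discovered) -> tuple:
    """One scheduled run: returns (next_state, alert_text_or_None)."""
    new, gone = diff_assets(state, discovered)
    next_state = {"seen": state["seen"] | set(discovered), "last": set(discovered)}
    return next_state, format_alert(target, new, gone)


if __name__ == "__main__":
    # Constructed output of two consecutive enumeration runs (not real hosts).
    state = empty_state()
    for run in (["a.target.com", "b.target.com"], ["a.target.com", "c.target.com"]):
        state, alert = run_cycle(state, "target.com", run)
        print(alert or "no change")
```

In a cron job, wrap run_cycle() with load_state()/save_state() around a fixed path and post the returned text to your webhook; an asset that disappears and later comes back is reported as gone once but never as new again.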