Web app pentesting methodology

The following documentation provides a standard guideline for web application penetration testing engagements.

1. Reconnaissance/enumeration (active reconnaissance)

Manual

  • robots.txt

  • sitemap.xml

Tools

  • gobuster, wfuzz, ffuf, etc.

  • ...

Wordlists

  • /usr/share/SecLists/Discovery/...

  • /usr/share/wfuzz/...

Using the wordlists, common file extensions such as .txt, .php and .pdf can be appended to each candidate name to discover specifically named files. Note that gobuster takes the extension list via -x rather than a FUZZ placeholder in the URL (FUZZ is wfuzz/ffuf syntax):

$ gobuster dir -w ... -u https://example.com/path/ -x txt # .txt
$ gobuster dir -w ... -u https://example.com/path/ -x php # .php
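From the defender's side, the enumeration described above leaves a characteristic trace: one client producing a burst of 404 responses for the same base names with several extensions appended. The following script is an added example (not part of the original page) that parses constructed Apache/nginx combined-format access log lines and flags any client that produces at least a threshold number of 404s inside a sliding time window, together with the extensions it probed. The log lines, IP addresses, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic).
# 198.51.100.23 probes the same base names with .php and .txt appended;
# 203.0.113.7 is an ordinary client with two unrelated 404s far apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /admin.txt HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /backup.php HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /backup.txt HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /config.txt HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:57:01 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:10:15 +0000] "GET /old-page.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, timestamp, path and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def extension_of(path):
    """Return the lower-cased extension of the last path segment, or None if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else None


def find_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that hit >= `threshold` 404s within any `window`-sized interval.

    Returns {ip: {"count": max 404s seen in one window, "extensions": sorted extensions probed}}.
    """
    hits = defaultdict(list)   # ip -> list of 404 timestamps
    exts = defaultdict(set)    # ip -> extensions seen on 404 paths
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        hits[rec["ip"]].append(rec["ts"])
        ext = extension_of(rec["path"])
        if ext:
            exts[rec["ip"]].add(ext)

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"count": best, "extensions": sorted(exts[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['count']} x 404 within 60s, extensions probed: {info['extensions']}")
```

The threshold and window are deliberately conservative; tune them against a baseline of normal 404 rates before alerting, and consider pairing the count with the "same base name, several extensions" pattern, which ordinary users rarely produce.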

2. Exploitation techniques

Common ways to find out if the application is using a SQL database:

a) Fuzz with a few common SQL injection inputs and observe the response

b) ...

a) Look for file upload features

b) Test with a valid input — observe the response

c) Test with a malicious input such as a file with a .php extension — observe the response

...
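The file-upload checks above probe whether the application accepts a server-executable extension. The following validator is an added example (not code from the original page) showing the server-side counterpart: an extension allowlist, rejection of executable extensions anywhere in the name (so a double extension such as name.php.jpg is refused), a magic-byte check so that content matches the claimed type, a size limit, and a random storage name so the user-supplied filename never reaches the filesystem. The allowed types, magic bytes, executable-extension list and size limit are assumptions for the example.

```python
import os
import secrets

# Allowed extensions mapped to the leading bytes their content must start with
# (None means no magic-byte signature; the content is checked as text instead).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "txt": None,
}

# Extensions that a typical web server may hand to an interpreter; refused in any
# position of the filename, not only the last one (assumed list for the example).
EXECUTABLE = {"php", "phtml", "php3", "php5", "phar", "jsp", "asp", "aspx", "cgi", "pl", "py", "sh"}

MAX_BYTES = 5 * 1024 * 1024  # assumed 5 MiB limit


def validate_upload(filename, data):
    """Return (True, canonical_extension) if the upload is acceptable, else (False, reason)."""
    if "\x00" in filename:
        return False, "null byte in filename"
    # Browsers send a bare name; any path separator means something is being smuggled.
    if "/" in filename or "\\" in filename:
        return False, "path components in filename"
    if filename in ("", ".", ".."):
        return False, "empty or reserved filename"

    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    if any(p in EXECUTABLE for p in parts):
        return False, "executable extension in filename"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"

    if len(data) > MAX_BYTES:
        return False, "file too large"
    magic = ALLOWED[ext]
    if magic is not None:
        if not data.startswith(magic):
            return False, "content does not match extension"
    else:
        # Plain text: must be valid UTF-8 with no null bytes.
        if b"\x00" in data:
            return False, "null byte in text content"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text content is not valid UTF-8"
    return True, ext


def storage_name(ext):
    """Random on-disk name; the user-supplied name is never used for storage."""
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename, data, upload_dir):
    """Validate and write the upload; returns the stored path or raises ValueError."""
    ok, detail = validate_upload(filename, data)
    if not ok:
        raise ValueError(detail)
    path = os.path.join(upload_dir, storage_name(detail))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("shell.php", b"anything"))
    print(validate_upload("shell.php.jpg", b"\xff\xd8\xff\xe0"))
    print(validate_upload("notes.jpg", b"plain text, not a jpeg"))
```

Store uploads outside the web root (or in a location the server is configured never to execute from) in addition to these checks; validation on the filename alone is the weak point the tests in this section are designed to find.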

a) Default credentials for common, well-known services

b) ...
