Mapping the Application: Summary
This week we have looked at the first stage of recon: mapping the application.
We have focused on manually browsing the site, along with code review, to help identify the site's visible content and functionality. This lets us work out what the application does and start thinking about possible attack surfaces.
By gathering a list of endpoints, and the types of data we can submit to them, we can start to build an idea of how each one might be exploited. Below is a (non-exhaustive) list of things we might identify, and how each could be used as part of an exploit.
| Item | Possible Exploit |
|---|---|
| Technologies used | Possible exploits based on the specific technology and version |
| Database interaction | SQL injection |
| Displaying user-supplied data | Cross-site scripting / SSTI |
| Login pages | Username enumeration, password brute force |
| Sessions | Authentication methods, session hijacking |
| Error messages | Information leakage |
| Client-side validation | Checks may not be applied on the server |
| File uploads | XSS, uploading shells |
| Authorisation methods | Privilege escalation |
| API use | Information leakage |
| API parameters | Database structure |
| URL parameters in dynamic pages | Modify functionality, expose other areas of the site |
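The table is easier to apply once the mapping notes are written down in a consistent shape. The script below is an added example (it is not part of the course notes or the lab material): it walks a constructed sample page with Python's standard-library `html.parser` and records the things the table asks us to look for, namely the endpoints reached by links and forms, the parameters each accepts, validation attributes that only exist client-side, file-upload fields, hidden fields and query-string parameters on dynamic links. The page markup, paths and field names are invented for the example.

```python
"""Build a simple attack-surface inventory from an HTML page.

Added example, not from the course notes. Uses only the standard library
so it runs offline against the constructed SAMPLE_HTML below.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page; every path and field name here is made up.
SAMPLE_HTML = """
<html><body>
<a href="/products?id=42&sort=price">Products</a>
<a href="/about">About</a>
<form action="/login" method="post">
  <input name="username" maxlength="20" required>
  <input name="password" type="password" pattern=".{8,}">
</form>
<form action="/profile/avatar" method="post" enctype="multipart/form-data">
  <input type="file" name="avatar">
  <input type="hidden" name="user_id" value="7">
</form>
<script src="/static/app.js?v=1.4.2"></script>
</body></html>
"""

# Attributes the browser enforces; the server may or may not repeat the check.
CLIENT_SIDE_ONLY = {"maxlength", "minlength", "pattern", "required", "min", "max"}


class SurfaceMapper(HTMLParser):
    """Collects endpoints and the inputs that feed them."""

    def __init__(self):
        super().__init__()
        self.links = {}      # path -> sorted list of query parameter names
        self.forms = []      # one dict per <form>
        self.scripts = []    # script sources worth reading during code review
        self._form = None    # the <form> currently being walked, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)      # html.parser lower-cases tag and attribute names
        if tag == "a" and "href" in a:
            url = urlparse(a["href"])
            self.links[url.path] = sorted(parse_qs(url.query, keep_blank_values=True))
        elif tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "params": [],
                "client_side_checks": {},   # field -> attributes enforced only in the browser
                "file_upload": False,
                "hidden": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = a.get("name")
            if name is None:
                return
            self._form["params"].append(name)
            checks = sorted(k for k in a if k in CLIENT_SIDE_ONLY)
            if checks:
                self._form["client_side_checks"][name] = checks
            if a.get("type") == "file":
                self._form["file_upload"] = True
            if a.get("type") == "hidden":
                self._form["hidden"].append(name)
        elif tag == "script" and "src" in a:
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def map_surface(html):
    """Parse one page and return the populated SurfaceMapper."""
    mapper = SurfaceMapper()
    mapper.feed(html)
    mapper.close()
    return mapper


def review_notes(mapper):
    """Turn the inventory into 'things to check' lines matching the table rows."""
    notes = []
    for path, params in mapper.links.items():
        if params:
            notes.append(f"{path}: dynamic page with URL parameters {params}")
    for form in mapper.forms:
        target = f"{form['method'].upper()} {form['action']}"
        if form["client_side_checks"]:
            fields = sorted(form["client_side_checks"])
            notes.append(f"{target}: client-side validation on {fields}; confirm the server enforces it")
        if form["file_upload"]:
            notes.append(f"{target}: file upload; check type/content validation and where files are served from")
        if form["hidden"]:
            notes.append(f"{target}: hidden fields {form['hidden']} are user-controllable")
    return notes


if __name__ == "__main__":
    for line in review_notes(map_surface(SAMPLE_HTML)):
        print(line)
```

Run it as-is to see the notes for the sample page; on a real engagement you would feed it the saved HTML of each page you browsed and append to the same inventory, then keep the script sources list for the code-review step. It deliberately records only what is on the page, so every entry in the resulting list is something you have already seen and can reason about before trying anything.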
What else might we find useful?
The list above has the main elements we might want to look for, without getting too specific. However, there are other, more specialised areas we may want to consider.
Using the feed on Aula, discuss:
- Other items you think it may be helpful to identify.
- Any other attack types we should also consider.
We will collate them and discuss in the lab sessions.
The Lab
In the lab this week we will go through the mapping process with an example site. You will also get the opportunity to try some tools that help with the mapping process.
Next Time
We haven't quite finished with recon yet.
While we have looked at getting data from the visible parts of the site, we still haven't found all of the possible functionality.
Next week we will look at some ways of finding hidden functionality.