Web Application Security Testing Method

Sakib Haque Zisan · Follow

9 min read · Aug 12, 2024

Hunt Bugs ! Test Vulnerabilities !

No Caption is available

Hi there, I’m Sakib Haque Zisan — Engineer | Pentester | Entrepreneur | Cyber

Security Instructor

It has always been my Passion to learn new things, explore new ideas and
thoughts and emphasized on self-development. It has always been my focus on
every available opportunity to improve myself skills. I want to pursue my goals
with dedication, sincerity, honesty and hard work.

Today I will discuss How I test vulnerabilities of a Target Website and what is my
Methodology. So Let’s START !!
Web Application Security Testing Method

M ethodology:

Recon

1. Footprinting Website [ Recon with OSINT ]

2. Recon with Browser Addons [ Finding Technology, Service information ]

3. Google Dorking

4. Github Dorking

5. Port Scanning

6. Finding DNS Information

7. Whois Lookup

8. WAF Identification

9. Shodan Dorking

Enumeration

1. Check Security Header Info

2. Subdomain Enumeration

3. Filtering Live Domains

4. URL Extraction

5. Content Discovery

6. Finding Parameters

7. Sorting URLs

Vulnerability Scanning

1. Automation in Vulnerability Scanning

 2. Scan Vulnerabilities manually through the testing methods of OWASP Top 10
Vulnerabilities Category.

3. Analyze Vulnerabilities Database.

So Now Let’s Start the Journey to find out the Bugs in our Target Website !!

Step 01 —

Footprinting Website

First of all, I would like to footprint my Target website through some reputed
methods and Techniques !!

1. Finding the Target Website’s IP through Website to IP lookup. [

Recommending https://www.nslookup.io/ ]

2. Finding out the X-Ray Vision for my Target Website [ Recommending

https://web-check.as93.net/ ]

3. Finding the Geographical Location of the Target [ Tools — Google Earth,

Google Maps, Wikimapia ]

4. Gathering information from Financial Services [ Tools — Google Finance, MSN

Money, Yahoo! Finance ]

5. Gathering Information from Business Profile Sites [ Tools — Crunchbase,

opencorporates, corporationwiki ]

6. Monitoring Target using Alerts [ Tools — Google Alerts, Twitter Alerts. Giga
Alerts ]

7. Tracking the Online Reputation of the Target [ Tools — Mention, ReviewPush,

Reputology ]

8. Gathering Information from Groups, Forums and Blogs

9. Gathering Information from Public Source Code Repositories [ Tools — Recon-

ng

10. Footprinting through Social Networking Sites. [ Facebook, Twitter, Linkedin

etc ]
11. Collecting Information through Social Engineering [ Collect information
about the users and employees interest , cookies, sensitive information ]

12. Analyze the Directory Structure of the Target Website [ Tools — Httrack ]

13. Find out the Archive and Analyze previous data [ Tools — ViewDns,
https://web.archive.org ]

14. Extracting Meta Data of the Public Documents [ Tools — Exitfool, Web Data
Extractor, Metagoofil ]

15. Extracting Website Links [ Tools — CeWL ]

16. Email Footprinting [ Tools — Infoga, eMailTracker Pro ]

Step 02 —

Recon with Browser Addons

Now Let’s Recon our Target Website through some Browser Addons !!

1. Finding the Technology which are used to build our Target Website [ Tools —
Wappalyzer, BuiltWith ]

2. Detect the use of JavaScript libraries with known vulnerabilities [ Tools —

Retire.js ]

3. Gather Information of Ports, Services and Server and Common Vulnerabilities

[ Tools — Shodan ]

4. Test Web Application [ Tools — Knoxx , HackTools ]

Step 03—

Google Dorking

site:target.com -site www.target.com

Online Resource:

– https://github.com/chr3st5an/Google-Dorking
— https://www.stationx.net/how-to-google-dork-a-specific-website/

Step 04 —

Github Dorking

Github Dorking !!

What you can find on Github?

• FTP Credentials
• Secret Keys [API_key, Aws_secret key, etc.]
• Internal credentials [Employee credentials]
• API Endpoints
• Domain Patterns

Go to github and search

Eg.
- “target.com” “dev”
- “dev.target.com”
- “target.com” API_key
- “target.com” password
- “api.target.com”

Step 05—

Port Scanning

Now Let’s Scan the Ports of our Target Website through some necessary tools so
that we can find out the way of Attacking !! Haha..

Tools in Scanning Ports —

1. Nmap [ https://www.stationx.net/nmap-cheat-sheet/ ]

2. UnicornScan [ https://0xsp.com/offensive/offensive-cheatsheet/ ]

3. Angry IP Scan [ https://0xsp.com/offensive/offensive-cheatsheet/ ]

4. Netcat [ https://0xsp.com/offensive/offensive-cheatsheet/ ]
Step 06 —

Finding DNS Information

Tools in finding DNS Information —

 1. Dig [ https://sid4hack.medium.com/decoding-dns-penetration-testers-journey-
with-dig-7cb9845e6215 ]

2. DNS Lookup

3. MxToolbox

4. Nslookup

5. Viewdns

Step 07 —

Whois Lookup

Find out the Domain’s Information by using Whois Lookup. Link —

https://www.whois.com/whois/

Step 08—

WAF Identification

In this case we need to identify our Target website is WAF Protected or Not. That’s
why can use 2 different tools to complete the same task.
 1. Wafw00f [ https://github.com/EnableSecurity/wafw00f ]

2. WhatWaf [ https://github.com/Ekultek/WhatWaf ]

Step 09 —

Shodan Dorking

Shodan is a search engine for Internet-connected devices. It is different from

search engines like Google and Bing because Google and Bing are great for
finding websites but Shodan helps in finding different things like popular
versions of Microsoft IIS, control servers for Malware, how many host are affected
with the new CVEs, which countries are becoming more connected, SSL
certificates of the websites etc.

How to use CLI Based version (Basics) ?

I would like to suggest — Follow this Tutorial https://youtu.be/v2EdwgX72PQ?

si=BedrWedKxxuy3cSk

Step 10 —

Check Security Header Info

HTTP Security Response Headers Cheat Sheet —

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html

Step 11 —

Subdomain Enumeration

Let’s discuss the top 10 subdomain search tools that can help you discover
subdomains.

1. Sublist3r [ Python tool that leverages multiple search engines to enumerate

subdomains for a given domain. ]

2. Amass [ Open-source tool for passive reconnaissance that discovers

subdomains, IP addresses, and other related information. ]
 3. Subfinder [ Subdomain discovery tool that uses multiple sources, including
search engines and certificate transparency logs. ]

4. Censys [ A search engine that provides access to a large and up-to-date

database of internet hosts, including subdomains. ]

5. Assetnote [ A tool for asset discovery and monitoring, helping with subdomain
identification and tracking changes over time. ]

6. Findomain [ Cross-platform subdomain enumerator that uses various sources

to identify subdomains. ]

7. SecurityTrails [ Offers a comprehensive DNS database to discover

subdomains, IP histories, and other related information. ]

8. Knockpy [ Python tool that uses multiple sources to gather subdomain

information for a target domain. ]

9. DNSDumpster [ An online tool that provides DNS reconnaissance services,

including subdomain discovery. ]

10. Aquatone [ A tool that helps visualize and gather information about domains,
including subdomains, by combining techniques like screenshotting. ]

Step 12—

Filtering Live Domains

There is a tool called HTTPX, which is used to check Subdomains are Active or Not
and there are multiple methods to use this tool. We will see the simple method
only.

▶ Enumerate/Collect all subdomains using tools like subfinder, assetfinder,

Knockpy and haktrails, etc.

Run : subfinder -d someweb.com -o subf.txt -v

Run : echo “someweb.com” | haktrails subdomains > haksubs.txt

Run : assetfinder -subs-only someweb.com > asset.txt

▶ Add all Enumerated/Collected subdomains from different tools in different files
into one file with unique subdomains, that may be subdomains.txt

Run : cat subf.txt haksubs.txt asset.txt | sort -u > subdomains.txt

▶ Now, will check the identified subdomains are active or not -

Run : httpx -l subdomains.txt -o activesubs.txt -threads 200 -status-code -follow-

redirects

▶ You’ll able to see the active subdomains only, on which you can start finding
bugs and all.

-Another Tools is Reconftw

Step 13—

URL Extraction

Here are some useful tools to perform this method —

1. Httpx

2. WaybackURLs

Step 14—

Content Discovery

Here are some useful tools to perform this method —

1. Httpx

2. Gobuster

3. Dirbuster

Step 15—

Finding Parameters
We are going to enumerate a web application to find out hidden parameters of the
Target website,

Here are some useful tools to perform this method —

1. Arjun Tool

2. ParamSpider

3. WaybackURL

Step 16—

Sorting URLs

GF tool is a powerful command-line utility that acts as a wrapper around the grep
command, providing additional functionality and convenience for searching and
filtering text.

Link — https://github.com/tomnomnom/gf

Step 17—

Automation in Vulnerability Scanning

1. Nessus — Nessus is a remote security scanning tool, which scans a computer

and raises an alert if it discovers any vulnerabilities that malicious hackers
could use to gain access to any computer you have connected to a network.

Using Process — https://youtu.be/Gy-aPBb0djk?si=OsjRy9uiPXt_oTT6

2. Burpsuite — Burp Suite is an integrated platform/graphical tool for performing

security testing of web applications. Its various tools work seamlessly together to
support the entire testing process, from initial mapping and analysis of an
application’s attack surface, through to finding and exploiting security
vulnerabilities.

Using Process — https://www.youtube.com/watch?v=hY_gzrTMn3U&list=PLwO5-

rumi8A7TVRzfOD4OHabwJ0v1ZA81
3. ZAP — OWASP ZAP is a penetration testing tool that helps developers and
security professionals detect and find vulnerabilities in web applications.

Using Process — https://www.youtube.com/watch?

v=bf2YuqgaeWo&list=PLH8n_ayg-60J9i3nsLybper-DR3zJw6Z5

4. Acunetix — Acunetix is an automated web application security testing tool that

audits your web applications by checking for vulnerabilities like SQL Injection,
Cross-site scripting, and other exploitable vulnerabilities.

Using Process — https://darkyolks.medium.com/vulnweb-lab-report-an-analysis-

of-vulnerabilities-on-the-web-c33472761913

5. SQLmap — SQLMAP is an open-source penetration tool. SQLMAP allows you to

automate the process of identifying and then exploiting SQL injection flaws and
subsequently taking control of the database servers. In addition, SQLMAP comes
with a detection engine that includes advanced features to support penetration
testing.

Using Process — https://www.youtube.com/watch?

v=nVj8MUKkzQk&list=PL_jb7LxOF7HVvkuovEnszsWayU_-NOtxx

6. WPScan — WPScan is an open-source WordPress security scanner. It is used to

scan WordPress websites for known vulnerabilities within the WordPress core and
WordPress plugins and themes. It also checks for weak passwords, exposed files,
and much more. Since it is a WordPress black box scanner, it mimics an actual
attacker

Using Process — https://youtu.be/zmK_hg6hIM0?si=jU9GSnO6vl8hnmSN

Step 18 —

Scan Vulnerabilities manually through the testing methods of OWASP Top 10

Vulnerabilities Category.

First of all let’s talk about the Category and Sub categories of the OWASP Top 10
Vulnerabilities because if you know what are the bugs, then you can exploit those
through your own methodologies of Testing.
OWASP Top 10 2021 — Bug Name Examples by Category:
A01: Broken Access Control

IDOR
Directory or Path Traversal
Function Injection
Privilege Escalation
Horizontal and Vertical Privilege Escalation

A02: Cryptographic Failures

Cleartext Transmission of Sensitive Data

Insufficient Entropy
Insecure Random Number Generation
Padding Oracle Attack
Use of Weak Ciphers
Weak or Misconfigured Cryptographic Configurations

A03: Injection

Os Command Injection
SQL Injection
Cross-Site Scripting (XSS)
Expression Language Injection
XML Injection
LDAP Injection
NoSQL Injection
SSTI

A04: Insecure Design

Security-by-Obscurity
Session Fixation
Unintended Functionality
Use of Hardcoded Credentials
Weak Error Handling
A05: Security Misconfiguration

Default Accounts and Passwords

Default or Weak Configuration Settings
Disabled Security Features
Improperly Configured Permissions and Access Controls (Insecure Permissions)
Unnecessary Features or Services Enabled
Use of Vulnerable Software
Directory Listing Enabled
Insecure Default Passwords or Credentials
Improperly Configured Cross-Origin Resource Sharing (CORS)

A06: Vulnerable and Outdated Components

Use of Known Vulnerable Components

Outdated Libraries and Frameworks
Third-Party Components with Unpatched Vulnerabilities
Lack of Patching and Updates

A07: Identification and Authentication Failures

Brute-Force Attacks
Credential Stuffing
Credential Theft
Session Hijacking
Weak Password Policies
Weak Session Cookies
Lack of Multi-Factor Authentication (MFA)
Insecure Session Management
Insecure Authentication Protocols
Insecure Password Storage
User Enumeration

A08: Software and Data Integrity Failures

Insecure Direct Object References (IDOR)

Server-Side Request Forgery (SSRF)
SQL Injection and NoSQL Injection Variants
Tampering with Updates
Unvalidated Redirects and Forwards

A09: Security Logging and Monitoring Failures

Lack of Audit Logging

Insufficient Log Data
Unmonitored Logs
Unsecured Logs

A10: Server-Side Request Forgery (SSRF)

Unauthenticated SSRF
Authenticated SSRF

Now you can test your Target website with several techniques to find out the
vulnerabilities. Recommending to follow the related writeups of the vulnerability.

Step 19—

Analyze Vulnerabilities Database.

Recommending some resources —

1. Exploit Database — https://www.exploit-db.com/

2. Vulnerability Database — https://vuldb.com/

3. CVE Security Vulnerability — https://www.cvedetails.com/

4. Patchstack — https://patchstack.com/database/

Step 20—

Report Writing

Report Structure:
A security testing report should have a clear and logical structure. Here’s a
recommended structure:
a. Introduction: Provide a brief overview of the security testing context, objectives,
and report scope.

b. Methodology: Describe the techniques and tools used to conduct the security
testing.

c. Findings: Present the identified vulnerabilities in a clear and organized manner.

Use categories or severity levels to aid readability.

d. Evidence: Include screenshots, code snippets, or any other evidence to support

your findings.

e. Recommendations: Propose specific corrective measures for each identified

vulnerability.

f. Conclusion: Summarize the key points of the report and express gratitude to
relevant parties.

Recommending to Follow this way too —

https://www.intigriti.com/hackademy/how-to-write-a-good-report

COLLECTED BY @INTELEON404

HELLO I AM SHEIKH MOHAMMAD ADIL (INTELEON404)

Signature