When testing an application, SecureState uses a web proxy that sits between the client browser and the application. Because the proxy terminates the TLS connection, every submission to the server is visible in plaintext, and the tester can view the entire transmission, including hidden fields, cookies, and session IDs. The same tool lets the tester craft injection attacks and modify data after the browser's own checks have run but before the request reaches the server, thereby bypassing client-side validation.
The review focuses on the web application through normal browsing means (ports 80 and 443) at the application level. The assessment compares the client's assumptions (e.g., expected user access rights) with the actual findings and with Leading Practices. The methodology incorporates the latest version of the OWASP Testing Guide and looks for the vulnerabilities, design flaws, and configuration flaws described in the OWASP Top Ten.
Once the assessment begins, SecureState identifies all application entry points, performs search engine reconnaissance, and analyzes error codes. Additionally, SecureState manually maps the application to collect session information, cookies, and business logic details. All of the information needed for the subsequent phases is obtained during this process.
SecureState tests for:
- HTTP methods
- TLS/SSL weaknesses
- Infrastructure configuration management vulnerabilities
- User enumeration
- Brute force potential
- Authentication bypass vulnerabilities
- Session fixation and session variable handling
- Cross-site request forgery and path traversal
- User roles and permissions
- Privilege escalation vulnerabilities
SecureState then performs the actual tests to compromise security, exploiting any fields that accept unverified data. During this phase of the assessment, SQL injection, XSS, HTTP response splitting, and other common attacks (noted in the OWASP Top Ten) are executed.
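As an added example (not SecureState's code or tooling), here is the defensive counterpart to the proxy-driven tampering described at the start of this page and to the "fields that accept unverified data" exploited in the final phase: a server-side handler that re-validates a checkout form exactly as if the browser's checks had never run. The field names, the HMAC scheme for the hidden price field, and the sample submissions are constructed assumptions, not taken from any real application.

```python
import hashlib
import hmac
import re

# Hypothetical server-side secret (constructed); a real deployment loads it from a secret store.
SERVER_SECRET = b"constructed-example-secret"


def sign_hidden_field(value: str) -> str:
    """Return the MAC the server attaches when it renders a hidden form field."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def validate_order(form: dict) -> tuple:
    """Re-validate a submission server-side, ignoring anything the browser checked.

    A proxy lets the client edit any field after client-side JavaScript has run,
    so every rule must be enforced again here.  Returns (accepted, reason).
    """
    # 1. Hidden price field: must carry the MAC the server issued when rendering the page.
    price = form.get("price", "")
    mac = form.get("price_mac", "")
    if not hmac.compare_digest(sign_hidden_field(price), mac):
        return False, "hidden price field was altered"
    # 2. Quantity: allow-list the format and range instead of trusting an HTML 'max' attribute.
    qty = form.get("quantity", "")
    if not re.fullmatch(r"[1-9][0-9]{0,2}", qty):
        return False, "quantity must be an integer between 1 and 999"
    # 3. Coupon: strict pattern, so characters the JavaScript would have stripped are rejected.
    coupon = form.get("coupon", "")
    if coupon and not re.fullmatch(r"[A-Z0-9]{4,12}", coupon):
        return False, "coupon code has an invalid format"
    return True, "ok"


# Constructed submissions: LEGIT is what the browser sends; the others are what a tester
# produces by editing the same request in an intercepting proxy.
LEGIT = {"price": "49.99", "price_mac": sign_hidden_field("49.99"), "quantity": "2", "coupon": ""}
TAMPERED_PRICE = dict(LEGIT, price="0.01")          # hidden field rewritten
TAMPERED_QTY = dict(LEGIT, quantity="-5")           # client-side range check bypassed
TAMPERED_COUPON = dict(LEGIT, coupon="SALE10'--")   # injection characters reinserted

if __name__ == "__main__":
    for name, submission in [("legit", LEGIT), ("price", TAMPERED_PRICE),
                             ("quantity", TAMPERED_QTY), ("coupon", TAMPERED_COUPON)]:
        print(name, validate_order(submission))
```

Only the untouched submission is accepted; each tampered request is rejected by a check that does not depend on the browser.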