Day three was a run-through of discovery. Discovery is the process of finding vulnerabilities in the web application, but stopping short, for the most part, of actually exploiting them.
By the way, it's really late and I should be asleep, so I'm keeping this post short. Or I intend to.
We looked at information leakage. This is one of the things I find most often in my own testing. Developers allow their applications to throw errors back to a user, and the errors leak information about the implementation of the application, such as what OS, backend DB or other components make up the system. Yes, this is bad. You should be returning generic error messages, preferably something that has the right look and feel for your application. Many developers I work with on a regular basis simply redirect the user back to the start of the application when the app throws an exception. This is not as bad as leaking information, but it sucks for usability. Don't do it that way.
We looked at username harvesting. This is something I find quite a bit in my work. And it's a difficult problem to overcome if you spend much time thinking about ways to mitigate it. If you have an app where people can register for a new account, it's hard to prevent username harvesting for obvious reasons. Password resets, security questions and the like are another area where username harvesting is pretty common, but generally is more preventable. Account registration and creation is the biggie.
I brought this up with Kevin and he had an excellent suggestion. Don't prevent it. Detect it and block the attack. I'll be writing this up as a recommendation in the future.
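One way to put Kevin's suggestion into practice is to watch the authentication log for a single source that probes many distinct non-existent usernames in a short window. The following is an added example of such a detector, not code from the course or this post; the log format, the `no_such_user` result string and the sample lines are all constructed for the example.

```python
"""Detect username-harvesting attempts from authentication logs (added
example: flag a source that probes many distinct non-existent accounts)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example (not a real product's).
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample: 10.0.0.7 walks a list of guessed usernames;
# 10.0.0.9 is a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.7 user=alice result=no_such_user
2024-05-01T10:00:02 src=10.0.0.7 user=bob result=no_such_user
2024-05-01T10:00:03 src=10.0.0.7 user=carol result=no_such_user
2024-05-01T10:00:04 src=10.0.0.7 user=dave result=no_such_user
2024-05-01T10:00:05 src=10.0.0.7 user=erin result=no_such_user
2024-05-01T10:00:07 src=10.0.0.9 user=jsmith result=bad_password
2024-05-01T10:00:09 src=10.0.0.9 user=jsmith result=ok
2024-05-01T10:30:00 src=10.0.0.7 user=grace result=no_such_user
"""

def parse(text):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]

def find_harvesters(text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: set of probed usernames} for every source that produced
    'no_such_user' for at least `threshold` distinct names inside `window`."""
    unknown = defaultdict(list)            # ip -> [(ts, user)], sorted below
    for ts, ip, user, result in parse(text):
        if result == "no_such_user":
            unknown[ip].append((ts, user))
    flagged = {}
    for ip, hits in unknown.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):       # sliding window over time
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {u for _, u in hits[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] = names        # feed to a block / rate-limit rule
                break
    return flagged
```

The legitimate user's failed password attempt never counts, because only responses for accounts that do not exist are tracked; the late probe at 10:30 falls outside the window on its own and is not enough to trip the threshold by itself.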
We looked at fuzzing applications using the Burp Suite and talked about Absinthe. I wish there had been an exercise for Absinthe. I have it installed on my pen testing box, but haven't used it yet.
Greasemonkey was introduced. I love Greasemonkey, though I've never used it for pen testing. I find it really useful for adding functionality to web interfaces. It rocks.
The last part of the day was a review of some of the newer developments on the web; namely Web Services Definition Language, Universal Description, Definition, Integration Specification (UDDI), Simple Object Access Protocol, AJAX and JSON. Frankly, I wish we could have spent an entire day on these areas alone.
You've all heard of Web 2.0. AJAX and JSON are two of the core components that drive Web 2.0, but many larger enterprises are only now beginning to roll them out, so many web app pen testers don't have much experience with them, including yours truly. I could use more info on these technologies and have it on my list to find out as much as I can in the coming weeks.
All in all, another good day. Again, I wish the course had more hands-on exercises and, as I've mentioned previously, I know it's coming in the six-day version of the course. In fact, I had dinner with Kevin Johnson, the author of the course, and a couple of other students, and Kevin talked about how day six of the course is going to be a full-on web app pen test exercise from start to finish. If it includes all the whiz-bang Web 2.0 aspects, that will be really beneficial.
Now if you'll excuse me, I should have been asleep a couple hours ago. Good night now!