Web application white box pentesting methodology

Recently, I finished the Offensive Security WEB-300 course and successfully passed OSWE certification. The goal of this article is to share the methodology I’m using in white box engagements and which helped me in 48h long OSWE exam.

Before diving into the methodology, it’s worth spearing some words about the course and exam itself. The Offensive Security WEB-300 course is all about white box web testing, so application source code is available. It means exposure to a lot of code in five different languages: Java, JavaScript, C#, Python, PHP. The full course syllabus can be found here.

In my opinion, you have to obtain four types of skills to become OSWE:

Understanding the syntax of many languages and their web frameworks to efficiently analyze big codebases.
Knowledge of web vulnerabilities - how to discover and exploit them.
Scripting skills - know how to pack a kill chain of vulnerabilities in one script in the language of your choice (WEB-300 course uses python).
Having a solid white box testing methodology.

Resources that I used for learning about 1 and 2 are linked at the end of this article.

Reconnaissance

This step is all about a clicking-through application from a user perspective with Burp proxy (or similar tool) turned on. Note all of the application functionalities, technology, how it handles authentication, authorization, is there anything odd that triggers your pentesting instinct? It’s worth to pay attention to the structure of requests, cookies, local storage. Writiting down observation from this step is essential.

Threat modeling

It’s time to make use of your notes from the reconnaissance phase. List all of the application functionalities and map this to known vulnerabilities. What can go wrong if the attacker misuses the presented functionality? There are threat modeling lessons that I find very useful, it’s from Jakub Kaluzny from SecuRing - you can watch it here.

Tests preparation

In this step, you should prepare a code base for tests. This depends on the type of application that you are auditing, but in general:

Turn on the application, database, and system logging policy to the most detailed (like debug) and find a place where logs are stored.
Set up the environment for application debugging. It’s very handy to work with a debugger instead of a console.logging/printing messages.
Sometimes it’s also useful to observe interactions between application and system in. ex. windows sysinternals Procmon and ProcessHacker can become handy.

Understand the application

Before starting to look for vulnerabilities, it’s worth to know how the application is structured and understand used coding patterns. It can become easier if the application is based on some framework or uses well-known architecture like MVP. All exceptions from standards like places where database query is done without ORM or parts of the application that use custom code instead of framework capabilities, could be helpful in vulnerability search. Using debugger can make this step easier.

In this phase I’m trying to answer the following questions:

What framework application uses?
How routing works?
How requests with user input are handled?
Where is the application configuration located?
How session is handled?
How it interacts with a database?
How it handles authorization?
How it handles authentication?

Automatic scans

Warning. You can’t use automatic scanners in OSWE exam but it becomes really handy in real-life engagements, to localize low-hanging fruits. I have a local lab with three tools:

SonarQube Community for static code analysis
OWASP Dependency check for finding vulnerabilities in application dependencies
Burp Professional for application dynamic analysis utilizing scanner module

Manual code review

and real fun starts now. To summarize, following data is gathered from previous enumeration steps:

basic knowledge of the application and its functionalities,
threat model,
insight into how the application is structured and how it works,
low-hanging fruits from the automatic analysis.

The OffSec exam and CTF’s are different from the real-life scenario. Usually, in real engagement, you should stick to penetration testing methodologies like OWASP Testing Guide to make sure your tests for all well-known vulnerabilities and deliver a comprehensive report.

In CTF the goal is usually to get full control over the application and underlying system. Firstly, look for some kind of authentication bypass as in general it’s easier to find more serious vulnerabilities like RCE as admin user than as non-logged in. When looking for authentication bypass, focus on all application functionalities related to login and registering user, such as:

simple logic flaws related to login in. ex. possibility to register as a user with the highest privileges
password reset
try bruteforcing login panel - pay attention to account blocking mechanisms
weak crypto related to session handling
SQL injection vulnerabilities, to extract password hashes or plaintext passwords from DB
how an application is protected against XSS, maybe it’s possible to hijack admin sessions using XSS-based vulnerability?

Having access to the application as a privileged user, you can utilize all of its functionalities to get RCE or find flags. Things like insecure deserialization flaws, unrestricted file upload vulnerabilities, or SQL injections could be an important ingredient in your RCE kill chain recipe.

Have you find is useful? Do you have other white box testing flow? Please find me @twitter and discuss.

Happy hacking!

Resources

web application vulnerability refresher - PortSwigger Academy
javascript for pentesters in Pentester Academy
burp refresher from Bugcrowd University
resource mentioned in wetw0rk github repo
security code review series from Paul Ionescu
Nathan Rague OSWE Review and Exam Preperation Guide

Published Mar 21, 2021

Pentesting

Blockchain Security / Building and breaking on Solana / Offensive Security Engineer'meltedblocks on Twitter