Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Application Testing Methodology & Scope Based Recon

Harsh Bothra
October 29, 2020

Application Testing Methodology & Scope Based Recon

This talk is about how to organize your penetration testing with a proper methodology and ensure that how you maximize your potential attack surface. This will also enable you to understand more about Scope Based Recon tactics.

Harsh Bothra

October 29, 2020
Tweet

More Decks by Harsh Bothra

Other Decks in Technology

Transcript

  1. A P P L I C A T I O N T E S T I N G M E T H O D O L O G Y
    &
    S C O P E B A S E D R E C O N
    B Y : H A R S H B O T H R A

    View full-size slide

  2. W H O A M I ?
    • Cyber Security Analyst at Detox Technologies
    • Synack Red Teamer
    • Bugcrowd MVP 2020 Q1-Q2 & TOP 150 in Leaderboard
    • Author – Multiple Hacking Books (R’cmd by AICTE,
    NITTTR-Chandigarh)
    • Blogger | Speaker | Poet
    • Lifelong Learner
    @harshbothra_

    View full-size slide

  3. AGENDA
    Application
    Testing
    Methodology
    Threat
    Mapping
    Manual
    Testing
    Approach
    Recon 101
    Scope Based
    Recon
    Methodology
    Small Scope
    Recon
    Medium
    Scope Recon
    Large Scope
    Recon
    Offensive
    Recon Tactics
    Q/As
    @harshbothra_

    View full-size slide

  4. A P P L I C A T I O N T E S T I N G
    M E T H O D O L O G Y
    Define Target Scope
    Define
    Understand Application Business Logic
    Understand
    Prepare Threat Map
    Prepare
    Perform Scope Based Recon
    Perform
    Perform Manual Pentest
    Perform
    Perform Application Specific Attacks
    Perform
    Learn what you lack & hit back on the target
    Learn

    View full-size slide

  5. T H R E A T
    M A P P I N G
    Verify Verify all these test cases while you perform assessment
    Create Create Possible C.I.A. & C.R.U.D Impact Scenario
    Write Write Theoretical Attack Scenario for Each Function
    List List All Component & Functionality
    Navigate Navigate Application

    View full-size slide

  6. M A N U A L
    T E S T I N G
    A P P R O A C H
    Understand Application Flow
    Figure Out various possible Flows of same feature
    Try to break the application flow
    Test every possible test case for each individual
    functionality
    Do not miss any test case even if it’s complicated
    Rely less on tools, Proxy tool is good go.
    Learn and Hack

    View full-size slide

  7. R E C O N 1 0 1
    • Way to discover & create a better attack
    surface! (We’ll see how)
    What is Recon ?
    • Increased Attack Surface == More Security
    Issues
    • Looking at less travelled road == More
    Success
    • Digging assets of your target to the
    deepest point possible.
    • Recon != Security Issues but increases
    probability of getting >> Security Issues.
    Why Recon?
    @harshbothra_

    View full-size slide

  8. B U S T I N G T H E M Y T H S
    • Recon == Bugs
    • Recon == Asset Discovery == Increasing Attack Surface
    • Recon == Manual Approach
    • Best way to perform Recon is to use hybrid approach – Automation + Manual
    • Recon == Time Consuming
    • If performed properly & automated in right way, you can save a lot of time
    • Recon == Subdomain Enum, Whois, Port Scanning & Fuzzing, etc.
    • Ways to perform Recon is all about how creative you can be to identify assets and
    increase attack surface. However, the above mentioned are some well known methods.
    @harshbothra_

    View full-size slide

  9. S C O P E B A S E D R E C O N
    • Scope Based Recon is a simply methodology to divide How to Perform when a specific set of Scope is
    Provided.
    • Scopes are divided into three categories:
    • Small Scope
    • Medium Scope
    • Large Scope
    • Why Scope Based Recon?
    • Saves a lot of time
    • You know what exactly to look for
    • You can easily automate your recon workflow
    • Less-chance to submit Out-of-Scope Issues
    • Just like other security methodologies enables you perform a better Recon
    @harshbothra_

    View full-size slide

  10. S C O P E S
    • Specific set of Single
    URLs/Sandbox/QA/Staging
    Environment
    Small Scope
    • Specific set of “*.target.com”
    Medium Scope
    • Complete Internet presence including
    Acquisitions & Copyrights
    Large Scope
    @harshbothra_

    View full-size slide

  11. S M A L L
    S C O P E
    R E C O N
    What to look for while performing Recon
    • Directory Enumeration/Bruteforcing
    • Service Enumeration
    • CVEs
    • Port Scanning
    • Broken Link Hijacking
    • JS Files for Hardcoded APIs & Secrets
    • Parameter Discovery
    • Wayback History & Waybackurls
    • Google Dork (Looking for Juicy Info related to Scope Domains)
    • Potential URL Extraction for Vulnerability Automation (GF Patterns
    + Automation Scripts)
    @harshbothra_

    View full-size slide

  12. M E D I U M S C O P E R E C O N
    What to look for while Recon:
    • Subdomain Enumeration
    • Subdomain Takeovers
    • Misconfigured Third-Party Services
    • CVEs
    • Port Scanning
    • Misconfigured Storage Options (S3 Buckets)
    • Broken Link Hijacking
    • Directory Enumeration
    What to look for while Recon:
    • Service Enumeration
    • JS Files for Domains, Sensitive Information
    such as Hardcoded APIs & Secrets
    • GitHub Recon
    • Parameter Discovery
    • Wayback History & Waybackurls
    • Google Dork for Increasing Attack Surface
    • Internet Search Engine Discovery
    (Shodan, Censys, Fofa, BinaryEdge, Spyse Etc.)
    • Potential URL Extraction for Vulnerability
    Automation (GF Patterns + Automation Scripts)
    @harshbothra_

    View full-size slide

  13. L A R G E S C O P E R E C O N
    • What to look for while Recon:
    • Tracking & Tracing every possible
    signatures of the Target Application (Often
    there might not be any history on Google
    related to a scope target, but you can still
    crawl it.)
    • Subsidiary & Acquisition Enumeration
    (Depth – Max)
    • DNS & SSL Enumeration
    • CVEs
    • ASN & IP Space Enumeration and
    Service Identification
    • Subdomain Enumeration
    • Subdomain Takeovers
    • Misconfigured Third-Party Services
    • Misconfigured Storage Options (S3 Buckets)
    • Broken Link Hijacking
    • What to look for while Recon:
    • Directory Enumeration
    • Service Enumeration
    • JS Files for Domains, Sensitive Information
    such as Hardcoded APIs & Secrets
    • GitHub Recon
    • Parameter Discovery
    • Wayback History & Waybackurls
    • Google Dork for Increasing Attack Surface
    • Internet Search Engine
    Discovery (Shodan, Censys, Fofa, BinaryEdge,
    Spyse Etc.)
    • Potential URL Extraction for Vulnerability
    Automation (GF Patterns + Automation
    Scripts)
    • And any possible Recon
    Vector (Network/Web) can be applied.
    @harshbothra_

    View full-size slide

  14. S M A R T
    O F F E N S I V E R E C O N TA C T I C S
    @harshbothra_

    View full-size slide

  15. S M A R T
    O F F E N S I V E A P P R O A C H F O R R E C O N
    Choose Scope Based
    Recon
    Create a Script for
    Automating Scope Based
    Recon
    Run Automation Script over
    Cloud.
    Manually Recon (GitHub &
    Search Engine Dorking)
    while Automation
    Completes.
    Create Cron
    Jobs/Schedulers to Re-Run
    specific Recon task to
    identify the new assets.
    Implement alerts/push for
    Slack or preferred
    @harshbothra_

    View full-size slide

  16. Q / A A R E W E LC O M E
    @harshbothra_

    View full-size slide

  17. G E T I N
    T O U C H A T
    @harshbothra_
    Website – https://harshbothra.tech
    Twitter - @harshbothra_
    Instagram - @harshbothra_
    Medium - hbothra22.medium.com
    LinkedIn - @harshbothra
    Facebook - @hrshbothra
    Email – [email protected]

    View full-size slide