My Web App Pentesting Experience
I have conducted a significant number of web app pentests over the years. In the beginning of my web app pentesting days I was so excited when I discovered a significant vulnerability – such as session hijacking or stealing the session cookie via an XSS attack. I thought I had captured the flag and I was so proud.
That excitement began fading as time went on.
My next mental evolution of web app pentesting was getting over this naivety that any website developed by a multinational company would have secure web apps. I was convinced of this because these are big name companies with deep pockets. They would absolutely put the funding in to ensure their sites are secure. Boy, was I ever wrong.
Some of these global companies have significant vulnerabilities on their sites. I now conclude that almost every web app will have some vulnerability. It could range from weak session management to information disclosure or improper error handling.
At this stage of my career, I rarely get surprised anymore when I discover a finding. That doesn’t mean I don’t love what I do – far from it, in fact. Web App pentesting is a skill where you never flat line. One can always learn more and that is what keeps me motivated to keep growing in this fine art.
Top Vulnerabilities Discovered in 2016
It seems like every year I find a few common vulnerabilities among the sites I assess. 2016 was no different.
- I saw many examples of poor session management implementations, specifically related to session tokens.
- Next I found many sites vulnerable to Cross Site Request Forgery (CSRF).
- Finally, I saw many Reflected Cross Site Scripting (XSS) vulnerabilities. Time and time again I see input fields not being sufficiently sanitized.
In this article, I will briefly demonstrate a quick method to test for weak session management. I will cover a couple of methods for testing CSRF and reflected XSS in future posts.
Vulnerability – Session Management
One quick test I recommend is to test for session invalidation after log out. Often I have seen the session tokens deleted on the browser when a user clicks logout. The problem is that the token does not get invalidated server side.
Let’s go through an example. I will be using Mutillidae II for this demonstration but the principles are the same no matter what site you test. You can get this test site by downloading the OWASP Broken Web App. I am testing the site using Firefox along with the Cookie Manager add-on.
1. Open up Mutillidae II and log in using the default admin/admin username and password. You should see that you are now logged in.
2. Open up Firefox Cookie Manager add-on and take note of the tokens used in authentication.
3. Backup all session tokens from Cookie Manager. Do this by highlighting all the cookies. Right-click and select Backup All.
4. Copy the URL from the browser's address bar and save it. It will be used later in our tests to determine if bypassing authentication is possible.
5. Now log out of the application and ensure you see the Login/Register link. This ensures you are not logged in.
6. Go back to cookie manager and notice the userid and username tokens are gone.
7. In Cookie Manager, right-click in an open area and select Restore All. Now select the cookies you backed up in step 3.
8. You should have imported all the old tokens. These tokens should not be valid as the session related token should have been invalidated when we clicked Logout.
9. Enter the URL you saved in step 4 to access an authenticated portion of the site. Notice you are logged in as admin. You never had to authenticate yourself. The old session tokens were still valid. Bad! This demonstrates that the session token does not get invalidated on the server side. A scenario where this poor session management implementation can be exploited is if an XSS vulnerability on the site was leveraged to steal the session tokens. These tokens can continue to be used to bypass authentication by an attacker because they have not been invalidated server side.
This is a simple method to determine if session tokens get invalidated server side. I have run this test on every web app pentest I have conducted and found a number of websites not properly invalidating session tokens. Web application authors cannot rely only on client-side security. Server-side security must also be implemented to ensure a layered security approach is used.
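To make the server-side point concrete, here is an added example (my own code, not part of the original article and not taken from Mutillidae II or the OWASP Broken Web App) that models the two logout implementations side by side. The `SessionStore` class, its method names and the cookie header strings are all constructed for this illustration. `session_survives_logout()` replays the manual procedure above in code: log in, back up the token, log out, restore the backup and ask whether it still authenticates. With the client-only logout the backed-up token keeps working, which is exactly the finding the Cookie Manager test surfaces; with the server-side logout it is rejected.

```python
import secrets
import time

# Hypothetical minimal session registry, constructed for this example.
class SessionStore:
    """Server-side record of live sessions.

    A token authenticates a request only while it is present in this
    registry and has not expired; the cookie sitting in the browser
    proves nothing on its own.
    """

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}  # token -> {"user": str, "expires": float}
        self._ttl = ttl_seconds

    def login(self, username):
        """Issue a fresh, unguessable token and register it server side."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "expires": time.time() + self._ttl}
        return token

    def current_user(self, token):
        """Return the user bound to `token`, or None if it is unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[token]
            return None
        return entry["user"]

    def logout_client_only(self, token):
        """Weak pattern: only tells the browser to drop its cookie.

        The server-side entry is left in place, so anyone holding a copy of
        the token (a backup, or a value stolen via XSS) can keep using it.
        """
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout(self, token):
        """Correct pattern: remove the server-side entry, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}


def session_survives_logout(weak_logout):
    """Replay the manual test from the article against the store.

    1. log in; 2. back up the token (the 'Backup All' step); 3. log out so the
    browser forgets the cookie; 4. restore the backup and request an
    authenticated page. Returns True when the old token still authenticates,
    i.e. the finding is present.
    """
    store = SessionStore()
    token = store.login("admin")
    backed_up_token = token  # what Cookie Manager saves in the backup
    if weak_logout:
        store.logout_client_only(token)
    else:
        store.logout(token)
    # The browser's cookie is gone either way; now restore the backup and retry.
    return store.current_user(backed_up_token) is not None


def unknown_token_rejected():
    """Sanity check: a token the server never issued must not authenticate."""
    store = SessionStore()
    store.login("admin")
    return store.current_user("not-a-real-token") is None


if __name__ == "__main__":
    print("client-only logout, old token still valid:", session_survives_logout(weak_logout=True))
    print("server-side logout, old token still valid:", session_survives_logout(weak_logout=False))
```

The design choice worth noting is that `logout()` deletes the registry entry before sending the cookie-clearing header; the header is a courtesy to the browser, and the deletion is what actually ends the session. Expiry in `current_user()` is a second, independent bound, so even a token that was never explicitly logged out stops working after the TTL.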
If you found this article to be valuable, please share it with your friends, family, and coworkers. To read more articles like this one, visit my article catalogue.