Web Application Penetration Testing
Check HTML version information for valid version numbers and Data
Type Definition (DTD) URLs

• “strict.dtd” -- default strict DTD
• “loose.dtd” -- loose DTD
• “frameset.dtd” -- DTD for frameset documents

Some Meta tags do not provide active attack vectors but instead allow
an attacker to profile an application to

Some Meta tags alter HTTP response headers, such as http-equiv
that sets an HTTP response header based on the content attribute
of a meta element, such as:

which will result in the HTTP header:

Expires: Fri, 21 Dec 2012 12:34:56 GMT

and

will result in

Cache-Control: no-cache

Test to see if this can be used to conduct injection attacks (e.g. CRLF
attack). It can also help determine the level of data leakage via the
browser cache.

A common (but not WCAG compliant) Meta tag is the refresh.

A common use for a Meta tag is to specify keywords that a search engine
may use to improve the quality of search results.

Although most web servers manage search engine indexing via the
robots.txt file, it can also be managed by Meta tags. The tag below
will advise robots to not index and not follow links on the HTML page
containing the tag.

The Platform for Internet Content Selection (PICS) and Protocol for
Web Description Resources (POWDER) provide infrastructure for associating
meta data with Internet content.
Gray Box Testing
Not applicable.

Tools
• Wget
• Browser “view source” function
• Eyeballs
• Curl
Identify application entry points (OTG-INFO-006)

Summary
Enumerating the application and its attack surface is a key precursor
to any thorough testing, as it allows the tester
to identify likely areas of weakness. This section aims to help identify
and map out areas within the application that should be investigated
once enumeration and mapping have been completed.

Test Objectives
Understand how requests are formed and typical responses from the
application

How to Test
Before any testing begins, the tester should always get a good understanding
of the application and how the user and browser communicate
with it. As the tester walks through the application, they should
pay special attention to all HTTP requests (GET and POST Methods,
also known as Verbs), as well as every parameter and form field that
is passed to the application. In addition, they should pay attention to
when GET requests are used and when POST requests are used to
pass parameters to the application. It is very common that GET requests
are used, but when sensitive information is passed, it is often
done within the body of a POST request.

Note that to see the parameters sent in a POST request, the tester will
need to use a tool such as an intercepting proxy (for example, OWASP
Zed Attack Proxy (ZAP)) or a browser plug-in. Within the POST request,
the tester should also make special note of any hidden form fields that
are being passed to the application, as these usually contain sensitive
information (such as state information, quantity of items, or the price of
items) that the developer never intended for you to see or change.
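
The walkthrough above, as an added example that is not from the guide itself: a Python parser that inventories each form's method, action and fields from a saved page, then lists hidden fields and any password field a GET form would place in the URL. The sample HTML, paths and field names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the guide), used as offline input.
SAMPLE_HTML = """
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="/cart/checkout" method="POST">
  <input type="hidden" name="item_id" value="1042">
  <input type="hidden" name="price" value="19.99"><input type="text" name="quantity" value="1">
</form>
<form action="/login">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""

class FormInventory(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            method = (a.get("method") or "get").upper()  # HTML defaults to GET
            self.current = {"action": a.get("action") or "", "method": method, "fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "select", "textarea") and self.current is not None and a.get("name"):
            # Only named controls are submitted, so only those are entry points.
            ftype = (a.get("type") or "text").lower() if tag == "input" else tag
            self.current["fields"].append((a["name"], ftype, a.get("value")))
    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None  # later controls belong to no form

def inventory(html):
    parser = FormInventory()
    parser.feed(html)
    return parser.forms

def review_notes(forms):
    """Lists hidden fields, and password fields that a GET form puts in the URL."""
    notes = []
    for f in forms:
        for name, ftype, value in f["fields"]:
            if ftype == "hidden":
                notes.append(f"{f['method']} {f['action']}: hidden {name}={value!r}")
            elif ftype == "password" and f["method"] == "GET":
                notes.append(f"GET {f['action']}: password field {name} goes in the URL")
    return notes

if __name__ == "__main__":
    print("\n".join(review_notes(inventory(SAMPLE_HTML))))
```

Each hidden field reported is a value the server must revalidate rather than trust, and each GET-submitted password is a candidate for exposure in logs and browser history.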