Intro to web application testing

Penetration Testing Wiki

HTTP Protocol

Proxy request:

CONNECT www.example.com:443 HTTP/1.1

Proxy request with authentication:

CONNECT server.example.com:80 HTTP/1.1 
Host: server.example.com:80 
Proxy-Authorization: basic aGVsbG86d29ybGQ=

Check open proxy request:

echo -ne "CONNECT http://$DOMAIN HTTP/1.1\r\nHost: $DOMAIN\r\n\r\n" | nc $IP 8080

Fuzzing websites and HTTP protocol

wfuzz: Web application fuzzer. Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.

https://github.com/xmendez/wfuzz

pip install wfuzz
wfuzz -w wordlist/general/common.txt --hc 404 http://$DOMAIN/FUZZ
wfpayload -z range,0-10
wfencode -e md5 test

Fuzz HTTP methods:

wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://$DOMAIN/

Through a proxy:

wfuzz -z file,wordlist/general/common.txt -p localhost:8080 http://$DOMAIN/FUZZ

More tools using a proxy: https://pentestwiki.org/webpentest-through-socks-proxy/

Brute-force usernames in WordPress:

wfuzz -c -z file,fsoc.dic — hs Invalid -d “log=FUZZ&pwd=aaaaa” http://$DOMAIN/wp-login.php

References:

JWT

JWT types:

  • JWS (Signature)
  • JWE (Encryption)

Debugging payloads:

  • https://jwt.io/ Auth0 JSON Web Tokens (JWT) debugger (encoder/decoder)
  • Unsecure JWS: Check if alg:none

SAML

MIME types

A media type (also known as a Multipurpose Internet Mail Extensions or MIME type) is a standard that indicates the nature and format of a document, file, or assortment of bytes. It is defined and standardized in IETF’s RFC 6838.

Most common MIME types:

  • text/plain
  • text/html
  • text/css
  • text/javascript
  • application/octet-stream
  • image/png
  • image/webp
  • multipart/form-data

Interesting MIME types:

  • application/dime: Direct Internet Message Encapsulation: Sending binary data with SOAP messages
  • application/x-thrift or application/vnd.apache.thrift.binary: Used to serialize binary data being sent to an API
  • application/x-protobuf: Used to serialize binary data being sent to an API
  • application/wasm: WebAssembly streaming compilation

More on MIME types here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types

About me

My name is Jacobo Avariento. I got a Master’s Degree in Computer Science and specialized in cybersecurity in 2001. With more than 15 years in the cybersecurity industry as a consultant and penetration tester working for top tier banks, the European Central Bank, pharmaceutical, automotive and gaming companies.

I hold Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) and Certified Blockchain Security Professional (CBSP) certifications.

OSCP Certification

CEH Certification

© 2021 DEFENSAHACKER Academy