8 - Web App Pen Testing Flashcards

1
Q

White-box vs Black-box vs Gray box App Pen Testing?

A
  • White-Box: organization provides info in advance (app design, info from interviews, software requirements, risk analysis)
  • Black-Box: No info provided in advance
  • Gray-Box: Some info provided in advance
2
Q

What is Web App Pen Testing?

A

Assessment to find any security weaknesses, technical flaws, or vulnerabilities that may exist in the application. Every possible attack is simulated.

3
Q

What is a Web Application Security Frame?

A

Classified into the following areas:

  • Input Validation
  • Authentication and Authorization
  • Cryptography
  • Configuration Management
  • Exception Management
4
Q

What are the steps for web app pen testing?

A
  • Discover Web App Default Content
    • Web Enumeration
    • Browse Website URL and Internal URLs
    • HTML Code (read comments, tags, action attribute)
    • Identify Server side tech (examine cookies, error pages, technology)
    • Identify Technology used to build target website
  • Discover Web App Hidden Content
    • Identify Sitemap (.xml file that lists all publicly available pages)
    • Web Spidering (visits every page and indexes everything)
    • Mirror and Crawl Websites
    • Perform Directory Brute Forcing
    • Identify Restricted Directories (robots.txt)
    • Extracting Common Word List
  • Conduct Web Vulnerability Scanning
  • Identify the Attack Surface Area
    • Identify Entry Points for User Input
    • Map Attack Surface
  • Test for SQL Injection Vulnerabilities
  • Test for XSS Vulnerabilities (Test URLs, Search Field, User Agent)
  • Test for Parameter Tampering
  • Test for Weak Cryptography Vulnerabilities
    • Check for Weak SSL Ciphers
    • Check for Insecure Cryptography Storage
    • Detect Use of Weak Encoding Techniques
  • Test for Security Misconfiguration Vulnerabilities
    • Test Inner workings of Web App
    • Test Database Connectivity
    • Test Application Code (backdoors, exception handling, misuse of accts, test for HTML comments)
    • Test for a WAF
    • Test for Debug Parameters
    • Test for Improper Error Handling
  • Test for Client Side Scripting
    • Identify Technologies
    • App’s Reliance on Client Side Validation
    • Test Client-side Controls Over User Input
    • Test Transmission of Data via Client
    • Test ActiveX Controls
    • Test Shockwave Flash Objects
    • Check for Frame Injection
    • Test User Protection via Browser Settings
  • Test for Broken Authentication
  • Test for Broken Session Management Vulnerabilities
  • Test for Web Services Security
    • Perform Web Services Attack
    • Perform Web Services Probing Attack
    • Test for XML Structure (DoS the XML Parser)
    • Test for XML Content-level
    • Test for Web Services XML Poisoning
    • Test for WS HTTP GET Parameters/REST Attacks
    • Test for Suspicious SOAP Attachments (attach and post a SOAP message with non-destructive virus)
    • Test for XPATH Injection Attack (XPATH is language used to refer to parts of an XML document)
    • Test for WS Replay
  • Test for Business Logic Flaws
    • Test for Logic Flaws
    • Identify Key Attack Surface (Application Mapping)
    • Test Multistage Processes
    • Test Handling of Incomplete Input (check each parameter in turn)
    • Test Trust Boundaries
    • Test Transaction Logic
  • Test for Web Server Vulnerabilities
    • Perform HTTP Service Discovery (Scan common ports for services to exploit)
    • Perform Banner Grabbing to Identify the Target Web Server
    • Perform Web Server Fingerprinting using httprint (tool)
    • Perform Advanced Web Server Fingerprinting using HTTPRecon
    • Test for Default Creds
    • Test for Dangerous HTTP Methods
    • Enumerate Webserver Directories
    • Test for Proxy Functionality
    • Test for Virtual Hosting Misconfiguration
    • Test for Web Server Software Bugs
    • Web Server Vulnerability Scanner: NIKTO
  • Test for Thick Clients Vulnerabilities
    • Pen Testing Thick Clients
5
Q

What is Identifying functionality?

A

Determining the core functionality of an app and checking each function it is designed to perform. Also check for the key security mechanisms employed by the app.

6
Q

What is Netcraft used for?

A

Helps find:

  • Background Info: Site title, rank, etc
  • Hosting History: Web server IP address, web server version, OS
  • Network Info: IP address, domain registrar, organization address, host country, netblock owner, DNS admin, reverse DNS
  • Site Tech: Server side, Client side
7
Q

What are some common server side technologies?

A
  • .pl: Perl CGI script
  • .asp: Active Server Pages (MS IIS)
  • .aspx: ASP+ (MS .NET)
  • .php: PHP script
  • .cfm: ColdFusion
  • .nsf: Lotus Domino Server
  • .jsp: Java Server Page
  • .do: Java Struts
8
Q

What are the most common entry points for SQL injection?

A
  • Search Web Pages
  • URL bar contents
  • Web Form Input Values
  • Public APIs
  • DCOM methods
  • Network Packets
  • Profile-related web pages
  • Authentication Forms
  • E-Commerce related pages
  • Inter-Process Communication Pipe
  • Web Service Methods
9
Q

What are some techniques to throw Database errors?

A
  • Grouping: Using the HAVING clause to generate errors that reveal which columns have not been grouped
  • Type Mismatch: Insert strings into numeric field
  • Blind Injection: Use time delays or error signatures to extract info. (Do this when apps do not provide detailed errors)
10
Q

What are some SQLi techniques to evade the IDS?

A
  • Using 'OR 1=1' Equivalents ('john' = 'john'; 7>1)
  • Using Char Encoding (ex. "root" = 114, 111, 111, 116)
  • Manipulating White Spaces (drop or add white spaces between keywords can help evade IDS without altering execution of SQL statements)
  • Inline Comments (/*…*/)
  • Obfuscated Code
11
Q

What are some methods for testing SQLi vulnerabilities?

A
  • Identify Injection Points
  • Identify SQL Injectable Entry Points in HTTP Request (GET & POST requests)
  • Perform Database Fingerprinting (errors)
  • Detect SQL Injection Vulnerabilities by manipulating a parameter
  • Determine the Database Schema using Error-Based SQL Injection (DB, Table, Column, Field)
  • Determine the Database Schema using Union-Based SQL Injection
  • Determine the Database Schema using Blind SQL Injection
  • Determine Privileges, DB structure, and column names
  • Extract Data using Blind SQLi
  • Extract 1st table entry using Blind SQLi
  • Insert, Update, and Delete Data from DB
  • Attempt a DoS Attack using SQLi (using very complex queries; drop table)
  • Evade IDS
  • Bypass Website Authentication (login as diff user, provide your own hash)
  • Perform a Function-Call Injection Attack
  • Perform Buffer Overflow attack
  • Access System Files and Execute Remote Commands (LOAD_FILE(), INTO OUTFILE)
  • Replicate DB Structure and Data (OPENROWSET)
  • Use OPENROWSET to Escalate Privileges on MSSQL
  • Extract SQL-Server Password Hashes
12
Q

What are some techniques for Parameter Tampering?

A
  • URL Parameters
  • Hidden Parameters
  • Directory traversal
  • Check for Unvalidated Redirects and Forwards
  • Unrestricted File Upload Vulnerability
  • HTTP Response Splitting/CRLF Injection Attack
13
Q

What are some authentication testing techniques?

A
  • Understand authentication Mechanism
  • Test Password Quality
  • Test for Username Enumeration
  • Test Resilience to Password Guessing
  • Test Account Recovery and Remember Me Function (Password Changing, Password Recovery, “Remember Me” Exploit)
  • Perform password Brute-Forcing
  • Session ID Prediction
  • Modifying Input Fields
  • HTTP Request Tampering (Query String Tampering, HTTP Headers)
  • Perform Authorization Attack - Cookie Parameter Tampering
  • Understand Access Control Requirements (Horizontal Segregation, Vertical Segregation)
  • Testing with Multiple Accounts
  • Testing with Limited Access
  • Test for Insecure Access Control Methods
  • Test Segregation in Shared Infrastructure
  • Test Segregation in ASP-hosted Apps
  • Connection String Injection
  • Test for Connection String Parameter Pollution (CSPP) Attacks
    • Hash Stealing: Attacker has victim connect with rogue server to steal hash
    • Port Scanning
    • Hijacking Web Creds
  • Test for Connection Pool DoS
14
Q

What are some methods for testing Session Management Vulnerabilities?

A
  • Understand Session Management Mechanism
  • Test Tokens for Meaning
  • Session Token Prediction
  • Perform Session Token Sniffing
  • Check for Insecure Transmission of Tokens
  • Check for disclosure of Tokens in Logs
  • Check Mapping of Tokens to Sessions
  • Test Session Termination
  • Test for Session Fixation Attack
  • Test for Session Hijacking
  • Check for XSRF (Cross-Site Request Forgery)
  • Check Cookie Scope (is cookie set to a specific domain)
  • Test Cookie Attacks (Modify or steal cookie)
15
Q

What is the Multistage Process?

A

Involves a defined sequence of requests; the test attempts to submit these requests out of the expected sequence.

  • Check if series of stages can be accessed via a series of GET or POST requests for distinct URLs.
  • Verify if multistage process involves different users performing operations on the same set of data. (take each parameter submitted by one user and submit it as another)
  • Check if multistage functions are accessed out of sequence
16
Q

What are the 3 main types of Thick Client pen testing?

A
  • Dynamic Testing: Tester performs activities like fuzzing, traffic interception, analysis, and injection
  • System Testing: Tester analyzes local storage for data leakage. Checks files, registries, process, temp folder, application folder
  • Static Testing: Analyzes config files, URL, server creds, cryptographic keys, hardcoded passwords. Performs reverse engineering
17
Q

What are some Web App countermeasures?

A
  • SQLi
    • Limit length of user input
    • Use custom error messages
    • Monitor DB traffic using an IDS, WAF
    • Disable commands like xp_cmdshell
    • Isolate database server and web server
  • Broken Authentication and Session Management
    • SSL for all authenticated parts of the app
    • Verify whether all users' identities and credentials are stored in hashed form
    • Never submit session data as part of a GET, POST
  • Weak Cryptography
    • Do not create or use weak cryptographic algos
    • Generate encryption keys offline and store them securely
    • Ensure that encrypted data stored on disk is not easy to decrypt
  • Broken Access Control
    • Perform access control checks before redirecting the authorized user to requested resource
    • Avoid using insecure IDs to prevent an attacker from guessing them
    • Provide session timeout mechanism
    • Limit file permissions to authorized users to prevent misuse
  • Security Misconfiguration
    • Configure all security mechanisms and turn off all unused services
    • Setup roles, permissions, and accounts and disable all default accounts or change their passwords
    • Scan for latest security vulnerabilities and apply the latest security patches
    • Non-SSL requests to web pages should be redirected to the SSL page
    • Set the ‘secure’ flag on all sensitive cookies
    • Configure SSL provider to support only strong algos
    • Ensure the certificate is valid, not expired, and matches all domains used by the site
    • Backend and other connections should also use SSL or other encryption technologies
  • XSS Attack
    • Validate all headers, cookies, query strings, form fields and hidden fields
    • Use testing tools extensively during design phase
    • Use a web app firewall
    • Convert all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums
    • Encode Input and output and filter Meta characters in the input
    • Do not always trust websites that use HTTPS
    • Filtering script output
    • Verify scripts by public and private keys
  • Directory Traversal
    • Define access rights to the protected areas of the website
    • Apply checks/hot fixes that prevent the exploitation of vulnerabilities
    • Web Servers should be updated with security patches in a timely manner
  • Cross-Site Request Forgery
    • Logoff immediately after using web app and clear the history
    • Do not allow your browser and websites to save login details
    • Check the HTTP Referer header and, when processing a POST, ignore URL parameters
  • Cookie/Session Poisoning
    • Do not store plain-text or weakly encrypted passwords in a cookie
    • Implement cookie timeouts
    • Cookie authentication creds should be associated with an IP address
    • Make logout functions available
  • Web Services
    • Configure WSDL Access Control Permissions
    • Use document-centric authentication credentials that use SAML
    • Use multiple security creds
    • Deploy web service capable firewalls
    • Configure FW/IDS systems for web services anomaly and signature detection