Walking an Application Flashcards
What is Walking an Application?
This is the manual review of a web application for security issues using only in-browser developer tools.
What are the primary Developer Tools that you’ll be working with?
View Source, Inspector, Debugger, and Network
Why is information gathering important?
Information gathering and recon are two very important parts of the job. By observing an application, you’re also able to look for any potential vulnerabilities.
What are two examples of possible places where site vulnerabilities can occur?
Any forms on the page can potentially be vulnerable, as well as any part of the page that’s able to take user input.
Developer Tool Review: What is the Page Source tool?
The Page Source is the human-readable code that’s returned to us every time we make a request to the web server. Important Note: The Page Source is from the Web Server.
What are some benefits to looking at the Page Source?
For one, when you look at the page source there’s always a possibility that you can find sensitive information stored in the source code by the developers. This information can be hidden in comments and even in <a> tags that link to other private paths. Another benefit is potentially being able to discover the framework that a site was built with.
Why is Framework information valuable?
Frameworks have specific vulnerabilities that are kept and tracked by third-party sites. By discovering the framework of an application, you can uncover potential vulnerabilities from the framework itself.
What is a Developer Tool?
Developer Tools are tool kits for developers that exist in most modern browsers and are used for debugging. However, for a Pentester or Hacker, the Developer Tools give us a very necessary peek under the hood of how a site functions.
Why can’t we simply look at the page source to gain a full picture of how a site works?
Even though page source is a good tool, it doesn’t show us any CSS or JavaScript interactions, which can change the appearance of the page.
Developer Tools: What does the Inspector Dev Tool do?
Inspector gives you the full picture of how a site is working by providing the page source, along with ways to see both the CSS used on a site and all of the JavaScript interactions. You’ll also gain the ability to interact with and change the page; however, those changes will only appear in your browser.
Developer Tools: What does the Debugger Developer Tool do?
The debugger tool is used primarily by developers to debug JavaScript. However, as a Pentester/Hacker, we use the debugger dev tool to gain more insight into specifically the JavaScript interactions used on the page.
More Information on Debugger:
The JavaScript shown in the debugger dev tool may have been obfuscated by the developers by putting everything on one line. Using the ‘pretty print’ option reformats it so the JavaScript is readable.
Developer Tools: What is the Network Developer Tool?
The Network Developer Tool allows for tracking of all external requests a web page makes.