Eagle Eye: Efficient Directory and File Enumeration
The article uses the childhood game of hide and seek to introduce the reconnaissance phase of web application penetration testing, emphasizing the importance of identifying the framework, enumerating files and directories, and testing other API versions. 2025-8-7 13:22:30 Author: redsiege.com (view original)

by Stuart Rorer

Hide and Seek

I always loved playing hide and seek as a kid. Our house had a laundry chute in the upstairs bathroom, which made it easy to send items needing to be washed down to the basement laundry room. It was my absolute favorite hiding area; I would slip in and wedge myself in. Keep in mind I was probably about four years old, but no one could ever find me. Eventually my Mom found out about it and nearly had a heart attack, so that put an end to my favorite hiding spot.

When pentesting web applications, it can often feel a bit like hide and seek. We are trying to find vulnerabilities that aren’t always easily spotted. Maybe it’s a specific parameter that allows Cross-Site Scripting (XSS), or something broken in the authorization process that lets us access an area we shouldn’t be able to reach. Finding these vulnerabilities depends entirely on our knowledge and our ability to seek and find. One of the first steps toward an effective web test is putting greater focus on the reconnaissance process.

Web Reconnaissance

When dealing with web applications, it pays to spend time searching every nook and cranny for some of the more interesting findings. Sometimes testers fail to take advantage of the reconnaissance process and quickly breeze through it. With some modifications, the initial recon process can yield interesting results. After all, you can’t find vulnerabilities in code you never test!

Enumerating the Framework

One of the first steps should be to figure out what framework is running, along with any back-end information about the web server. With this knowledge, we can research the framework for known security issues, as well as any issues that might affect the web server itself. It’s still very common for responses to contain unnecessary version information, such as the Server header below. With this information, an attacker can research attacks specific to the target.

Server Information Revealed in the Response

Often, this can also help us identify the primary language the application is written in, such as when a PHP or ASP.NET banner is displayed.

ASP.NET Information Revealed in Response

Using extensions such as Wappalyzer can help us see all kinds of details regarding the application.

Using Wappalyzer to Identify Framework Information
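The header-based fingerprinting described above can be turned into a quick self-check. The following is an added example, not code from the post or from Red Siege: it parses a raw HTTP response and reports every product/version token found in the headers that commonly leak framework details (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version). The sample response is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Headers that commonly leak server or framework version details.
# Server is the one shown in the post; the X-* headers are emitted by PHP and ASP.NET.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Matches a product token followed by a dotted version, e.g. "Apache/2.4.41" or "PHP/7.4.3".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header section of a raw HTTP response into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def find_version_disclosures(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for every versioned token in a disclosure header."""
    found: List[Tuple[str, str, str]] = []
    headers = parse_response_headers(raw)
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for product, version in VERSION_RE.findall(value):
            found.append((name, product, version))
        # X-AspNet-Version carries a bare version number with no product token.
        if name == "x-aspnet-version" and re.fullmatch(r"\d+(?:\.\d+)+", value):
            found.append((name, "ASP.NET", value))
    return found

# Constructed sample response; the values are illustrative, not taken from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for header, product, version in find_version_disclosures(SAMPLE_RESPONSE):
        print(f"{header}: {product} {version} exposed")
```

Point the parser at your own application's responses to confirm that version banners have been removed before a tester (or anyone else) reads them.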

File and Directory Enumeration

After researching the framework, make sure to update any existing wordlists used for directory and file enumeration to include the configuration files associated with that framework. For example, Vue.js, a common JavaScript web framework used for building user interfaces, has the file structure shown in the image below.

Directory Structure for Vue.js

Sometimes it’s even worth downloading the framework and installing it on a test web server to see how it works and to get a feel for its directory structure. Don’t forget to include extensions like old, bak, back, etc. You might find some backup copies during the enumeration process. Pipe the resulting list into whichever tool you’re using, such as Gobuster or FFuf; Burp’s discovery tool can also be pretty effective.

FFuf for Web Brute Forcing

Old and New

If you notice you are testing a specific version of an API, don’t forget to try accessing older and newer versions. Older versions usually still have bugs that were fixed in the current version, and newer versions often have bugs that haven’t been addressed yet. In the example below, I can edit the URL for the web app and change v2 to v1 or v3, which might yield interesting results.

Trying to Access Different API Versions
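The two wordlist tweaks described in the last two sections (appending backup extensions to framework file names, and rewriting the version segment of an API URL) are small enough to script. This is an added example, not the author’s tooling: the Vue.js-style paths are a constructed sample standing in for the framework listing you would pull from a test install, and the output is meant to be fed to whatever scanner you use, including against your own deployment to verify that no backup copies or forgotten API versions are still served.

```python
import re
from typing import Iterable, List
from urllib.parse import urlsplit, urlunsplit

# Backup and leftover suffixes the post suggests appending to every wordlist entry.
BACKUP_EXTENSIONS = ("old", "bak", "back")

# Constructed Vue.js-style entries; a real run would use the framework's own file listing.
FRAMEWORK_PATHS = ["src/main.js", "src/App.vue", "vue.config.js", "package.json", ".env"]

def expand_wordlist(paths: Iterable[str], extensions: Iterable[str] = BACKUP_EXTENSIONS) -> List[str]:
    """Return each path plus a copy with every backup extension appended, de-duplicated in order."""
    seen, out = set(), []
    for path in paths:
        for candidate in (path, *(f"{path}.{ext}" for ext in extensions)):
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out

# A path segment of the form /v<digits>/ (or /v<digits> at the end of the path).
API_VERSION_RE = re.compile(r"/v(\d+)(?=/|$)")

def adjacent_api_versions(url: str) -> List[str]:
    """Rewrite the first /vN segment of a URL to v(N-1) and v(N+1); v0 is never produced."""
    parts = urlsplit(url)
    match = API_VERSION_RE.search(parts.path)
    if match is None:
        return []                       # not a versioned API path
    current = int(match.group(1))
    variants: List[str] = []
    for n in (current - 1, current + 1):
        if n < 1:
            continue
        new_path = parts.path[:match.start()] + f"/v{n}" + parts.path[match.end():]
        variants.append(urlunsplit(parts._replace(path=new_path)))
    return variants

if __name__ == "__main__":
    print("\n".join(expand_wordlist(FRAMEWORK_PATHS)))
    print("\n".join(adjacent_api_versions("https://app.example/api/v2/users?id=1")))
```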

Conclusion

Even though recon can feel like a boring, drawn-out task, putting more effort into it pays dividends and can open up more potential attack paths. Taking the time to research the target framework and tailor your wordlists is an effective way to up your recon game. Who knows what vulnerabilities are hiding, just waiting to be found?


About Stuart Rorer, Security Consultant

Stuart has worked in the IT industry for more than twenty years and in cyber security for the past twelve. He has held jobs in the education, government, and private sectors, and for the last few years has specialized in web application penetration testing. Stuart has performed testing for clients in all sectors, many of them in the Fortune 500. He enjoys spending time on research and exploring new penetration testing tactics and techniques.

Certifications:

CPT, ECPPT, ECSA, CEH, SEC+


Source: https://redsiege.com/blog/2025/08/eagle-eye-efficient-directory-and-file-enumeration/