WEBVTT

00:00:03.600 --> 00:00:11.440
The OWASP Web Security Testing Guide, also known as the WSTG in abbreviated

00:00:11.440 --> 00:00:13.960
format or in abbreviated form.

00:00:13.960 --> 00:00:17.880
So in this video we're going to be taking a look at arguably one of the

00:00:17.880 --> 00:00:24.060
most useful, but still sadly underused resources when it comes down to

00:00:24.060 --> 00:00:26.820
web application penetration testers.

00:00:26.820 --> 00:00:31.020
Now this particular resource that I'm going to share with you right now

00:00:31.020 --> 00:00:38.440
will probably increase your attack intelligence with regards to targeting

00:00:38.440 --> 00:00:40.800
web applications by almost 50%.

00:00:40.800 --> 00:00:45.920
Now you may be sitting there wondering to yourself, you know, what kind

00:00:45.920 --> 00:00:48.900
of lies are you spitting to a select?

00:00:48.900 --> 00:00:53.320
Well, there's a way I can sort of back myself up here and it's not really

00:00:53.320 --> 00:00:57.420
any of my work, although I will be showing you what you can do with this

00:00:57.420 --> 00:00:58.540
particular resource.

00:00:58.540 --> 00:01:02.620
And now you can adapt it to your own requirements, but I've specifically

00:01:02.620 --> 00:01:07.500
mentioned two aspects of the same tool or the same resource.

00:01:07.500 --> 00:01:12.080
You may have heard me mention in the previous video the OWASP Web Security

00:01:12.080 --> 00:01:15.900
Testing Guide and the Web Security Testing Checklist.

00:01:15.900 --> 00:01:19.960
All right. Now I'll explain the difference between the two, but it should

00:01:19.960 --> 00:01:22.880
become apparent, you know, what the difference is.

00:01:22.880 --> 00:01:27.460
But to begin with, what is the OWASP Web Security Testing Guide?
00:01:27.460 --> 00:01:32.820
The OWASP Web Security Testing Guide, also known as WSTG, is a comprehensive

00:01:32.820 --> 00:01:38.420
and community-driven resource provided by the Open Web Application Security

00:01:38.420 --> 00:01:41.040
Project, also known as OWASP.

00:01:41.040 --> 00:01:43.000
Absolutely fantastic contribution.

00:01:43.000 --> 00:01:48.280
The guide aims to help security professionals, developers and organizations

00:01:48.280 --> 00:01:53.420
conduct effective web application security assessments by providing a

00:01:53.420 --> 00:01:58.960
structured and systematic approach to testing web applications for certain

00:01:58.960 --> 00:02:04.600
or for specific security vulnerabilities and outlines the techniques that

00:02:04.600 --> 00:02:09.320
can be performed in order to essentially identify and consequently exploit

00:02:09.320 --> 00:02:12.320
these vulnerabilities or said vulnerabilities.

00:02:12.320 --> 00:02:17.300
So what we have here is pretty much, I would say, I'm never going

00:02:17.300 --> 00:02:21.320
to say something is 100% what you're looking for if you're looking for

00:02:21.320 --> 00:02:25.360
a methodology to start with, but this is a pretty good option.

00:02:25.360 --> 00:02:30.280
So it pretty much serves as a practical and hands-on reference for planning,

00:02:30.280 --> 00:02:35.860
executing and reporting on web application security testing activities.

00:02:35.860 --> 00:02:40.580
And you now may ask the question again, what is the OWASP Web Security

00:02:40.580 --> 00:02:42.660
Testing Guide checklist?

00:02:42.660 --> 00:02:47.760
The OWASP Web Security Testing Checklist is a spreadsheet-based checklist

00:02:47.760 --> 00:02:51.960
that can be used to help you track the status of completed and pending

00:02:51.960 --> 00:02:55.700
test cases.
All right, so you may be a little bit confused still as to

00:02:55.700 --> 00:02:58.480
why are you making us open spreadsheets?

00:02:58.480 --> 00:03:02.380
Well, just hold on and I'll show you how useful this is.

00:03:02.380 --> 00:03:07.100
This checklist is based on the OWASP Web Security Testing Guide and includes

00:03:07.100 --> 00:03:10.920
a comprehensive penetration testing methodology or framework.

00:03:10.920 --> 00:03:15.380
It really should be thought of as a framework that web app testers can

00:03:15.380 --> 00:03:18.140
implement in their pen tests or security assessments.

00:03:18.140 --> 00:03:23.320
It also provides a set of detailed and granular web app security tests

00:03:23.320 --> 00:03:27.540
that outline the various techniques that can be used to test the most

00:03:27.540 --> 00:03:32.520
common web application misconfigurations, flaws or vulnerabilities.

00:03:32.520 --> 00:03:36.100
And when I say test, I mean identify and exploit.

00:03:36.100 --> 00:03:41.260
Moreover, the checklist also contains, and this is what I love, the OWASP

00:03:41.260 --> 00:03:46.180
risk assessment calculator and the summary findings template, an absolutely

00:03:46.180 --> 00:03:51.380
phenomenal resource for anyone getting into web application security testing

00:03:51.380 --> 00:03:54.540
or web application penetration testing.

00:03:54.540 --> 00:03:58.960
So you may be asking yourself, where can I find the guide and the actual

00:03:58.960 --> 00:04:03.860
checklist? Now, before you go ahead and try and find the actual checklist

00:04:03.860 --> 00:04:09.940
spreadsheet, it is very important that you pair it with the guide.
00:04:09.940 --> 00:04:15.220
The best companions with regards to how they work with each other and

00:04:15.220 --> 00:04:19.160
how the guide complements the actual checklist and how you can always

00:04:19.160 --> 00:04:23.680
refer to the guide when you don't understand a particular check or a particular

00:04:23.680 --> 00:04:26.640
test within the actual spreadsheet.

00:04:26.640 --> 00:04:32.980
So, again, before you run off and download it, the actual guide itself

00:04:32.980 --> 00:04:36.960
is something I'm going to focus on first and then you'll see why the natural

00:04:36.960 --> 00:04:42.480
evolution or there is a natural evolution to move to the actual checklist.

00:04:42.480 --> 00:04:46.160
But you'll always be returning back to the guide because it's firstly,

00:04:46.160 --> 00:04:47.820
it's free, it's open source.

00:04:47.820 --> 00:04:52.080
And as I said, if you want to learn about web application security, this

00:04:52.080 --> 00:04:54.340
is the resource I can point you towards.

00:04:54.340 --> 00:04:58.340
So before we actually end, I'm going to switch over into my browser and

00:04:58.340 --> 00:05:00.000
show you where you can find this information.

00:05:00.000 --> 00:05:04.060
And I'm going to then also highlight some really cool things that you

00:05:04.060 --> 00:05:06.680
can do, and this will come naturally to you.

00:05:06.680 --> 00:05:10.380
So with that being said, let me switch over to my browser and let's stop

00:05:10.380 --> 00:05:13.260
the chat and get started.

00:05:13.260 --> 00:05:17.480
All right, so I am back in my browser and again back to Google, and we

00:05:17.480 --> 00:05:22.200
want to search for the OWASP Web Security Testing Guide.

00:05:22.200 --> 00:05:24.340
And of course, you can see it in there.

00:05:24.340 --> 00:05:26.500
And it's going to pretty much be the first link.
00:05:26.500 --> 00:05:28.040
Don't click on any of the other versions.

00:05:28.040 --> 00:05:32.920
I'll explain why the versioning is important both to OWASP and why it should

00:05:32.920 --> 00:05:37.680
be important to you and why I am still on version 4 for some reason.

00:05:37.680 --> 00:05:39.620
But you can see you click on it.

00:05:39.620 --> 00:05:44.700
It takes you to a similar page like the OWASP Top 10 documentation page.

00:05:44.700 --> 00:05:48.180
But the first thing I want to do is go through their definition because

00:05:48.180 --> 00:05:49.400
it's really important.

00:05:49.400 --> 00:05:55.260
So the web application or the Web Security Testing Guide project produces

00:05:55.260 --> 00:05:59.700
the premier cybersecurity testing resource for web application developers

00:05:59.700 --> 00:06:02.400
and security professionals.

00:06:02.400 --> 00:06:06.600
And by the way, the reason they can use this word is because it really

00:06:06.600 --> 00:06:13.940
is the premier. So the WSTG is a comprehensive guide to testing the security

00:06:13.940 --> 00:06:15.720
of web applications and services.

00:06:15.720 --> 00:06:19.680
It was created by the collaborative efforts of cybersecurity professionals

00:06:19.680 --> 00:06:22.740
and dedicated volunteers.

00:06:22.740 --> 00:06:27.920
The WSTG provides a framework of best practices used by penetration testers

00:06:27.920 --> 00:06:30.820
and organizations all over the world.

00:06:30.820 --> 00:06:34.020
And you can take a look at the stable release right over here.

00:06:34.020 --> 00:06:37.520
And I'll tell you that they're currently developing the release version

00:06:37.520 --> 00:06:39.400
5. So that's not yet out.

00:06:39.400 --> 00:06:42.860
But you can take a look at the version releases below this.

00:06:42.860 --> 00:06:46.780
All right.
Now one thing you'll note is that there's multiple ways of

00:06:46.780 --> 00:06:51.500
accessing these guides or even, for example, the OWASP Top 10 list as you

00:06:51.500 --> 00:06:53.120
saw in the previous video.

00:06:53.120 --> 00:06:56.880
The best way is to take a look at the sidebar to the right.

00:06:56.880 --> 00:07:00.120
And you can also take a look at the release versions right over here.

00:07:00.120 --> 00:07:05.060
So the latest release, as of me recording this video, is version 4.2.

00:07:05.060 --> 00:07:08.140
All right. And it gives you a change log as to what changed.

00:07:08.140 --> 00:07:13.120
So it says version 4.2 introduces new testing scenarios.

00:07:13.120 --> 00:07:14.420
Keep that in mind.

00:07:14.420 --> 00:07:18.840
Updates existing chapters and offers an improved writing style and chapter

00:07:18.840 --> 00:07:19.880
layout. All right.

00:07:19.880 --> 00:07:23.540
You can download the PDF there, which is what I recommend.

00:07:23.540 --> 00:07:29.680
Alternatively, you can also take a look at the actual latest version right

00:07:29.680 --> 00:07:34.180
over here. So if I open that up in a new tab, that's going to take you

00:07:34.180 --> 00:07:35.840
to the latest version.

00:07:35.840 --> 00:07:39.440
And this is the actual online version that you can read within your browser.

00:07:39.440 --> 00:07:41.940
So as I said, it's completely free.

00:07:41.940 --> 00:07:45.100
And you can go ahead and take a look at the table of contents.

00:07:45.100 --> 00:07:50.620
Now, I typically like reading the PDF version, because it's much easier

00:07:50.620 --> 00:07:52.160
and I can transfer it over to my other side.

00:07:52.160 --> 00:07:54.580
I've got an iPad and read it at night.
00:07:54.580 --> 00:08:00.460
That's just a joke, but in any case, I know it sounds like I really love

00:08:00.460 --> 00:08:02.420
this, but it'll become clear why.

00:08:02.420 --> 00:08:07.080
So you can click on download the actual Web Security Testing Guide right

00:08:07.080 --> 00:08:10.780
over there. And in this case, this is the actual PDF.

00:08:10.780 --> 00:08:15.120
So it's 465 pages, 100% free.

00:08:15.120 --> 00:08:18.980
And thank you, Elie Saad and Rick Mitchell.

00:08:18.980 --> 00:08:23.060
And you know, what I've said or what I stated is displayed right over

00:08:23.060 --> 00:08:27.940
here, that you're free to share, copy, distribute and transmit the work,

00:08:27.940 --> 00:08:31.780
to remix and adapt the work under the following condition.

00:08:31.780 --> 00:08:36.040
So you need to obviously provide attribution and share alike.

00:08:36.040 --> 00:08:39.120
If you alter, transform or build upon this work, you may distribute the

00:08:39.120 --> 00:08:44.040
resulting work only under the same, similar or compatible license,

00:08:44.040 --> 00:08:47.840
which means you can take this and sell this book or modify a few things

00:08:47.840 --> 00:08:53.100
and sell it because that would essentially go against the original license.

00:08:53.100 --> 00:08:56.860
But the way this is sorted, and I'm not going to dive too deep into this,

00:08:56.860 --> 00:09:00.980
but the way it's sorted is that you have an introduction section that

00:09:00.980 --> 00:09:04.540
will outline the OWASP testing project and its objectives, the principles

00:09:04.540 --> 00:09:09.920
of testing, testing techniques explained, manual inspections and reviews,

00:09:09.920 --> 00:09:13.160
threat modeling, exactly what we highlighted in our methodology earlier

00:09:13.160 --> 00:09:19.040
on.
Source code review, penetration testing, the need for a balanced approach,

00:09:19.040 --> 00:09:25.320
rightfully so. Deriving security test requirements, security tests integrated

00:09:25.320 --> 00:09:27.660
in development and testing workflows.

00:09:27.660 --> 00:09:32.720
So that's very useful for developers and security test data analysis and

00:09:32.720 --> 00:09:36.840
reporting. You then have the actual chapter that focuses on the OWASP testing

00:09:36.840 --> 00:09:38.920
framework in and of itself.

00:09:38.920 --> 00:09:43.280
That outlines the web security testing framework and then breaks down

00:09:43.280 --> 00:09:48.960
multiple phases with regards to before development begins, during definition

00:09:48.960 --> 00:09:52.580
and design, during development, during deployment, during maintenance

00:09:52.580 --> 00:09:58.220
and operations and the typical SDLC testing workflow and then penetration

00:09:58.220 --> 00:10:02.220
testing methodologies and then dives into web application security testing

00:10:02.220 --> 00:10:05.560
or really web app pen testing, if I can say so.

00:10:05.560 --> 00:10:10.800
And then right over here, if I zoom out or actually zoom in a little bit,

00:10:10.800 --> 00:10:14.540
it then breaks down the various phases included or involved in web app

00:10:14.540 --> 00:10:17.280
security testing, like information gathering.

00:10:17.280 --> 00:10:22.480
Now, it doesn't just tell you to perform information gathering, it will

00:10:22.480 --> 00:10:25.400
break it down into a set of tests that you can perform.

00:10:25.400 --> 00:10:31.380
So for example, conduct search engine discovery reconnaissance for information

00:10:31.380 --> 00:10:36.860
leakage.
Let's say we are a web app pen tester and we want to follow this

00:10:36.860 --> 00:10:40.160
methodology and again, don't worry, you don't have to go through the guide

00:10:40.160 --> 00:10:45.520
in a PDF format and constantly refer to different pages or different chapters.

00:10:45.520 --> 00:10:47.520
That's where the checklist comes into play.

00:10:47.520 --> 00:10:49.220
So let's just click on this here.

00:10:49.220 --> 00:10:53.420
Now, it's going to give you an ID and pay attention to this ID because

00:10:53.420 --> 00:10:56.980
it's very important and you can actually reference it in your web app

00:10:56.980 --> 00:11:01.680
testing report. This is what I love about it because it tells you, you

00:11:01.680 --> 00:11:06.040
know, it will firstly give you a summary and then the test objectives,

00:11:06.040 --> 00:11:10.740
how to test, the search engines to utilize in the case of using Google

00:11:10.740 --> 00:11:16.220
dorks and the search operators to use and also provides you with examples

00:11:16.220 --> 00:11:21.520
and, you know, how to view cached content, Google hacking or dorking and

00:11:21.520 --> 00:11:27.160
remediation. So let's take a look at it as an example, right?

00:11:27.160 --> 00:11:29.120
And I'll just briefly explore it.

00:11:29.120 --> 00:11:33.240
So in order for search engines to work, computer programs or robots regularly

00:11:33.240 --> 00:11:35.900
fetch data referred to as crawling.

00:11:35.900 --> 00:11:38.740
And by the way, you can also click on crawling to learn what that is.

00:11:38.740 --> 00:11:42.840
So everything is hyperlinked so that if you don't know the definition

00:11:42.840 --> 00:11:46.860
of a term directly to Wikipedia or even other sources.
00:11:46.860 --> 00:11:51.700
But like, for example, they choose the best answers, you know, around

00:11:51.700 --> 00:11:56.320
the internet to answer specific questions or in response to specific questions

00:11:56.320 --> 00:11:57.700
and then hyperlink them.

00:11:57.700 --> 00:11:59.380
How cool is that?

00:11:59.380 --> 00:12:03.860
So, you know, fetch data, commonly referred to as crawling, from billions

00:12:03.860 --> 00:12:06.400
of web pages or pages on the web.

00:12:06.400 --> 00:12:11.200
These programs find content and functionality by following links from

00:12:11.200 --> 00:12:14.940
other pages, etc., etc., to look for sitemaps.

00:12:14.940 --> 00:12:20.280
If a website uses a special file called robots.txt to list pages that

00:12:20.280 --> 00:12:24.080
it does not want search engines to fetch, then the pages listed there

00:12:24.080 --> 00:12:25.140
will be ignored.

00:12:25.140 --> 00:12:29.060
What that means is you'll not be able to find those pages via Google searches.

00:12:29.060 --> 00:12:30.920
This is a basic overview.

00:12:30.920 --> 00:12:35.960
Google offers a more in-depth explanation of how a search engine works.

00:12:35.960 --> 00:12:39.680
Testers can use search engines to perform reconnaissance on websites and

00:12:39.680 --> 00:12:41.400
web applications.

00:12:41.400 --> 00:12:45.760
There are direct and indirect elements to search engine discovery and reconnaissance.

00:12:45.760 --> 00:12:50.160
Direct methods relate to searching the indexes and the associated content

00:12:50.160 --> 00:12:54.580
from caches, while indirect methods relate to learning sensitive design

00:12:54.580 --> 00:12:58.960
and configuration information by searching forums, newsgroups and tendering

00:12:58.960 --> 00:13:03.260
websites.
Once a search engine robot has completed crawling, it commences

00:13:03.260 --> 00:13:07.300
the indexing of the web content based on the tags and the associated attributes

00:13:07.300 --> 00:13:11.300
such as title in order to return relevant search results.

00:13:11.300 --> 00:13:15.080
So, if the robots.txt file is not updated during the lifetime of the website

00:13:15.080 --> 00:13:20.260
and inline HTML meta tags that instruct robots not to index content have

00:13:20.260 --> 00:13:25.100
not been used, then it is possible for indexes to contain web content

00:13:25.100 --> 00:13:28.180
not intended to be included by the owners.

00:13:28.180 --> 00:13:33.820
Website owners may have used the previously mentioned robots.txt, HTML

00:13:33.820 --> 00:13:37.720
meta tags, authentication and tools provided by the search engines to remove

00:13:37.720 --> 00:13:41.980
such content. So, it's essentially telling you how to find this info.

00:13:41.980 --> 00:13:45.420
And in terms of the objectives, identify what sensitive design and configuration

00:13:45.420 --> 00:13:50.040
information of the application, system or organization is exposed, how to

00:13:50.040 --> 00:13:54.400
test it. And again, this is just reconnaissance, but it'll tell you, as

00:13:54.400 --> 00:13:58.080
I said, the search engines to use, the search operators to learn more

00:13:58.080 --> 00:14:03.740
about, to actually learn more about a particular website and then viewing

00:14:03.740 --> 00:14:06.240
cached content and so on and so forth.

00:14:06.240 --> 00:14:10.600
And I can go, I can actually go through this all day, but let's take a

00:14:10.600 --> 00:14:11.960
look at something even more interesting.

00:14:11.960 --> 00:14:19.240
Like, for example, fingerprinting the web application, let's see, let's

00:14:19.240 --> 00:14:21.620
look for something a little bit better.
00:14:21.620 --> 00:14:24.600
Like, for example, the web server.

00:14:24.600 --> 00:14:28.720
All right, so now this is something that you'll typically see.

00:14:28.720 --> 00:14:32.800
Web server fingerprinting is the task of identifying the type and version

00:14:32.800 --> 00:14:35.320
of the web server that the target is running on.

00:14:35.320 --> 00:14:39.900
While web server fingerprinting is often encapsulated in automated testing

00:14:39.900 --> 00:14:43.520
tools, it is important for researchers to understand the fundamentals

00:14:43.520 --> 00:14:47.580
of how these tools attempt to identify software and why it is useful.

00:14:47.580 --> 00:14:51.500
So, test objectives: determine the version and type of web server to enable

00:14:51.500 --> 00:14:53.780
further discovery of other known vulnerabilities.

00:14:53.780 --> 00:14:55.420
The first technique is banner grabbing.

00:14:55.420 --> 00:14:59.840
We actually took a look at this in this course where we took the actual

00:14:59.840 --> 00:15:03.340
response header for the response header.

00:15:03.340 --> 00:15:05.500
In this case, Server, right?

00:15:05.500 --> 00:15:07.120
And that's one technique.

00:15:07.120 --> 00:15:10.400
And then you can go ahead and take a look at other techniques like sending

00:15:10.400 --> 00:15:14.660
malformed requests, still playing around with requests and responses and

00:15:14.660 --> 00:15:20.220
then using automated scanning tools like Nikto, Netcraft, Nmap, absolutely

00:15:20.220 --> 00:15:24.400
phenomenal. Now, one thing I want to point out, which you guys will really

00:15:24.400 --> 00:15:30.380
love, is the next course within this learning path is focused on information

00:15:30.380 --> 00:15:37.220
gathering, enumeration and reconnaissance, and it follows this exact methodology.
00:15:37.220 --> 00:15:41.100
So, in terms of performing search engine discovery, fingerprinting the

00:15:41.100 --> 00:15:45.740
web server, both manually and automatically, enumerating applications,

00:15:45.740 --> 00:15:46.600
all of that good stuff.

00:15:46.600 --> 00:15:49.880
So, I'm just going to take a look at one final example, and then we'll

00:15:49.880 --> 00:15:52.960
take a look at the checklist and some of the cool things that you can

00:15:52.960 --> 00:15:58.160
do there. So, for example, when we'll be exploring the process of testing

00:15:58.160 --> 00:16:05.320
HTTP methods or verbs within the testing for common attacks course, we'll

00:16:05.320 --> 00:16:09.100
pretty much be following a similar type of methodology with regards to

00:16:09.100 --> 00:16:13.140
the objectives and how we're going to go about performing the tests.

00:16:13.140 --> 00:16:16.520
But you can see, it also tells you that you can do it with Nmap.

00:16:16.520 --> 00:16:20.700
If you didn't know that, you can also play around with testing the PUT

00:16:20.700 --> 00:16:23.860
method right over here to see if you can upload a file.

00:16:23.860 --> 00:16:28.100
You can also test for access control bypasses and how to do that as well,

00:16:28.100 --> 00:16:30.940
testing for cross-site tracing potentials.

00:16:30.940 --> 00:16:35.340
So, if you remember, we covered the HTTP request methods or verbs as they're

00:16:35.340 --> 00:16:41.620
called. And you can also take a look at the remediation options and the

00:16:41.620 --> 00:16:42.920
references right over here.
00:16:42.920 --> 00:16:47.160
So, the point that I'm trying to make is, in addition to having broken

00:16:47.160 --> 00:16:53.380
down pretty much most of the most important phases of a web app pen test,

00:16:53.380 --> 00:16:59.320
this can be used by both an attacker or a bug bounty hunter or a web application

00:16:59.320 --> 00:17:02.720
developer or someone trying to secure a web application.

00:17:02.720 --> 00:17:06.640
Right? So, again, it's broken down into various phases that we touched

00:17:06.640 --> 00:17:10.720
on in the first video within this section.

00:17:10.720 --> 00:17:12.480
So, identity management testing.

00:17:12.480 --> 00:17:15.860
So, if you didn't know what that was about, this is the perfect PDF for

00:17:15.860 --> 00:17:20.420
you. Authentication testing, authorization testing, session management

00:17:20.420 --> 00:17:22.820
testing, input validation testing.

00:17:22.820 --> 00:17:27.040
And now, it's broken down right over here, testing for SQL injection.

00:17:27.040 --> 00:17:28.240
This is what is really cool.

00:17:28.240 --> 00:17:33.660
They know that SQL injection is specific to the backend database being

00:17:33.660 --> 00:17:40.460
the backend database running behind or the backend database being used

00:17:40.460 --> 00:17:42.680
by the web application.

00:17:42.680 --> 00:17:47.760
And it highlights different techniques or tests and objectives for relational

00:17:47.760 --> 00:17:53.700
databases like MySQL, SQL Server, PostgreSQL, Microsoft Access, and then

00:17:53.700 --> 00:17:55.700
also performing NoSQL injection.

00:17:55.700 --> 00:18:00.200
The thing that I love is that it actually provides you the beautiful summary

00:18:00.200 --> 00:18:05.300
and then goes into, for example, testing for NoSQL injection vulnerabilities

00:18:05.300 --> 00:18:10.820
in Mongo. Gives you different examples, multiple examples in fact.
00:18:10.820 --> 00:18:16.460
And then the references are the phenomenal resources and this could also

00:18:16.460 --> 00:18:18.540
include white papers as you can see here.

00:18:18.540 --> 00:18:23.880
Now, the final thing I'll touch on in the guide is pretty much the topmost

00:18:23.880 --> 00:18:29.260
process that will sort of highlight the principles of testing.

00:18:29.260 --> 00:18:33.080
And you can start off with Chapter 3, for example, that's usually a good

00:18:33.080 --> 00:18:34.600
place to start off.

00:18:34.600 --> 00:18:40.120
And this is more so for web application security professionals and developers.

00:18:40.120 --> 00:18:46.200
But essentially it outlines the secure development process that you can

00:18:46.200 --> 00:18:51.180
implement before you begin developing the web application, so on and so

00:18:51.180 --> 00:18:55.240
forth. And in addition to that, you can also take a look at the resource

00:18:55.240 --> 00:18:57.360
right over here.

00:18:57.360 --> 00:19:01.380
Let me see if I can show you the pen testing methodologies.

00:19:01.380 --> 00:19:05.400
So you can see that they also have other guides like the mobile security

00:19:05.400 --> 00:19:08.700
testing guide and the firmware security testing methodology.

00:19:08.700 --> 00:19:12.960
There's also mention of the penetration testing execution standard and

00:19:12.960 --> 00:19:18.580
it outlines the methodology specified by the penetration testing execution

00:19:18.580 --> 00:19:22.060
standard right over here.

00:19:22.060 --> 00:19:27.880
And you can also take a look at the penetration testing framework.

00:19:27.880 --> 00:19:31.640
So, you know, that's another methodology we didn't explore, but that has

00:19:31.640 --> 00:19:37.680
specific methodologies for different types of pen tests that you're performing.
00:19:37.680 --> 00:19:42.980
So, for example, you know, we can actually take a look at it, but you

00:19:42.980 --> 00:19:44.480
know, this is also highlighted here.

00:19:44.480 --> 00:19:46.280
So it's a phenomenal resource.

00:19:46.280 --> 00:19:50.440
And what you can do just as a final one within the guide here, just to

00:19:50.440 --> 00:19:55.740
sort of solidify what I'm talking about, I pointed out that you need to

00:19:55.740 --> 00:20:00.400
pay attention to the ID because the ID is referenced in the actual checklist

00:20:00.400 --> 00:20:05.880
spreadsheet. So if we take a look at this right over here, reporting, we'll

00:20:05.880 --> 00:20:09.700
be exploring reporting, but if you click on reporting, it pretty much

00:20:09.700 --> 00:20:15.520
highlights how to go about submitting a report and this or how to create

00:20:15.520 --> 00:20:20.640
a report. So, you know, version control, table of contents, the team,

00:20:20.640 --> 00:20:24.120
the scope, the limitations, the timeline, the disclaimer, the executive

00:20:24.120 --> 00:20:28.740
summary, how to structure your findings, which is pretty cool if you ask

00:20:28.740 --> 00:20:33.300
me. And there's also other, you know, references to other resources that

00:20:33.300 --> 00:20:37.120
you can use. And there's also an appendix right over here.

00:20:37.120 --> 00:20:40.580
And the testing tools resource, it highlights, you know, all the tools

00:20:40.580 --> 00:20:45.340
mentioned within all of the tests, like ZAP, Burp Suite, Burp Proxy for

00:20:45.340 --> 00:20:49.260
your browser, Firefox, Tamper Data.
00:20:49.260 --> 00:20:53.300
We also have the cookie editor and then testing for specific vulnerabilities,

00:20:53.300 --> 00:20:59.440
like in this particular case, you know, utilizing sqlmap in this case,

00:20:59.440 --> 00:21:03.940
the actual tool and so on and so forth and then gives you, you know, commercial

00:21:03.940 --> 00:21:06.880
black box testing tools that you can take a look at.

00:21:06.880 --> 00:21:10.120
So point is, this is really, really comprehensive.

00:21:10.120 --> 00:21:15.900
Now, what I wanted to highlight specifically is the actual checklist,

00:21:15.900 --> 00:21:19.160
right? And you can find the checklist by going back to the actual homepage

00:21:19.160 --> 00:21:24.220
here for the Web Security Testing Guide and going into the GitHub repository.

00:21:24.220 --> 00:21:26.160
That's the home of the project.

00:21:26.160 --> 00:21:29.300
And once you're in here, you can see that, you know, it's pretty much,

00:21:29.300 --> 00:21:35.260
it just gives you a similar description and it will also highlight the same

00:21:35.260 --> 00:21:39.320
information that is highlighted on the actual main project page.

00:21:39.320 --> 00:21:45.020
But you may be asking yourself, where can I find this, this promised checklist?

00:21:45.020 --> 00:21:49.140
Well, you can find that under the checklist folder right over here.

00:21:49.140 --> 00:21:54.100
And that's going to be an Excel sheet that corresponds to the latest version

00:21:54.100 --> 00:21:56.340
of the Security Testing Guide.

00:21:56.340 --> 00:22:00.360
All right. And as it'll say right over here, that contained in this folder

00:22:00.360 --> 00:22:03.400
is an Excel file, which provides the following worksheets.

00:22:03.400 --> 00:22:07.640
There is a testing checklist, which facilitates simple progress tracking

00:22:07.640 --> 00:22:10.000
against each of the tests outlined in the guide.
00:22:10.000 --> 00:22:14.620
There's also summary findings, which facilitates creating a table of test

00:22:14.620 --> 00:22:16.400
outcomes and potential recommendations.

00:22:16.400 --> 00:22:20.940
There is the really cool risk assessment calculator, which is a drop-down

00:22:20.940 --> 00:22:25.840
driven sheet for calculating likelihood and impact scores and qualitative

00:22:25.840 --> 00:22:32.020
overall risk rating specifically to do with business impact.

00:22:32.020 --> 00:22:37.640
Because when performing the test, it would be business specific or environment

00:22:37.640 --> 00:22:40.700
specific and then references.

00:22:40.700 --> 00:22:44.640
And you can see that it's based on, and this is very important, it's based

00:22:44.640 --> 00:22:48.300
on version 4.2 of the OWASP testing guide.

00:22:48.300 --> 00:22:54.000
And this particular checklist is also available in Markdown format and

00:22:54.000 --> 00:22:56.600
in Google Sheets as well.

00:22:56.600 --> 00:22:59.720
What I'm going to be taking a look at is the Excel format.

00:22:59.720 --> 00:23:00.900
So I've already downloaded it.

00:23:00.900 --> 00:23:05.800
Let me just open it up and we'll then go through how to use it.

00:23:05.800 --> 00:23:11.540
All right. So I have just opened up the official OWASP testing guide version

00:23:11.540 --> 00:23:16.940
4.2 checklist. And as it said within the GitHub repository, you're going

00:23:16.940 --> 00:23:22.480
to be presented with multiple sheets, primarily this, the testing checklist.

00:23:22.480 --> 00:23:26.520
The summary findings shall give you a table, which is very useful for

00:23:26.520 --> 00:23:30.320
reporting, the risk assessment calculator, which I'll show you how to use

00:23:30.320 --> 00:23:32.440
as well as references.

00:23:32.440 --> 00:23:36.280
All right.
So within the testing checklist, this is where all the magic 0:23:36.280000 --> 0:23:38.440000 happens and what I really wanted to show you. 0:23:38.440000 --> 0:23:43.580000 So if you remember, when we're referring to the guide, we could see that 0:23:43.580000 --> 0:23:47.000000 it had an ID and this is where, you know, within the checklist, there 0:23:47.000000 --> 0:23:50.860000 is a direct corresponding link to that particular test referenced 0:23:50.860000 --> 0:23:54.940000 and its ID. So you can always go back to the testing guide if it's the 0:23:54.940000 --> 0:23:58.480000 correct version you're using and you'll be able to see the, you know, 0:23:58.480000 --> 0:24:04.880000 the actual, the same ID and the same test name under its appropriate section. 0:24:04.880000 --> 0:24:10.280000 So we have information gathering, configuration and deployment management 0:24:10.280000 --> 0:24:14.500000 testing, identity management testing, authentication testing, so on and 0:24:14.500000 --> 0:24:18.860000 so forth, pretty much a match or a like for like match in terms of what 0:24:18.860000 --> 0:24:20.660000 was in the guide and how it's structured. 0:24:20.660000 --> 0:24:25.660000 Now, the cool thing here is that it pretty much gives you a really 0:24:25.660000 --> 0:24:29.640000 cool way of going about performing this, because imagine if I'm performing 0:24:29.640000 --> 0:24:33.300000 a web app pen test here, well, you know, I may not want to do this right 0:24:33.300000 --> 0:24:38.080000 over here. Like, for example, these, these particular tests, I can just 0:24:38.080000 --> 0:24:42.460000 ignore them and I'll show you how I typically do it based on the objectives 0:24:42.460000 --> 0:24:45.560000 and the scope agreed on with my, with my client. 
0:24:45.560000 --> 0:24:48.860000 But even with a bug bounty test, this is sort of a great way of making 0:24:48.860000 --> 0:24:53.960000 sure that you are performing the most thorough test on the web application. 0:24:53.960000 --> 0:24:56.540000 So, for example, I could start off here. 0:24:56.540000 --> 0:24:59.460000 It says, conduct search engine discovery, reconnaissance for information 0:24:59.460000 --> 0:25:05.040000 leakage. Okay, I can identify, I can then refer back to the actual guide 0:25:05.040000 --> 0:25:06.840000 if I wanted to learn more. 0:25:06.840000 --> 0:25:10.160000 But if I'm experienced, I can say, I can then play around with the status 0:25:10.160000 --> 0:25:16.180000 here. So, I can say this is currently, this was successful. 0:25:16.180000 --> 0:25:19.920000 And then I can provide some notes based on what I found. 0:25:19.920000 --> 0:25:22.220000 I can attach links to resources. 0:25:22.220000 --> 0:25:26.220000 And you can do this for pretty much all pen tests that you're doing. 0:25:26.220000 --> 0:25:30.080000 You can create a new sheet or, you know, just duplicate the same sheet. 0:25:30.080000 --> 0:25:32.940000 And then, you know, I can go maybe here, fingerprint web server. 0:25:32.940000 --> 0:25:35.860000 That was successful. 0:25:35.860000 --> 0:25:37.700000 Review web server, meta files. 0:25:37.700000 --> 0:25:41.460000 This is specifically, you know, any hidden files or anything like that, 0:25:41.460000 --> 0:25:45.240000 that failed, for example, or we experienced issues. 0:25:45.240000 --> 0:25:47.940000 By the way, you can change the status drop downs. 0:25:47.940000 --> 0:25:49.580000 That's entirely up to you. 0:25:49.580000 --> 0:25:52.220000 And I'll show you what I did in my case. 0:25:52.220000 --> 0:25:53.980000 Enumerate applications. 0:25:53.980000 --> 0:25:57.740000 This one is a pass and, you know, so on and so forth. 
0:25:57.740000 --> 0:26:01.200000 And the point is I can easily refer back to the guide, you know, just 0:26:01.200000 --> 0:26:06.040000 by navigating to the guide and then searching for the, the actual ID here. 0:26:06.040000 --> 0:26:12.620000 So WSTG-INFO-03. And the reason why this ID is important is because if 0:26:12.620000 --> 0:26:16.160000 you highlight it in the report, let's say you said, you say that, you 0:26:16.160000 --> 0:26:21.520000 know, you performed, you know, some, you performed WSTG-INFO-03. 0:26:21.520000 --> 0:26:24.800000 And you say, you know, review web server meta files for information leakage. 0:26:24.800000 --> 0:26:27.820000 You don't even need to add this, but it's good, you know, it's always 0:26:27.820000 --> 0:26:29.080000 good to include it in the report. 0:26:29.080000 --> 0:26:30.860000 But you don't need to add it. 0:26:30.860000 --> 0:26:35.740000 The web developer or the security team will already know what you're talking 0:26:35.740000 --> 0:26:38.780000 about because they can easily just refer to it. 0:26:38.780000 --> 0:26:42.520000 And the only thing ideally you need to do within the report is highlight, 0:26:42.520000 --> 0:26:47.480000 you know, this particular vulnerability or this particular test and what 0:26:47.480000 --> 0:26:50.520000 you found with regards to the web application you're performing the pen 0:26:50.520000 --> 0:26:55.780000 test on. But in terms of information and the fact that this is a really 0:26:55.780000 --> 0:27:01.020000 cool knowledge base that is widely used now within the industry, you can 0:27:01.020000 --> 0:27:04.980000 pretty much just use the IDs to communicate tests or, you know, what you 0:27:04.980000 --> 0:27:09.080000 perform now. The one thing I'd like to point out regarding the tests and 0:27:09.080000 --> 0:27:14.360000 the checklist is by no means am I saying this is the holy grail of methodologies. 
0:27:14.360000 --> 0:27:17.940000 I'm just saying that firstly, it is structured. 0:27:17.940000 --> 0:27:20.720000 Secondly, it is methodological. 0:27:20.720000 --> 0:27:25.540000 Thirdly, it contains very good documentation. 0:27:25.540000 --> 0:27:30.800000 Fourthly, everything is sorted in a way that makes sense. 0:27:30.800000 --> 0:27:35.940000 And lastly, it will introduce you to techniques that you weren't aware 0:27:35.940000 --> 0:27:47.900000 of. For example, let me show you here, like LDAP injection. 0:27:47.900000 --> 0:27:50.240000 I wasn't sure what that was, right? 0:27:50.240000 --> 0:27:54.300000 And as a result of this, I was able to refer to the guide and I was able 0:27:54.300000 --> 0:27:55.460000 to learn more about it. 0:27:55.460000 --> 0:28:00.020000 So how to identify LDAP injection points and then assess or essentially 0:28:00.020000 --> 0:28:03.700000 exploit the upper form LDAP injection. 0:28:03.700000 --> 0:28:09.580000 And again, this sheet can be changed or can be updated or augmented depending 0:28:09.580000 --> 0:28:11.120000 on your own requirements. 0:28:11.120000 --> 0:28:15.060000 And typically what I like doing is after we've agreed on the objectives 0:28:15.060000 --> 0:28:19.060000 and scope. Depending on that, you know, I can say that, okay, this is 0:28:19.060000 --> 0:28:24.140000 all green here, which means it's all good to test right over here. 0:28:24.140000 --> 0:28:28.120000 It doesn't mean that it's passed or I can use something like, you know, 0:28:28.120000 --> 0:28:31.900000 the following accent color, like light blue. 0:28:31.900000 --> 0:28:36.800000 And then all the ones that I'm not going to perform, you know, all the 0:28:36.800000 --> 0:28:39.660000 tests I'm not going to run like these ones, just as an example. 0:28:39.660000 --> 0:28:43.700000 I typically use like a gray shading like so. 
0:28:43.700000 --> 0:28:48.240000 And ideally I could also just hide them here, although that's, I really 0:28:48.240000 --> 0:28:50.940000 don't recommend doing that, but you can just hide them. 0:28:50.940000 --> 0:28:55.120000 And you can, you know, mix and match and play around with this as a basis 0:28:55.120000 --> 0:28:56.180000 for your own methodology. 0:28:56.180000 --> 0:29:00.180000 And that's the point that I wanted to make and where my excitement was 0:29:00.180000 --> 0:29:02.380000 essentially placed. 0:29:02.380000 --> 0:29:04.340000 So that's one aspect, right? 0:29:04.340000 --> 0:29:09.520000 As I said, you can expand and add as many, you can add as many columns 0:29:09.520000 --> 0:29:12.540000 as you want. And I'll show you what my version is. 0:29:12.540000 --> 0:29:16.160000 And then you have the summary findings where you can go ahead and specify 0:29:16.160000 --> 0:29:21.860000 the number of findings here, the vulnerability name. 0:29:21.860000 --> 0:29:27.480000 And again, you can change this, the OTG or the web security testing guide 0:29:27.480000 --> 0:29:34.440000 ID. So in this particular case, WSTG-INPV-05, the affected host or path, 0:29:34.440000 --> 0:29:35.700000 you put in the URL. 0:29:35.700000 --> 0:29:38.120000 So think of this as your log for all your activity. 0:29:38.120000 --> 0:29:41.600000 If you like taking notes when performing pen testing, which is, you know, 0:29:41.600000 --> 0:29:46.280000 what I assume you do, spreadsheets are highly and frequently used. 0:29:46.280000 --> 0:29:52.020000 You then have the impact, the likelihood, the risk, and then the observation, 0:29:52.020000 --> 0:29:53.960000 the implication and then the recommendation. 0:29:53.960000 --> 0:30:02.700000 Now, these three factors here are not really taken from this calculator. 0:30:02.700000 --> 0:30:06.140000 Okay? 
They are taken from what I had highlighted in the introduction to 0:30:06.140000 --> 0:30:12.500000 OWASP video, where the impact, likelihood and risk for specific risks or 0:30:12.500000 --> 0:30:18.060000 vulnerabilities was outlined right over there for you based on the analysis 0:30:18.060000 --> 0:30:22.640000 they did and the data that they received from, you know, participants 0:30:22.640000 --> 0:30:24.960000 who actually sent them data. 0:30:24.960000 --> 0:30:29.120000 So what you need to do now, you know, you can put in your observation, 0:30:29.120000 --> 0:30:32.820000 implication, the recommendation, and then the test ID. 0:30:32.820000 --> 0:30:35.340000 So that's useful for organization. 0:30:35.340000 --> 0:30:41.020000 Now, in terms of the risk assessment calculator, this is where now you 0:30:41.020000 --> 0:30:44.300000 can go ahead and play with the likelihood factors. 0:30:44.300000 --> 0:30:51.520000 And if you remember when I was, when I introduced you to the actual OWASP 0:30:51.520000 --> 0:30:56.960000 top 10, there were two columns that were left blank and were essentially, 0:30:56.960000 --> 0:31:01.680000 you know, the threat agent factors, technical impact factors, the business 0:31:01.680000 --> 0:31:05.000000 impact factors, and the vulnerability factors. 0:31:05.000000 --> 0:31:08.480000 Okay? So for each of these, you're going to have drop downs. 0:31:08.480000 --> 0:31:11.240000 Now, let's say you're trying to calculate likelihood factors. 0:31:11.240000 --> 0:31:15.500000 So you'd essentially get the data contained within the OWASP top 10. 0:31:15.500000 --> 0:31:17.660000 So, you know, skills required. 0:31:17.660000 --> 0:31:23.520000 We can say in this particular case, and this will also, you will be adding 0:31:23.520000 --> 0:31:27.920000 this info based on your assessment as the pen tester. 
0:31:27.920000 --> 0:31:33.360000 So you can say, for example, yeah, you know, this particular vulnerability 0:31:33.360000 --> 0:31:36.640000 just requires some technical skills, okay? 0:31:36.640000 --> 0:31:41.780000 Because it's fairly easy to exploit or to identify. 0:31:41.780000 --> 0:31:43.580000 And then the motive, right? 0:31:43.580000 --> 0:31:45.940000 So what's the possible motive? 0:31:45.940000 --> 0:31:50.820000 You know, is it low, no reward, possible reward, high reward, possible 0:31:50.820000 --> 0:31:55.300000 reward? In terms of the opportunity, we can click on it here. 0:31:55.300000 --> 0:32:00.760000 This refers to, you know, if we take a look at the examples, full access 0:32:00.760000 --> 0:32:05.000000 or expensive resources required, essentially referring to, you know, whether 0:32:05.000000 --> 0:32:07.840000 any specific resources are required. 0:32:07.840000 --> 0:32:13.580000 So in this case, we can say no access or resources required apart from, 0:32:13.580000 --> 0:32:18.500000 you know, apart from just having some technical skills. 0:32:18.500000 --> 0:32:23.100000 In terms of the population size, by the way, you can always take a look 0:32:23.100000 --> 0:32:26.120000 at the actual reference point there, which I'll show you where you can 0:32:26.120000 --> 0:32:29.480000 find for the risk assessment calculator. 0:32:29.480000 --> 0:32:35.180000 But we can say this will affect, this is asking you, you know, what is 0:32:35.180000 --> 0:32:40.160000 the affected population in terms of the actual organization users with 0:32:40.160000 --> 0:32:43.160000 regards to the depth of the attack and the scale of the attacks. 0:32:43.160000 --> 0:32:50.780000 So we can say this will affect, let's say, anonymous internet users, okay? 0:32:50.780000 --> 0:33:00.120000 Now, vulnerability factors, ease of discovery, we can set that to automated 0:33:00.120000 --> 0:33:02.060000 tools available. 
0:33:02.060000 --> 0:33:08.480000 Ease of exploit is easy, the awareness right over here. 0:33:08.480000 --> 0:33:10.980000 This is obviously public knowledge. 0:33:10.980000 --> 0:33:15.220000 I'm just using a sample SQL injection vulnerability. 0:33:15.220000 --> 0:33:20.780000 So again, this is very important that I state this is in relation to a 0:33:20.780000 --> 0:33:27.200000 specific SQL injection vulnerability that we have exploited on the target 0:33:27.200000 --> 0:33:28.860000 web application. 0:33:28.860000 --> 0:33:33.240000 And we're now taking in our experience as web app testers to calculate 0:33:33.240000 --> 0:33:38.220000 the actual likelihood or the risk posed by this particular vulnerability. 0:33:38.220000 --> 0:33:44.400000 Right. And we can say intrusion detection. 0:33:44.400000 --> 0:33:50.180000 This is now more specific for, you know, more specific for the defensive 0:33:50.180000 --> 0:33:55.220000 side, but we can say that in this case, really, there could be potential 0:33:55.220000 --> 0:33:58.700000 logging, but we can say log, logged without review. 0:33:58.700000 --> 0:34:01.520000 Okay, the likelihood score now is seven. 0:34:01.520000 --> 0:34:04.580000 And the impact score is 3.375. 0:34:04.580000 --> 0:34:07.520000 So this section here is for the impact. 0:34:07.520000 --> 0:34:10.960000 So you have technical impact, which you can extrapolate from, you know, 0:34:10.960000 --> 0:34:13.040000 the actual right over here. 0:34:13.040000 --> 0:34:17.100000 So you can see how much data could be disclosed and how sensitive it is. 0:34:17.100000 --> 0:34:21.520000 In this case, because it's SQL injection, we can say extensive critical 0:34:21.520000 --> 0:34:25.380000 data. Loss of integrity. 0:34:25.380000 --> 0:34:29.400000 Yes, that's very high. Loss of availability. 0:34:29.400000 --> 0:34:31.360000 We can say not really. 0:34:31.360000 --> 0:34:32.740000 So you can say minimal. 
0:34:32.740000 --> 0:34:36.880000 Actually, a SQL injection is a little bit more than that. 0:34:36.880000 --> 0:34:41.700000 We can say extensive primary services because the attacker could potentially 0:34:41.700000 --> 0:34:45.020000 delete tables from the database. Loss of accountability. 0:34:45.020000 --> 0:34:52.200000 Are the threat agents' actions traceable to an individual? 0:34:52.200000 --> 0:34:56.840000 No, attack completely anonymous. Financial damage. 0:34:56.840000 --> 0:35:04.820000 We can say this will have a significant effect. 0:35:04.820000 --> 0:35:07.480000 We then have the reputation damage. 0:35:07.480000 --> 0:35:14.380000 This could lead to, you know, the loss of major accounts, I would say. 0:35:14.380000 --> 0:35:21.740000 And then the noncompliance, we can say that this is a high profile violation. 0:35:21.740000 --> 0:35:23.260000 You can always refer to the notes here. 0:35:23.260000 --> 0:35:27.340000 So how much exposure does the noncompliance introduce? 0:35:27.340000 --> 0:35:30.280000 Privacy violation. 0:35:30.280000 --> 0:35:33.000000 Thousands of people, let's say. 0:35:33.000000 --> 0:35:36.280000 So you know, with the likelihood score and impact score, the overall risk 0:35:36.280000 --> 0:35:37.660000 severity is critical. 0:35:37.660000 --> 0:35:42.120000 Just for that one, that one test that we had run, which was a SQL injection 0:35:42.120000 --> 0:35:44.340000 vulnerability we discovered. 0:35:44.340000 --> 0:35:49.580000 So based on how you're able to find and exploit the vulnerability and 0:35:49.580000 --> 0:35:53.760000 what comes after the post exploitation, you can go and say, yeah, this 0:35:53.760000 --> 0:35:55.760000 was fairly easy to do. 0:35:55.760000 --> 0:35:58.660000 In terms of the motive, why would someone do this? 0:35:58.660000 --> 0:36:01.540000 There's a possible, you know, reward, obviously. 
0:36:01.540000 --> 0:36:05.000000 It'll probably be, you know, a high reward given that if you're doing 0:36:05.000000 --> 0:36:09.080000 SQL injection is, you know, to, you know, an attacker would do it to exfiltrate 0:36:09.080000 --> 0:36:10.400000 data or to damage data. 0:36:10.400000 --> 0:36:16.440000 In terms of the opportunity, you know, we can say that no access or resources 0:36:16.440000 --> 0:36:19.600000 were required really apart from just some tools. 0:36:19.600000 --> 0:36:25.520000 Population, you know, this would affect pretty much, in this case, anonymous 0:36:25.520000 --> 0:36:28.720000 internet users, and you get the idea. 0:36:28.720000 --> 0:36:31.740000 And then you can also take a look at this right over here, the impact 0:36:31.740000 --> 0:36:35.460000 matrix, which is against, you know, impact and likelihood. 0:36:35.460000 --> 0:36:39.160000 So in this particular case, we can see that here. 0:36:39.160000 --> 0:36:43.240000 And the overall risk severity is set to critical. 0:36:43.240000 --> 0:36:46.540000 So this is really cool because you can include it in your report and we're 0:36:46.540000 --> 0:36:50.140000 going to take a look at how to include this information in your report 0:36:50.140000 --> 0:36:55.200000 as we progress. So that concludes this first section. 0:36:55.200000 --> 0:36:59.120000 Now, I mentioned that I've created my own spreadsheet with just a few 0:36:59.120000 --> 0:37:01.800000 added improvements for web app pen testers. 0:37:01.800000 --> 0:37:03.860000 So let me switch over to my version. 0:37:03.860000 --> 0:37:06.860000 All right. So this is the one that I developed. 0:37:06.860000 --> 0:37:12.620000 Now, please note that this one is designed or I built it for the Web Security 0:37:12.620000 --> 0:37:15.660000 Testing Guide version 4.0. 0:37:15.660000 --> 0:37:21.720000 So it does not apply to 4.2 or even 4.1 with regards to the Web Security 0:37:21.720000 --> 0:37:23.920000 Testing Guide ID here. 
0:37:23.920000 --> 0:37:27.560000 But one of the first things you'll notice is that I've broken down each 0:37:27.560000 --> 0:37:33.200000 section or each category or each phase of the methodology into its own 0:37:33.200000 --> 0:37:37.620000 page. And this is how I typically like doing it because, you know, I can 0:37:37.620000 --> 0:37:48.100000 rename it to the actual name or the actual WSTG ID, but more so the what 0:37:48.100000 --> 0:37:53.840000 comes after the prefix WSTG, which is, you know, the type of tests, like 0:37:53.840000 --> 0:37:57.780000 in this case, configuration and deployment management testing, which refers 0:37:57.780000 --> 0:38:04.180000 directly or points directly to that particular configuration here. 0:38:04.180000 --> 0:38:08.580000 And this has been hyperlinked to the actual online guide in my particular 0:38:08.580000 --> 0:38:13.720000 case. And right over here, you can see that you have the test name. 0:38:13.720000 --> 0:38:15.040000 So I haven't changed that. 0:38:15.040000 --> 0:38:16.540000 There's also the description. 0:38:16.540000 --> 0:38:20.900000 But what I've added now is the actual tools that you can use as a web 0:38:20.900000 --> 0:38:27.020000 app pen tester to test this particular, to perform this test or tests. 0:38:27.020000 --> 0:38:31.200000 So I also have the CWE right over here. 0:38:31.200000 --> 0:38:36.240000 And then I've also added a column for the results, which in my case was 0:38:36.240000 --> 0:38:40.800000 just very simple, whether, you know, it was a pass or whether there was 0:38:40.800000 --> 0:38:44.080000 an issue. So if it's an issue, it's now color coded in red. 0:38:44.080000 --> 0:38:46.400000 If it's a pass, it's in green, which I like. 0:38:46.400000 --> 0:38:49.520000 And then the affected item or the affected system. 0:38:49.520000 --> 0:38:52.120000 And then for the status, you know, that can be changed. 
0:38:52.120000 --> 0:38:55.260000 And I also added a reference right over here. 0:38:55.260000 --> 0:38:58.280000 But that can be customized to your own liking. 0:38:58.280000 --> 0:39:02.720000 So for example, you know, in the case of testing for file extensions handling 0:39:02.720000 --> 0:39:07.620000 for sensitive information, you can see right over here the tools to use 0:39:07.620000 --> 0:39:09.800000 are Nikto, dirsearch or ffuf. 0:39:09.800000 --> 0:39:17.080000 I also added a link to the OWASP top 10 2021 in terms of where this falls 0:39:17.080000 --> 0:39:20.520000 in terms of the categories firstly, but also there. 0:39:20.520000 --> 0:39:22.500000 They are the current order. 0:39:22.500000 --> 0:39:26.120000 So you can just say, A1 and then refer to the OWASP top 10 and see where 0:39:26.120000 --> 0:39:30.080000 this falls. And this would be the 2021. 0:39:30.080000 --> 0:39:33.200000 So this would be broken access control. 0:39:33.200000 --> 0:39:37.760000 And that's, you know, just the general sorting and I've done this for. 0:39:37.760000 --> 0:39:43.520000 I've pretty much done this for all of those sections or types of tests 0:39:43.520000 --> 0:39:46.580000 all the way to API testing. 0:39:46.580000 --> 0:39:51.960000 And then there's also the web security testing guide sorting in terms 0:39:51.960000 --> 0:39:57.600000 of the different categories or sections and how this aligns to the CWE 0:39:57.600000 --> 0:40:00.620000 right over here or the CWE type. 0:40:00.620000 --> 0:40:04.620000 So, you know, you can see CWE-200, exposure of sensitive information to 0:40:04.620000 --> 0:40:08.080000 an unauthorized actor and all of that good stuff. 0:40:08.080000 --> 0:40:11.480000 The other modification I made. 0:40:11.480000 --> 0:40:14.940000 And again, I'm just giving you an idea as to what you can make this. 0:40:14.940000 --> 0:40:18.620000 This can become a very useful tool for you and even your organization. 
0:40:18.620000 --> 0:40:23.520000 So this is the reporting template in my particular case or the summary 0:40:23.520000 --> 0:40:26.320000 template, if you will, where, you know, I can change the risk, likelihood 0:40:26.320000 --> 0:40:27.580000 and impact here. 0:40:27.580000 --> 0:40:32.420000 The OWASP top 10 mapping, which is very useful in reporting, the observation 0:40:32.420000 --> 0:40:37.300000 and implication, the recommendation and the POC or the proof of concept, 0:40:37.300000 --> 0:40:42.140000 which I call test evidence, which you will most likely include in a report. 0:40:42.140000 --> 0:40:48.100000 So this is what I use for web app pen testing and even bug bounty hunting. 0:40:48.100000 --> 0:40:52.600000 It's very easy this way because I can just start from here and I can, 0:40:52.600000 --> 0:40:55.820000 you know, I can decide what I don't want to do based on the scope, for 0:40:55.820000 --> 0:41:00.020000 example. And then, you know, just go through it sequentially, report what 0:41:00.020000 --> 0:41:04.620000 I'm finding and then assign a risk or calculate the risk fairly easily. 0:41:04.620000 --> 0:41:08.360000 So again, in my case, the calculator is just, you know, just has a border 0:41:08.360000 --> 0:41:12.240000 around it and, you know, just makes it better to look at. 0:41:12.240000 --> 0:41:17.600000 And in terms of the actual dropdowns here, what I've added here or changed 0:41:17.600000 --> 0:41:21.240000 is the actual addition of security penetration skills. 0:41:21.240000 --> 0:41:24.940000 And you can see the motive here that stays the same. 0:41:24.940000 --> 0:41:28.080000 We take a look at the opportunity that stays the same. 0:41:28.080000 --> 0:41:32.020000 What we've added here, in terms of the changes, let me see if I can remember. 0:41:32.020000 --> 0:41:35.520000 There we are, so ease of discover, ease of discovery. 0:41:35.520000 --> 0:41:38.360000 I don't think I made any changes there. 
0:41:38.360000 --> 0:41:41.580000 In terms of awareness, nothing made there. 0:41:41.580000 --> 0:41:47.940000 I think I made changes on this side of things where it, at least in my 0:41:47.940000 --> 0:41:49.040000 use case, there we are. 0:41:49.040000 --> 0:41:54.320000 So this is referring to integrity and essentially using terms that would 0:41:54.320000 --> 0:41:56.120000 make sense to a web app pen tester. 0:41:56.120000 --> 0:41:59.020000 So, you know, a corruption of data. 0:41:59.020000 --> 0:42:04.300000 Of course, you don't have to follow my model, but I think here we also 0:42:04.300000 --> 0:42:10.280000 had some modifications to one of these ones and with regards to business 0:42:10.280000 --> 0:42:15.060000 impact. Like, for example, let's see. 0:42:15.060000 --> 0:42:17.300000 I can't remember. 0:42:17.300000 --> 0:42:22.000000 But yeah, I essentially made a couple of modifications and that's my implementation 0:42:22.000000 --> 0:42:27.360000 of the web security testing guide with regards to the actual checklist. 0:42:27.360000 --> 0:42:33.920000 And yeah, you guys can take inspiration from this or I'll possibly add 0:42:33.920000 --> 0:42:37.320000 it as a resource to this particular video so you can access it and then, 0:42:37.320000 --> 0:42:38.500000 you know, take it from there. 0:42:38.500000 --> 0:42:42.300000 But I would highly recommend starting from the base template, which is 0:42:42.300000 --> 0:42:45.900000 the, you know, the base checklist and then building it based on your requirements 0:42:45.900000 --> 0:42:50.960000 because you may not like the format or how I've set up my columns, so 0:42:50.960000 --> 0:42:51.780000 on and so forth. 0:42:51.780000 --> 0:42:54.640000 With that being said, that's going to conclude the practical demo section 0:42:54.640000 --> 0:43:01.660000 of this video. All right, so that was the web security testing guide and 0:43:01.660000 --> 0:43:03.860000 checklist and hopefully you found that useful. 
0:43:03.860000 --> 0:43:08.500000 I hope you'll be using that same checklist throughout this particular 0:43:08.500000 --> 0:43:14.060000 course and will not cost this actual learning path and certification because 0:43:14.060000 --> 0:43:15.360000 it will be useful. 0:43:15.360000 --> 0:43:20.700000 It is also a very useful resource to utilize within the actual exam because 0:43:20.700000 --> 0:43:25.940000 it can help you stay organized and we'll talk a little bit about a little 0:43:25.940000 --> 0:43:31.280000 bit more about documenting your findings and obviously reporting as we 0:43:31.280000 --> 0:43:35.680000 progress. But in the next video, we're going to be touching on pretty 0:43:35.680000 --> 0:43:41.300000 much the actual phases of the pen test that come before the actual engagement 0:43:41.300000 --> 0:43:45.820000 begins and what comes after so that is pre engagement. 0:43:45.820000 --> 0:43:50.400000 And we'll then talk about reporting and that will conclude the course. 0:43:50.400000 --> 0:43:53.900000 The reason why we're using this approach is because if we started from 0:43:53.900000 --> 0:43:57.900000 pre engagement, it would not make much sense because we would then refer 0:43:57.900000 --> 0:44:04.760000 in sort of a. We would refer to elements that we had not yet discussed, 0:44:04.760000 --> 0:44:08.340000 so I wanted to discuss those elements or topics first and then move on 0:44:08.340000 --> 0:44:14.220000 to the actual phases that come before and after a pen test so with that 0:44:14.220000 --> 0:44:17.420000 being said, that's going to be it for this video and I'll be seeing you 0:44:17.420000 --> 0:44:18.540000 in the next video.