1
00:00:10,550 --> 00:00:17,690
Let us conclude this section by discussing the web application penetration testing methodology. We

2
00:00:17,690 --> 00:00:23,240
have seen different types of attacks, but how do we carry them out, and in what steps should we use these attacks

3
00:00:23,600 --> 00:00:25,970
to perform a proper penetration test?

4
00:00:27,320 --> 00:00:34,460
Now, web application pen testing is used to identify, analyze and report vulnerabilities such as input

5
00:00:34,460 --> 00:00:41,720
validation, buffer overflow, SQL injection, bypassing authentication and code execution in a given

6
00:00:41,720 --> 00:00:42,370
application.

7
00:00:42,830 --> 00:00:50,330
The best way to conduct a penetration test is to perform a series of methodical and repeatable tests

8
00:00:50,600 --> 00:00:54,440
and to work through all the different application vulnerabilities.

9
00:00:55,310 --> 00:01:00,500
The obvious question is: why do we need web application penetration testing?

10
00:01:01,070 --> 00:01:03,650
First, identification of ports.

11
00:01:03,920 --> 00:01:06,950
Second, remediation of vulnerabilities.

12
00:01:06,950 --> 00:01:09,920
And third, verification of vulnerabilities.

13
00:01:11,780 --> 00:01:16,820
Now we will see the workflow of web application penetration testing.

14
00:01:17,480 --> 00:01:19,480
The first step is to define an objective.

15
00:01:20,090 --> 00:01:23,880
You should define the objective and scope of your penetration test.

16
00:01:24,470 --> 00:01:31,760
The next is the information gathering phase, where you get information related to the target domain or website.

17
00:01:32,600 --> 00:01:39,830
Then there is configuration management testing, authentication testing, authorization testing,

18
00:01:40,310 --> 00:01:41,930
session management testing,

19
00:01:42,530 --> 00:01:50,120
denial-of-service testing, data validation testing, business logic testing, web services testing

20
00:01:50,540 --> 00:01:51,880
and AJAX testing.
21
00:01:52,220 --> 00:01:57,310
And then finally, you have to document all these findings and prepare a report.

22
00:01:58,630 --> 00:02:02,860
Now, let us see how to perform information gathering in penetration testing.

23
00:02:04,570 --> 00:02:12,160
First, analyze the robots.txt file, which lists allowed and disallowed directories. Retrieve

24
00:02:12,160 --> 00:02:22,990
and analyze the robots.txt file using tools such as GNU Wget, then use the advanced site: search operator

25
00:02:22,990 --> 00:02:30,070
and click "Cached" to perform search engine reconnaissance. Use different types of search engines like Shodan,

26
00:02:30,310 --> 00:02:36,010
Doctor, Google and others to perform the footprinting of the application.

27
00:02:37,150 --> 00:02:44,820
The next is to identify application entry points. Identify application entry points using tools such as

28
00:02:44,920 --> 00:02:47,860
WebScarab, Burp Suite or OWASP

29
00:02:47,860 --> 00:02:54,960
ZAP, or Tamper Data for Firefox. Then the next is to identify the web applications.

30
00:02:54,970 --> 00:03:01,240
That is, perform dictionary-style searching or vulnerability scanning

31
00:03:01,240 --> 00:03:03,670
using tools such as Nmap for analysis.

32
00:03:04,630 --> 00:03:12,520
Implement techniques such as DNS zone transfers, DNS inverse queries, web-based DNS searches, Google

33
00:03:12,520 --> 00:03:21,190
Dorking and others. Analyze error codes by requesting invalid pages and utilize alternate request methods

34
00:03:21,490 --> 00:03:25,060
in order to collect confidential information from the server.

35
00:03:26,050 --> 00:03:31,300
Examine the source code of the accessible pages of the application front end.

36
00:03:32,170 --> 00:03:39,190
Test for recognized file types, extensions and directories by requesting common file extensions such as

37
00:03:39,490 --> 00:03:48,430
.asp, .html, .php and .exe, and watch for any unusual output or error codes.
38
00:03:49,640 --> 00:03:56,010
Perform TCP/ICMP and service fingerprinting using traditional fingerprinting tools such as Nmap.

39
00:03:57,760 --> 00:04:06,880
Use information gathering tools like theHarvester, Oystein, defraying and Maltego to gather as much

40
00:04:06,880 --> 00:04:08,690
information as possible.

41
00:04:09,460 --> 00:04:15,880
Next is to find out the server-side technology that is being deployed by the web application, using BuiltWith,

42
00:04:15,880 --> 00:04:18,220
the Web Archive and others.

43
00:04:18,940 --> 00:04:24,020
Then you can find domains and subdomains using the online tools or DNSdumpster.

44
00:04:24,610 --> 00:04:29,980
Do not forget to document all these findings after the information gathering phase.

45
00:04:31,820 --> 00:04:41,270
Next comes authentication testing. In this, try to reset passwords by guessing, social engineering or cracking

46
00:04:41,270 --> 00:04:43,430
secret questions. Check

47
00:04:43,430 --> 00:04:50,120
if a "Remember my password" mechanism is implemented by checking the HTML code of the login page.

48
00:04:51,170 --> 00:04:55,170
Check if it is possible to reuse a session after logout.

49
00:04:55,820 --> 00:05:03,410
Also, check if the application automatically logs out a user when that user has been idle for

50
00:05:03,410 --> 00:05:08,870
a certain amount of time, and that no sensitive data remains stored in the browser cache.

51
00:05:09,850 --> 00:05:16,950
Identify all the parameters that are sent in addition to the decoded CAPTCHA value from the client to

52
00:05:16,950 --> 00:05:25,250
the server, and then try to send an old decoded CAPTCHA value with an old CAPTCHA ID of an old session

53
00:05:25,260 --> 00:05:25,610
ID.
54
00:05:27,180 --> 00:05:33,210
Check if users hold a hardware device of some kind in addition to the password. Check if the hardware

55
00:05:33,210 --> 00:05:39,600
device communicates directly and independently with the authentication infrastructure using an additional

56
00:05:39,600 --> 00:05:40,710
communication channel.

57
00:05:41,580 --> 00:05:47,850
And finally, to test for a race condition, make multiple simultaneous requests while observing

58
00:05:47,850 --> 00:05:55,680
the outcome for unexpected behavior, perform a code review, and then finally document all the findings.

59
00:05:57,010 --> 00:05:59,470
Next is session management testing.

60
00:06:01,140 --> 00:06:07,740
Collect a sufficient number of cookie samples, analyze the cookie generation algorithm and forge a valid

61
00:06:07,740 --> 00:06:10,760
cookie in order to perform the attack.

62
00:06:11,930 --> 00:06:20,490
Test for cookie attributes using intercepting proxies such as WebScarab, Burp Suite or ZAP, or

63
00:06:20,510 --> 00:06:22,550
traffic intercepting browsers.

64
00:06:23,530 --> 00:06:30,460
To test for session fixation, make a request to the site to be tested and then analyze vulnerabilities

65
00:06:30,700 --> 00:06:32,440
using the WebScarab tool.

66
00:06:33,600 --> 00:06:42,120
Test for exposed session variables by inspecting encryption and reuse of session tokens, proxies and

67
00:06:42,120 --> 00:06:42,660
caching.

68
00:06:44,210 --> 00:06:51,020
Examine the URLs in the restricted area to test for cross-site request forgery, that is, CSRF.

69
00:06:52,250 --> 00:06:55,670
Finally, do not forget to document all the findings.

70
00:06:56,630 --> 00:07:06,830
The next is authorization testing. Here, test for path traversal by performing input vector enumeration

71
00:07:06,830 --> 00:07:11,810
and analyzing the input validation functions present in the application.
72
00:07:12,730 --> 00:07:19,060
Test for bypassing the authorization schema by examining the admin functionalities to gain access

73
00:07:19,060 --> 00:07:27,120
to the resources assigned to a different role. Check if an attacker can gain privileges by using privilege

74
00:07:27,120 --> 00:07:34,690
escalation tools and attacks, and also check for parameter tampering vulnerabilities. Finally, do

75
00:07:34,690 --> 00:07:35,590
not forget to

76
00:07:35,650 --> 00:07:37,420
document all the findings.

77
00:07:39,410 --> 00:07:47,120
So this was the perfect method of how to carry out a penetration test. If you are more interested in

78
00:07:47,120 --> 00:07:54,080
knowing more, I have attached a book on web application testing; you can refer to that. It is really a long book of,

79
00:07:54,650 --> 00:08:03,010
I guess, 800 or 900 pages, but it really covers web application penetration testing in great detail,

80
00:08:03,080 --> 00:08:06,800
and most other security experts refer to that book.

81
00:08:07,190 --> 00:08:12,920
So do not forget to write a review for our course if you are really liking our course.

82
00:08:13,250 --> 00:08:21,260
Please do not forget to leave a review, as it will really help us to create more courses and add different

83
00:08:21,740 --> 00:08:27,350
lectures to this interesting ethical hacking course.

84
00:08:27,710 --> 00:08:35,780
So do not forget to like the video, and please share a review and share your experience through

85
00:08:36,770 --> 00:08:37,730
the review option.

86
00:08:38,180 --> 00:08:44,750
I will see you in the next lecture, where we are going to discuss the preventive measures that we can

87
00:08:44,750 --> 00:08:48,430
take to prevent a web application from facing an attack.