A lot of useful information about a site's functionality and content is available publicly, outside the site itself. It can be reached through search engines and their cached copies, through posts on development forums, or through web archives such as the one at www.archive.org.
To use search engines effectively, use their special search operators. With Google, for example:
site:www.theExploredSite returns every page of that site that Google has indexed.
site:www.theExploredSite login returns the indexed pages of that site that contain the word "login".
link:www.theExploredSite used to return pages on other sites that link to the target; Google has since retired this operator, so a backlink tool has to be used instead.
related:www.theExploredSite returns similar web pages.
Another valuable source of information is special-purpose search engines that embed some intelligence dedicated to retrieving a specific type of information. Melissa Data, for example, can be used free of charge to gather information on the people associated with a target web application; this kind of information is sometimes worth more to an attacker than technical details. Enriching such results with a freely available tool such as Maltego is hard to resist: Maltego visualizes the relationships among people, organizations, web sites and Internet infrastructure, and can find affiliations between components within an organization. Starting from something as simple as a domain name or an IP address, it queries publicly available records to discover connections.
Use web server vulnerabilities:
Much of the software commonly found on web servers is deployed with its default configuration, folder structure and file locations, which makes those defaults a good place to dig for information.
A brute-force approach is also used to check a known set of third-party applications and web server modules for vulnerabilities; Wikto (SensePost's Windows tool built on the Nikto checks) is a good tool for that purpose.
Mapping parameters:
Parameters can sometimes be mapped directly, when they are sent in the query string, as in:
http://myWebSite/addUser.php?name=sami&mobile=0987655441
If the application uses rewritten URLs, where the parameters travel as part of a slash-separated path, try changing or removing each value and assess the response the application generates.
For hidden parameters, guessing is the only way; a typical case is checking for a debug parameter that lets developers test pages and bypass the authentication process.
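The three probing steps above (mutating query-string parameters, mutating path segments of rewritten URLs, and guessing hidden parameters such as debug) can be turned into a small generator that produces the candidate requests and classifies their responses against a baseline. The following is an added example, not code from the original post; the host myWebSite, the short guess list, the probe values and the sample responses are all constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Names worth guessing for hidden parameters. This is a constructed, short
# wordlist for the demo; a real engagement uses a much longer one.
HIDDEN_GUESSES = ("debug", "test", "admin")


def _with_query(parts, params):
    """Rebuild the URL in `parts` with a new list of (name, value) pairs."""
    return urlunsplit(parts._replace(query=urlencode(params)))


def query_mutations(url):
    """Each query-string parameter is in turn removed and then emptied.
    Returns (kind, parameter, mutated_url) tuples."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    out = []
    for i, (name, _value) in enumerate(params):
        rest = params[:i] + params[i + 1:]
        out.append(("remove", name, _with_query(parts, rest)))
        out.append(("empty", name, _with_query(parts, params[:i] + [(name, "")] + params[i + 1:])))
    return out


def path_mutations(url, probe="0"):
    """For rewritten URLs (values carried in the path), each slash-separated
    segment is in turn removed and then replaced by `probe`."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    out = []
    for i, seg in enumerate(segs):
        removed = "/" + "/".join(segs[:i] + segs[i + 1:])
        replaced = "/" + "/".join(segs[:i] + [probe] + segs[i + 1:])
        out.append(("remove", seg, urlunsplit(parts._replace(path=removed))))
        out.append(("replace", seg, urlunsplit(parts._replace(path=replaced))))
    return out


def hidden_param_candidates(url, guesses=HIDDEN_GUESSES, value="1"):
    """Append each guessed parameter name (with a true-ish value) to the query,
    skipping names the URL already carries."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    present = {name for name, _ in params}
    return [("guess", g, _with_query(parts, params + [(g, value)]))
            for g in guesses if g not in present]


def assess(baseline, probe):
    """Classify a probe response (status, body) against the baseline response.
    A changed status or body means the server acted on the mutation."""
    b_status, b_body = baseline
    p_status, p_body = probe
    if p_status != b_status:
        return "status-changed"   # handled server-side: error page, redirect, etc.
    if p_body == b_body:
        return "unchanged"        # the parameter is most likely ignored
    return "body-changed"         # worth a closer look: diff the two bodies


if __name__ == "__main__":
    url = "http://myWebSite/addUser.php?name=sami&mobile=0987655441"
    # Constructed responses standing in for what a real server would return.
    baseline = (200, "User sami added")
    responses = {
        "http://myWebSite/addUser.php?mobile=0987655441": (500, "Undefined index: name"),
        "http://myWebSite/addUser.php?name=sami&mobile=0987655441&debug=1":
            (200, "User sami added\nSQL: INSERT INTO users ..."),
    }
    for kind, name, candidate in query_mutations(url) + hidden_param_candidates(url):
        verdict = assess(baseline, responses.get(candidate, baseline))
        print(f"{kind:7} {name:7} {verdict:15} {candidate}")
    for kind, seg, candidate in path_mutations("http://myWebSite/user/sami/0987655441"):
        print(f"{kind:7} {seg:12} {candidate}")
```

In practice the candidates are sent through the same proxy or HTTP client used for the rest of the mapping, and the "status-changed" and "body-changed" verdicts are the ones that go into the notes, because they show which parameters the server actually reads.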
Documenting your findings:
When mapping and profiling the application you will collect a lot of information, especially if you use multiple tools and approaches. Organizing your results and deciding which are relevant is very important if you are to analyze that information later on.
Matrices and charts can be very helpful.
Diagrams representing the web site are also essential for understanding its different functionalities. It is preferable to give different colours to static and dynamic pages, where static pages are those that involve no server-side executable content, such as files with the html extension.
Include in the diagram the structure of the web site together with the parameters passed to each page.
Other information that should be documented in addition to the page information: the directory structure, common file extensions, any content that depends on a plugin (Flash, Silverlight) or on the Java virtual machine (applets), and the common cookies and query-string parameters.
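The inventory described above (static versus dynamic pages, plugin content, directory structure, file extensions, cookies and the page-by-parameter matrix) can be built mechanically from the URLs and cookie names recorded by a proxy or crawler during mapping. The following is an added example, not code from the original post; the observation list, the host myWebSite and the extension classes are constructed assumptions for the demonstration.

```python
import posixpath
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Extension classes used to colour the site diagram. Static content involves no
# server-side execution; dynamic content does. The sets are illustrative.
STATIC_EXT = {"html", "htm", "css", "js", "png", "jpg", "gif", "txt", "pdf"}
DYNAMIC_EXT = {"php", "asp", "aspx", "jsp", "do", "cgi", "pl", "py", "rb"}
PLUGIN_EXT = {"swf": "Flash", "xap": "Silverlight", "jar": "Java applet", "class": "Java applet"}

# Constructed observations: (URL requested, cookie names set in the response).
# Not real data; this stands in for a proxy log captured while mapping.
OBSERVED = [
    ("http://myWebSite/index.html", []),
    ("http://myWebSite/addUser.php?name=sami&mobile=0987655441", ["PHPSESSID"]),
    ("http://myWebSite/addUser.php?name=ali&mobile=0912345678&debug=1", ["PHPSESSID"]),
    ("http://myWebSite/admin/login.php?next=/admin/", ["PHPSESSID", "admin_pref"]),
    ("http://myWebSite/media/player.swf", []),
    ("http://myWebSite/user/sami/0987655441", ["PHPSESSID"]),
    ("http://myWebSite/css/site.css", []),
]


def classify_path(path):
    """Static, dynamic, plugin:<name> or unknown, judged from the extension."""
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    if ext in PLUGIN_EXT:
        return "plugin:" + PLUGIN_EXT[ext]
    if ext in STATIC_EXT:
        return "static"
    if ext in DYNAMIC_EXT or ext == "":
        # Extensionless paths are usually rewritten routes, so treat them as dynamic.
        return "dynamic"
    return "unknown"


def ancestors(path):
    """All directories above a path, e.g. /user/sami/1 -> {/user/sami, /user, /}."""
    dirs, d = set(), posixpath.dirname(path)
    while True:
        dirs.add(d)
        if d == "/":
            return dirs
        d = posixpath.dirname(d)


def build_profile(observed):
    """Aggregate per-page parameters/cookies plus site-wide directory, extension,
    parameter and cookie statistics from (url, cookie_names) observations."""
    pages, dirs = {}, set()
    exts, params, cookies = Counter(), Counter(), Counter()
    for url, cookie_names in observed:
        parts = urlsplit(url)
        path = parts.path or "/"
        page = pages.setdefault(path, {"kind": classify_path(path), "params": set(), "cookies": set()})
        names = [n for n, _ in parse_qsl(parts.query, keep_blank_values=True)]
        page["params"].update(names)
        page["cookies"].update(cookie_names)
        params.update(names)
        cookies.update(cookie_names)
        dirs.update(ancestors(path))
    for path in pages:  # count extensions once per distinct page
        exts[posixpath.splitext(path)[1].lstrip(".").lower() or "(none)"] += 1
    return {"pages": pages, "directories": sorted(dirs), "extensions": exts,
            "parameters": params, "cookies": cookies}


def parameter_matrix(profile):
    """Page x parameter matrix as plain text, the kind of table worth keeping in notes."""
    cols = sorted(profile["parameters"])
    rows = [["page", "kind"] + cols]
    for path, info in sorted(profile["pages"].items()):
        rows.append([path, info["kind"]] + ["x" if c in info["params"] else "-" for c in cols])
    widths = [max(len(r[i]) for r in rows) for i in range(len(rows[0]))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    prof = build_profile(OBSERVED)
    print(parameter_matrix(prof))
    print("directories:", prof["directories"])
    print("extensions:", dict(prof["extensions"]))
    print("cookies:", dict(prof["cookies"]))
```

The matrix gives the page-versus-parameter view that the diagram should carry, and the kind column is what drives the static/dynamic colouring; the plugin entries are the ones that need a decompiler or a separate client-side review rather than the normal page analysis.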