Page 41 - Hands-On Bug Hunting for Penetration Testers

Choosing Your Hunting Ground                                                Chapter 2

            The Vulnerability of Web Applications - What You Should Target


            Once you've narrowed down the program you're going to participate in (or maybe you've
            skipped that and are just plowing through random sites, looking for easy pickings), you
            can start evaluating individual applications for testing.

            Doing so requires an understanding of each application's attack surface. As a quick
            refresher, Wikipedia sums it up succinctly:

                 The attack surface of a software environment is the sum of the different points (the attack
                 vectors) where an unauthorized user (the attacker) can try to enter data to or extract data
                 from an environment.

            We'll get into actual Attack Surface Analysis in the next chapter, preparing for an
            engagement, but it helps to have a simple idea of it while evaluating different options.

            Using that definition of an attack surface and understanding that the larger the attack
            surface, the more opportunities there are to discover bugs, means we'll want to look for
            apps that have a lot of entry and exit points for information, ideally ones that are available
            to anonymous or otherwise not-logged-in users. Social media sites, or blogs and forums
            that allow anonymous commenters, are all input-rich environments, where the different
            types of posts, comments, reactions, and so on, provide many different vectors for possibly
            malicious information to enter the system.
            Sites or applications with smaller attack surfaces obviously provide fewer opportunities to
            find vulnerabilities. A completely static site, where a web server is providing the
            HTML/CSS markup with no user data input, and no server-side language is interpreting or
            dynamically creating the site's content, is much more difficult to pentest with the aim of
            successfully discovering vulnerabilities; there are only so many ways the user can affect
            the site.
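            The entry-point counting described above can be made concrete. The following script is an added example (not code from the book): it takes the HTML of a single page and inventories the places where a user can put data into the application, which is the "sum of the different points" the Wikipedia definition refers to. It uses only the Python standard library; the two sample pages are constructed for illustration, and the static/dynamic flag is a crude heuristic based solely on what the markup exposes, not on how the server behaves.

```python
"""Rough attack-surface inventory of one HTML page (added example).

Counts forms, user-writable fields and query parameters carried by
links, then flags pages that expose no way to send data to the server.
The sample pages below are constructed, not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class EntryPointCollector(HTMLParser):
    """Collects <form> elements, their named fields, and parameterised links."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per <form>
        self.param_links = []    # hrefs that carry a query string
        self._current = None     # the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # Hidden fields count too: a user can still tamper with them.
            kind = (a.get("type") or "").lower()
            if a.get("name") and kind not in ("submit", "button", "reset", "image"):
                self._current["fields"].append(a["name"])
        elif tag == "a":
            href = a.get("href") or ""
            qs = parse_qs(urlparse(href).query)
            if qs:
                self.param_links.append({"href": href, "params": sorted(qs)})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inventory(html):
    """Summarise the entry points of one page.

    Returns the number of forms, the total number of named fields, the
    distinct query-parameter names seen in links, how many forms POST,
    and a crude 'static' flag that is true when the markup exposes no
    way at all to send data to the server.
    """
    p = EntryPointCollector()
    p.feed(html)
    p.close()
    fields = sum(len(f["fields"]) for f in p.forms)
    params = sorted({name for link in p.param_links for name in link["params"]})
    return {
        "forms": len(p.forms),
        "fields": fields,
        "query_params": params,
        "post_forms": sum(1 for f in p.forms if f["method"] == "post"),
        "static": not p.forms and not params,
    }


# Constructed sample: a forum-style page with a comment form, a search
# form and links that carry query parameters.
FORUM_PAGE = """
<html><body>
<form method="post" action="/comment">
  <input type="hidden" name="thread_id" value="42">
  <input type="text" name="author">
  <textarea name="body"></textarea>
  <input type="submit" value="Post">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
  <select name="sort"><option>new</option></select>
</form>
<a href="/thread?id=42&page=2">next</a>
<a href="/user?id=7">profile</a>
</body></html>
"""

# Constructed sample: a static brochure page with no forms and no parameters.
STATIC_PAGE = """
<html><body>
<h1>About us</h1>
<a href="/contact.html">Contact</a>
<a href="https://example.com/careers.html">Careers</a>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("forum", FORUM_PAGE), ("static", STATIC_PAGE)):
        print(name, inventory(page))
```

            The script deliberately does not fetch anything; feed it a page you have saved locally. The forum sample reports two forms, five named fields (the hidden thread id included) and the `id` and `page` parameters, while the brochure page reports nothing and is flagged static, which is exactly the contrast the paragraph above draws. Scripted client-side requests (XHR, fetch) and non-HTML endpoints are invisible to a markup-only pass, so treat the static flag as a first cut rather than a verdict.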

            And as discussed briefly earlier in the chapter, web applications, regardless of type, that
            are protected by large security teams, exposed to large user bases, audited actively by other
            researchers, or all three, are the least likely to be fruitful hunting grounds. All of these
            factors combine to create a general portrait of a site's potential: a niche social network with
            a lot of opportunities for users to interact with the site and each other, created by a small
            startup, will be an easier target than a static site hosted on an Amazon S3 bucket, where
            there are no opportunities for user input and the security of the service is managed by a
            large, dedicated team.
