Page 42 - Hands-On Bug Hunting for Penetration Testers
Choosing Your Hunting Ground Chapter 2
With the concept of an application's attack surface in mind, some areas make for natural
points of interest. OWASP categorizes the different types of attack points to help better
model a site's risk:

- Admin interfaces
- Inquiries and search functions
- Data-entry (CRUD) forms
- Business workflows
- Transactional interfaces/APIs
- Operational command and monitoring interfaces/APIs
- Interfaces with other applications/systems

And of course many other actions that allow for user input. These are all opportunities to
check for poor data-handling techniques and mishandled sanitization procedures.
As the web becomes more mature, applications become entangled in dependencies and
subsidiary services. Those points of contact, the APIs, are also great weak points to probe in
any engagement. A slightly different set of techniques is required than when testing through the
UI of an application. For example, while testing an application's UI, you might look for an
instance of frontend validation that isn't properly enforced by backend services, where you
can circumvent the frontend checks or use different encodings to bypass security measures.
That technique isn't as applicable to a public API that receives considerable traffic and is
designed to be an exposed ingress layer; although it's still susceptible to vulnerabilities,
they probably won't be as simple as encoding issues.
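As an added illustration of the frontend-versus-backend validation point above (example code written for this edit, not from the book): a hypothetical backend username check that validates the raw, still-encoded parameter, placed beside one that canonicalizes first and then enforces an allow-list. The field name, regex and sample inputs are assumptions.

```javascript
// Added example (not from the book). Hypothetical allow-list for a "username"
// parameter: 3-20 ASCII letters, digits or underscores.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;

// Weak pattern: the check runs on the undecoded query value, so a percent-encoded
// form of a denylisted character passes and is only decoded further downstream.
// This is the kind of frontend/backend mismatch the text describes.
function weakValidate(rawParam) {
  const ok = !/[<>"']/.test(rawParam); // denylist applied before decoding
  return { ok, value: ok ? decodeURIComponent(rawParam) : null };
}

// Canonicalize before validating: percent-decode until the value stops changing
// (covers double encoding), reject malformed escapes, then apply Unicode NFKC so
// compatibility forms (e.g. fullwidth letters) collapse to their ASCII equivalents.
function canonicalize(raw) {
  let value = String(raw);
  for (let i = 0; i < 5; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(value);
    } catch (e) {
      return null; // malformed percent-escape: treat as invalid input
    }
    if (decoded === value) break;
    value = decoded;
  }
  return value.normalize('NFKC');
}

// Hardened pattern: never trust the browser's checks; validate the canonical
// value against an allow-list and hand only that value to the rest of the app.
function strictValidate(rawParam) {
  const value = canonicalize(rawParam);
  if (value === null || !USERNAME_RE.test(value)) {
    return { ok: false, value: null };
  }
  return { ok: true, value };
}

module.exports = { weakValidate, strictValidate, canonicalize };
```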
Evaluating Rules of Engagement: How to Protect Yourself
It's important before beginning an engagement to closely read the rules of engagement
(sometimes also called a code of conduct) to understand the bounds of what is accepted
within the program.
The Rules of Engagement lay out:

- What techniques are allowed in the course of testing
- What sites/domains/apps are open to pentesting
- What parts (if any) of those apps are excluded from testing