
Security Testing & Mindset – Q&A With Santhosh Tuppad

SECTION 1: PEN TESTING STARTING POINT

Have you ever carried out a PT in which the starting point was “outside” the company network (i.e. social engineering, web app PT, etc.)? If so, please describe.

I mainly perform two ways of attacking. Firstly, from outside the network, so that I am not biased by internal networks or access. Secondly, I also like to perform it from inside the network, because that can be faster in discovering and fixing the vulnerabilities found. I was hired to perform penetration testing from outside the company network, and this also included social engineering the employees of that particular company, because the Director of the company was also interested in internal security and the weaknesses of the people working there.

Platform: Web

Key Tasks/Activities:

  • Identify the rogue insiders
  • Perform elicitation on the employees by social engineering
  • Perform OWASP Top 10 Attacks
  • Go beyond OWASP Top 10
  • Provide counter-measures in terms of algorithm
  • Suggestions to improve security controls, making it harder for the bad guys

Social Engineering: I found the author names in the JavaScript files and tried gathering information about the authors (programmers, in this context), and found their phone numbers in public records. Once found, I dialed their number and spoke to them, addressing them by name and mentioning the work they were doing at that company. I also said that I was a new employee and needed some quick help, and that it was urgent as I had to send the reports to the Director of the company. I also used the Director’s name to make myself sound more confident and be persuasive.

 

With this simple telephone call, I got the following information:

  • Firewall (third-party)
  • The version of the firewall
  • Admin login URL path
  • Credentials to the production database (Haha, this was crazy)
  • Other team members who were working on “X” features

 

All of this was from just one call. This mission was solved, and my report said, “Training the employees about cybersecurity is a must”. I was also hired to conduct training for all staff.

 

I performed OWASP Top 10 attacks across all the features, while I automated some of the features with the same payloads. Not only did I address OWASP Top 10 attacks, but I also spoke to them about smaller vulnerabilities turning into nightmares. For example: in the domain’s WHOIS information, I found the name of the admin, a phone number, an email address, and the office address. I told them: instead of hacking your application, someone may hack into the email address of the web administrator and bring down the domain or delete all the files.

 

I also did a missing security headers scan and told them why “X” headers are important to improve security and harden the security layers. I insisted that they not show the “Administrator Login Webpage” to the whole world, but allow such sensitive pages to be rendered/loaded only when the URL is accessed from a specific static IP address or the company’s IP network range. I told them that the cost of investigating a hack is lower than when your sensitive webpage is publicly accessible around the globe. Maintaining a whitelist of IP addresses that may access sensitive pages improves security.
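The two checks described in that answer, as an added example (editorial code, not from the interview or the client): a header audit of the kind a missing-security-headers scan performs, plus an IP allowlist decision for an admin path evaluated before any login form is served. The sample response headers, the allowlist ranges (documentation address space) and the `/admin` prefix are constructed assumptions.

```python
"""Added example (editorial, not from the interview): check a captured
response for missing hardening headers and stack-disclosing headers, and
gate an admin path behind an IP allowlist. The response headers, the
allowlist ranges and the /admin prefix are constructed assumptions."""
import ipaddress

# Headers a hardening review expects on an HTTPS web app, with why each matters.
EXPECTED_SECURITY_HEADERS = {
    "strict-transport-security": "forces HTTPS; closes the HTTP login page / mixed content hole",
    "content-security-policy": "restricts script sources; blunts XSS",
    "x-content-type-options": "stops MIME sniffing of uploaded files",
    "x-frame-options": "blocks clickjacking by framing",
    "referrer-policy": "keeps tokenised URLs out of third-party logs",
}

# Headers that hand a fingerprinting attacker the stack and version for free.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def audit_headers(headers):
    """Return (missing_security_headers, disclosed_headers) for one response.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    missing = [h for h in EXPECTED_SECURITY_HEADERS if h not in lowered]
    disclosed = {h: lowered[h] for h in DISCLOSURE_HEADERS if h in lowered}
    return missing, disclosed


def is_allowed(client_ip, allowlist):
    """True when client_ip lies inside any CIDR range in allowlist."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def admin_page_decision(client_ip, allowlist, path, protected_prefix="/admin"):
    """'public' for unprotected paths; 'allow'/'deny' for the admin area.
    Evaluate this before any authentication logic runs, so an unknown source
    never even sees the login form."""
    if not path.startswith(protected_prefix):
        return "public"
    return "allow" if is_allowed(client_ip, allowlist) else "deny"


# Constructed sample: what `curl -I https://target/` might show for a legacy app.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.2.15",
    "X-Powered-By": "PHP/5.3.3",
    "X-Frame-Options": "SAMEORIGIN",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}

# Constructed allowlist: hypothetical office range plus one static IP
# (documentation address space; substitute the client's real ranges).
COMPANY_RANGES = ["203.0.113.0/24", "198.51.100.10/32"]

if __name__ == "__main__":
    missing, disclosed = audit_headers(SAMPLE_RESPONSE_HEADERS)
    for name in missing:
        print(f"MISSING {name}: {EXPECTED_SECURITY_HEADERS[name]}")
    for name, value in disclosed.items():
        print(f"LEAKS   {name}: {value}")
    for src in ("203.0.113.42", "8.8.8.8"):
        print(src, "/admin/login ->", admin_page_decision(src, COMPANY_RANGES, "/admin/login"))
```

The allowlist check belongs in front of the application (reverse proxy or framework middleware), not inside the login handler, so that a denied source gets nothing to fingerprint; the header audit is the same comparison a scanner does, only with the reason for each header spelled out for the report.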

 

By the end of the 10-day web application pen testing engagement, I had found at least 30 vulnerabilities, of which 2 were 0-day vulnerabilities and the others included critical and minor ones. The list included CSRF mixed with XSS, directory listing, unencrypted authentication, SSL certificate misconfiguration, mixed content allowing a hacker to see the credentials in the clear because the login form was embedded in an HTTP page rather than HTTPS, SQL injection that brought their server down (but gave no access to data) by looping, and many others.

 

NOTE: I can describe at greater length how it went. If you want me to share my work with the sensitive details masked, I can share the complete report of my pen testing activity.

 

SECTION 2: WEB APPLICATION PENETRATION TESTING

Please describe the method you use to perform a PT.

The common points listed under “Network Penetration Testing” (for the same question, “Please describe the method you use to perform a PT.”) also form part of the answer to this question.

Here are some of the high-level ways on how I approach penetration testing.

  • Agreements like Non-Disclosure and Explicit Written Permission in order to perform pen testing related activities (In addition, I would also like to quickly understand the cyber laws, what’s legal and what’s illegal, because I don’t want to rely on my own bias, as laws change based on the jurisdiction).
  • Understand the Business
  • Understand the Application by using Touring Heuristics
  • Create a Feature Map using Mind-Maps
  • Identify the Pen Testing Objectives / Goals and Establish a Context
  • Perform Threat Risk Modelling
  • Identify Vulnerabilities in the System
  • Write Exploits / Do Vulnerability Advocacy through Risk Analysis
  • Use Vulnerability Scoring System that suits the context (DREAD / STRIDE or CVSS is what I use in my work, but I can tweak these models in order to suit the context of the client and project)
  • Create a Report that matters to the various stakeholders of the project

 

For each phase please specify the tools you use.

The famous tool that I use is “Brain” and its greatest “Capabilities”.

Note that, I explore a lot of tools during the journey of penetration testing as I come from the context-driven school of hackers.

Understanding the business (Heuristics to learn)

  • Talk to the key people
  • Communicate with cross-functional teams
  • Take a look at the specifications document
  • Use the software if it is available on the web in order to learn
  • Read about similar businesses
  • Browse through exploit databases to see if similar businesses had any kind of serious “hacking stories”, in order to learn from them and also utilize the ideas in the project

Software tools like “Passive Recon(naissance) add-on”, “Netcraft Site Report”, Maltego XL (if I have the license), Whois, Nmap, fingerprinting tools, WayBackMachine (to check the evolution of a particular web application), Google Dorks (I love this).

Creation of the Report

  • Videos for Proof of Concept (I use many different screen recording software based on the context of the operating system that I am using. Mostly malware free software / open-source based on my due diligence)
  • Screenshots wherever applicable (for web: FireShot / Greenshot / or even the Print Screen feature)
  • Detailed description covering minute aspects of the vulnerabilities
  • Add my contact details and availability (if required. Usually a night-crawler; however, I prefer to be available during the client’s time zone if they insist).

 

If you perform manual tests please specify

Well, I never understood what “manual” tests are. I have never heard of “manual programming” or anything of the sort. Everything comes from the brain and applying various thinking skills.

 

I use a tool-assisted exploratory approach to perform security/penetration tests, and sometimes it is without any tool assistance, as the brain itself can be a tool to me. For example, I can run OWASP Top 10 checks using scanners, but they merely follow instructions and cannot really come up with creative and intelligent attack vectors or payloads in order to discover a potential vulnerability.

 

So, my answer is:

I use mixed approaches which include Scanners ONLY + Brain Assisted Tests for OWASP Top 10 or any other kinds of attacks + Scanners and Tools Assisted Exploratory Testing.

 

Do you use off-the-shelf tools? Do you write your own tools?

This has been answered under the “Tools” section.

 

SECTION 3: SECURITY VULNERABILITIES

What kind of vulnerabilities do you find in websites? Please specify.

Starting from encryption-based vulnerabilities to SQL injection, authentication-based weaknesses / vulnerabilities, authorization, buggy SSL implementations, man-in-the-middle attacks, network interception, reverse engineering, cross-site request forgery, arbitrary unvalidated inputs, code injection, database hijacking, out of memory, DDoS (I wouldn’t really call this a vulnerability, though), finding sensitive data captured in the logs (log file analysis), HTTP request and response related vulnerabilities, and anywhere my brain could think of finding a loophole. They could also be a sequence of activities performed on the victim, target or software in order to achieve the hacking goals.

 

Have you ever tried to test if a vulnerability in a website that you find is really exploitable?

Yes, I do that always with mental modeling and then writing an exploit to demonstrate the severity of the discovered vulnerability.

 

I would love to share an experience of exploitation which I performed on a website. This was an education platform (New York based NGO) and it had a lot of features and various roles /authorizations.

 

Roles: Student, Teacher, and Administrator

Authorization Levels: Pretty good implementation

Identification: I found a cross-site scripting vulnerability in the TinyMCE editor’s image insert feature, which was integrated within the application.

After identification: I started to think about what I could do with this vulnerability. How could I show the severity or damage potential of the XSS vulnerability I had found? I used my feature touring mindmap to identify the features that connect me to different roles in the application. Well, I saw the “MESSAGING” feature in the application, where, as a student, you can send a message to an administrator or teacher. The exploit I was thinking of goes this way: write (malicious) AJAX / JavaScript which will force the administrator to create a new administrator, delete all users, add more users, or execute any function that I wanted while holding the student role.

 

AJAX Snippet of Code Writing: Here, I took the help of my team member who has the programming skills to write AJAX scripts. I shared my idea for the exploit, and he helped me write, in a few minutes (less than 15), an AJAX script which was capable of executing the XSS via the Messaging System / Feature against the Administrator role and then creating a new administrator with the credentials given in the AJAX request embedded in the XSS exploit.

 

In short: “Log in as a Student” → “Create malicious AJAX XSS exploit” → “Send the exploit script to the Administrator through the TinyMCE editor / Messaging feature” → “Administrator opens the message and sees a popup box which says, Welcome to Mail 2.0” (this message is set so as not to make the victim feel skeptical about the exploit) → and once the popup shows up, it means that our script has run or is running in stealth mode (meaning nothing is shown on the UI that would make the administrator feel doubtful or that something fishy is going on).

 

Result: I logged in with the credentials of the new admin created by the exploit and gained access to the full application; I could do anything now. In short, “I am the Supreme / Super Admin”.
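The fix for a stored XSS of the kind described in that answer is not a CSRF token (the injected script runs same-origin and can fetch any token), but server-side sanitization of the rich-text body before it is stored or shown to the administrator. The following is an added example of such an allowlist sanitizer, editorial code rather than the education platform's own; the permitted tags and attributes and the sample payloads are assumptions chosen for the example.

```python
"""Added example (editorial, not the platform's code): an allowlist sanitizer
for rich-text messages such as a TinyMCE editor produces, applied on the
server before a message is stored or rendered. The tag and attribute
allowlist and the sample payloads are assumptions made for the example."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}      # "" means a relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag and everything inside it go


def _safe_url(value):
    # Browsers ignore tab/CR/LF inside URLs, so strip them before checking the
    # scheme; otherwise "java\tscript:" would slip through as a relative URL.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class RichTextSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allowlisted tags currently open
        self._drop_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: its text survives, the tag does not
        kept = []
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, srcdoc, ...
            if name in URL_ATTRS and not _safe_url(value):
                continue  # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in self._open:
            return
        while self._open:            # close anything left open inside it
            closed = self._open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self._open:
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = RichTextSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed payloads of the kind a malicious message body might carry.
PAYLOADS = [
    '<p>Hi <b>admin</b></p><img src="x" onerror="fetch(\'/admin/users\',{method:\'POST\'})">',
    '<script>createAdmin("evil","pw")</script><p>Welcome to Mail 2.0</p>',
    '<a href="javascript:alert(1)">click</a> <a href="https://example.test/">ok</a>',
]

if __name__ == "__main__":
    for raw in PAYLOADS:
        print(sanitize(raw))
```

The sanitizer works by allowlisting rather than by stripping known-bad patterns: an `onerror` handler on the image tag, a `<script>` block and a `javascript:` link all disappear because nothing on the allowlist admits them, and the escaping of text and attribute values means the output is safe to embed regardless of how the editor encoded it. A Content-Security-Policy without `unsafe-inline` is the second layer for the case where the sanitizer has a gap.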

SECTION 4: EXPLOITS

Have you used known exploits? Where did you download them from?

Mainly I use https://www.exploit-db.com/ and also use the huge number of payloads from Github. For instance, I use the XSS Payloader plugin in the Burp Suite tool. Also, I use the Packet Storm Security website’s payloads listed under the “File -> Tools” list.

 

One of my favorites is the admin 1’or’1’=’1 SQL injection exploit, which works mostly on legacy web applications that never did a risk assessment as time passed. I use a lot of WordPress exploits from exploit-db. Well, more plugins lead to more exploits/vulnerabilities.
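Why that legacy payload still works, as an added example (editorial code, not the interviewee's): a login query built by string formatting, beside the bound-parameter version that closes the hole. The in-memory SQLite table, the two accounts and the payload strings are constructed for the example.

```python
"""Added example (editorial, not from the interview): the authentication
bypass behind a payload like admin' OR '1'='1 against an in-memory SQLite
users table, next to the bound-parameter query that closes it. The table,
the accounts and the payloads are constructed for the example."""
import hashlib
import sqlite3


def _hash(password):
    # Demo only: a real system uses a salted, slow hash (bcrypt/argon2/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("admin", "s3cret-admin-pw"), ("alice", "alice-pw")):
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, _hash(pw)))
    return conn


def login_vulnerable(conn, username, password):
    """Legacy style: the username is spliced into the SQL text, so a quote in it
    ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the payload as data,
    so the quotes never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


# Constructed payloads. With the first, the WHERE clause becomes
#   username = 'admin' OR '1'='1' AND pw_hash = '<hash>'
# and because AND binds tighter than OR, the row matching username = 'admin'
# is returned whatever the password was. The second comments out the
# password check entirely and returns the first row of the table.
PAYLOAD_TAUTOLOGY = "admin' OR '1'='1"
PAYLOAD_COMMENT = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", login_vulnerable(db, PAYLOAD_TAUTOLOGY, "wrong"))
    print("vulnerable, comment   :", login_vulnerable(db, PAYLOAD_COMMENT, "wrong"))
    print("safe, tautology       :", login_safe(db, PAYLOAD_TAUTOLOGY, "wrong"))
    print("safe, real password   :", login_safe(db, "admin", "s3cret-admin-pw"))
```

The parameterized form is the whole fix; escaping quotes by hand or filtering the string `OR` is not, since the payload can be rewritten around either.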

 

Have you used 0-day exploits? Did you find it by yourself? Please describe the exploits you used.

Yes, I have used existing 0-day exploits from exploit-db and other CVEs. Also, I have identified certain 0-day exploits all by myself in eCommerce, healthcare and bank / insurance / loan applications.

 

Example: The application where I found a 0-day vulnerability belongs to one of the famous rural banks which provides loans for farmers, rural workers and some from urban areas as well. This application has a “Regular User who applies for a Loan” and a “Loan Manager who approves the loans once submitted”. My attack here was to find a way by which the Loan Manager’s approval is bypassed.

Step 1: I signed up as a farmer

Step 2: I applied for the loan with all valid documents

Step 3: I looked into the HTTP request and response headers while signing up and also while submitting my loan application

Step 4: I was happy (as a hacker) to see the request body having “role=2” as one of the parameters. Upon looking deeper, I saw the “ApprovalRequired=1” parameter too.

Step 5: I used Burp Suite’s Intruder to intercept the request before I submitted the application.

Step 6: I intercepted the request and tampered with the “ApprovalRequired” attribute by changing its value from 1 to 0.

 

Well, this is how I could bypass the loan manager’s approval. And this was in no way known to them, as they had not developed any IDS for these kinds of attacks. Their code was sloppy and stupid not to have security controls in terms of request body encryption, being a bank.
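What the bypass looks like in code, as an added example (editorial, not the bank's code): a submission handler that honours the posted `role` and `ApprovalRequired` fields, beside one that takes authorization state only from the server-side session, keeps approval as a separate role-checked action, and records the presence of those fields as the tamper signal the answer says was missing. The field names, role values, amounts and the tampered request body are assumptions made for the example.

```python
"""Added example (editorial, not the bank's code): a loan submission handler
that honours client-supplied role / ApprovalRequired fields, beside one that
derives authorization state server-side from the session and logs the
tampering attempt. Field names, roles and the request body are assumptions
made for the example."""
from dataclasses import dataclass, field

ROLE_APPLICANT = 1
ROLE_LOAN_MANAGER = 2


@dataclass
class Session:
    user_id: str
    role: int        # set at login from the user record, never from a request


@dataclass
class Loan:
    applicant: str
    amount: int
    status: str      # "pending" until a loan manager approves it
    audit: list = field(default_factory=list)


def submit_loan_vulnerable(session, form):
    """Trusts whatever the browser posted: flipping ApprovalRequired to 0
    skips the loan manager entirely."""
    approval_required = form.get("ApprovalRequired", "1") == "1"
    status = "pending" if approval_required else "approved"
    return Loan(session.user_id, int(form["amount"]), status)


def submit_loan_hardened(session, form, log):
    """Authorization fields are not read from the form at all; every new loan
    starts pending. Their presence in the body is recorded as a tamper signal
    (the detection the interview says the bank lacked)."""
    loan = Loan(session.user_id, int(form["amount"]), "pending")
    for forbidden in ("ApprovalRequired", "role", "status"):
        if forbidden in form:
            msg = (f"tamper-attempt user={session.user_id} "
                   f"field={forbidden} value={form[forbidden]!r}")
            log.append(msg)
            loan.audit.append(msg)
    return loan


def approve_loan(session, loan):
    """Approval is a separate action, gated on the server-side session role."""
    if session.role != ROLE_LOAN_MANAGER:
        raise PermissionError("only a loan manager may approve a loan")
    loan.status = "approved"
    loan.audit.append(f"approved-by user={session.user_id}")
    return loan


# Constructed request body as it looked after editing it in the proxy:
# role bumped to the manager value and ApprovalRequired flipped from 1 to 0.
TAMPERED_FORM = {"amount": "50000", "role": "2", "ApprovalRequired": "0"}

if __name__ == "__main__":
    farmer = Session("farmer42", ROLE_APPLICANT)
    print("vulnerable:", submit_loan_vulnerable(farmer, TAMPERED_FORM).status)
    detections = []
    loan = submit_loan_hardened(farmer, TAMPERED_FORM, detections)
    print("hardened  :", loan.status, "|", detections)
```

Note that encrypting the request body, as the answer suggests, would not have fixed this: the client still holds the key, and a proxy can decrypt, edit and re-encrypt. The control that works is never letting a client-supplied field decide an authorization outcome.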

 

Have you participated in a bug bounty program? If so – which?

I participated in the uTest platform, which is crowdsourcing-based, and was involved in every security project because I was hand-picked for my skills and reputation as a white-hat hacker. uTest used to call them “Bug Battles”, and I was awarded prize money and also merchandise for winning the competitions.

It’s ironic that I discovered a 0-day vulnerability on uTest platform itself. The video can be watched at https://www.youtube.com/watch?v=C7nL5jy75zA

Also, I won the Mr. BugASur title at a testing competition which had 300+ professionals competing, where I found a critical vulnerability in a mobile app multiple times. As I scored more points for participating in “BugAsur” competitions, I was awarded and rewarded.

Why did I not participate in bug bounties or bug battles further? I wanted to learn more, and I did not want bounties to be my motivation, but to be self-motivated to learn deeper and practice. Hence, I gave up bug battles and did them whenever I felt like it, but rarely.

References:

https://www.utest.com/articles/how-i-won-the-utest-bug-battle-and-how-you-can-too

https://www.utest.com/articles/announcing-the-q4-bug-battle-winners (Mention of my name as a previous winner; I am sorry that I can’t find the results link, as it’s not loading. https://www.utest.com/bugbattle/q210/results << This was for the Gowalla / Foursquare Check-in Services Privacy Bug Battle.)

Certificates of Appreciation & other conference certificates from well-known companies in India and conferences across the globe can be found at https://drive.google.com/drive/folders/0BziNB3kxUI6kNW4tYnZOMG1tb3c?usp=sharing

SECTION 5: OSINT and SOCIAL ENGINEERING

What type of information on a company/site/person may be helpful in preparing an attack?

I subscribe to Kevin Mitnick’s quote on “Social Engineering” and believe in it firmly. It goes like,

“Social engineering is using deception, manipulation, and influence to convince a human who has access to a computer system to do something, like click on an attachment in an email.”

Kevin Mitnick

 

During my childhood days, I was a great liar and a thief who used to break into and bypass school infrastructure and grocery shops through social engineering skills. Well, I never practiced these skills, but somehow they were ingrained deeply in my brain, I guess. I never knew it was called “Social Engineering” in the first place.

 

So, any information is brilliant if I know how to use it and connect it to my purpose or an attack. Here is a quick list of certain information that I can think of:

  • Knowing the company details by browsing through the website
  • WHOIS information, which gives me the owner’s or administrator’s name along with their contact details and the admin email address (most of them may not have the Privacy Protect flag on, and, being a hacker, I love it)
  • Know the C-Level Management and Employees through Social Media
  • Know what their likes and dislikes are, and also follow them to see how they react to tweets or their personal posts on LinkedIn, Instagram, Facebook etc., in order to understand them well and plan social engineering for elicitation purposes.
  • Knowing Network details
  • Site Report which gives me technology stack and third-party integration using javascript etc.
  • Sending a friend request to someone who works for the target company and liking that new friend (not a friend, really) so much that they provide some internal details without their knowledge.
  • Knowing Mail Servers, Web Servers, Database, Firewall through Fingerprinting
  • Accessing all the documents shared on the web, and seeing how those documents can reveal some details from history which can help me in various ways to plan.
  • Telephone Numbers, Usernames, Email Records, Forums, Blogs, Public Records, and more.
  • Not limited to this, but everything under the nodes and subnodes of the OSINT framework mindmap, which I always love using. I don’t want to just create a copy of it here, and that’s why you could visit http://osintframework.com/

 

What tools would you use to find this information?

My favorite toolkit for social engineering:

  • Nmap Terminal / Command-Line - Network Mapper (Zenmap for UI)
  • Passive Recon Addon (Firefox)
  • WHO.IS - Find out whois information
  • Using cURL - This helps me understand the culture of the developers by looking into the HTTP request and response headers. I can also identify the technology through X-POWERED-BY and other header entries.
  • Google Dorks - Search Engine Queries for Hackers
  • MailTester.com
  • Building my own OSINT tool using Google based on the context
  • MXToolBox Utilities
  • SysInternals Utilities
  • Telephone / mobile phones with spoofed SIM cards or spoofed fake numbers
  • SMTP Boxes for Email Impersonation
  • Burp Suite - Commercial License
  • Kali’s SET (Social Engineering Toolkit)
  • Money (I know it’s illegal, but it can be a tool based on the context and laws under specific jurisdiction)
  • And Packet Storm Security Tool list is amazing for me to find out a lot of information https://packetstormsecurity.com/files/tags/tool/

 

Do you have social engineering capabilities? If so, what capabilities?

Yes, I am a “Social Engineering” freak and practiced it in my childhood without knowing it was “Social Engineering”. I love connecting the social engineering aspect to any software or physical infrastructure and achieving my goals.

 

Qualities I possess:

  • Being persuasive
  • Highly manipulative
  • Story builder to gain access to intel

 

Capabilities I possess:

  • Phishing
  • Pretexting
  • Setting Email Honeypots
  • Gaining access to passwords/usernames by using high-resolution pinhole cameras
  • Watching someone type their password is a good skill that I possess, in order to create my data for brute-forcing. Well, knowing the type of keyboard helps in understanding what kind of characters were entered, and whether the person used two fingers to type, which could possibly be a special character.
  • Vishing
  • Eavesdropping

 

Have you ever obtained access to a particular person? If so, how?

In my past, I have obtained access to a colleague’s email account while sitting in the office. This is how it went,

 

(I will be using that colleague’s name as “Dan” for reference and ease of understanding.)

Mission: To gain unauthorized access to “Dan’s” email account without having access to his computer.

 

Scene 1

Santhosh launches Gmail in his web browser, visits the “Forgot Password” webpage and enters Dan’s email address. Santhosh was thinking that Gmail might ask a “Security Question”, but it did not. That was quite disappointing for Santhosh.

 

Scene 2

I bypassed my disappointment and wanted to go to the next level. And that was initiating a “Call”, which is an “IVR” system that speaks a One Time Password or Secret Code to the owner of the email address. Yes, I finally initiated a call, and Dan was sitting 2 cubicles away from me.

 

Scene 3

After initiating the call, I watched Dan in a sneaky way. And yes, his phone rang and he said “Hello”. He kept quiet because it was an IVR, not uttering anything because there was no human on the other side.

 

Scene 4

He finally disconnected the call and started laughing. I picked up on his laugh to start a conversation with him.

I said: Hey, Dan! What’s up? What happened?

Dan: Someone called and the robot said, “Hi. Your secret code is 9870989.”

 

I said: I am sorry, I didn’t hear that. Can you please repeat? (Well, I had heard the number. But I wanted to cross-check whether Dan mentioned the right numbers or something gibberish.)

Dan: The IVR said, “Your secret code is 9870989”

I said: Woah, that’s funny! (and I continued gaining access to his account).

 

Scene 5

I finally entered the secret code and Gmail asked me to set a new password. VOILA!

 

SECTION 6: SECURITY TESTING TOOLS

Do you use off-the-shelf tools?

Yes, I use commercial off-the-shelf tools mixed with custom, open-source or freeware tools. Some examples:

Commercial

  • Burp Suite Commercial License (Extensive Usage)
  • HP WebInspect
  • Acunetix Web Scanner
  • KNOXSS Pro (Extensive Usage)

Learning a tool hasn’t been a great deal for me. The idea to attack is where I spend most of the time.

Do you write your own tools?

I have experience with writing smaller scripts to accomplish a task (if I can call those scripts tools). Also, I utilize the skills of my kickass programmer friend and team member, who helps me implement a script or a utility that realizes my idea/attack. He says, “You have great ideas for attacking, and I have greatness in writing the code. We rock that way”.

However, I use tools from Packet Storm Security and modify them for my purpose. Going forward, I am planning to write more complex tools using Python because it rocks. And I can also integrate them with a pentesting distro like Kali Linux.

 

Have you modified or added plugins to an off-the-shelf tool?

Yes, I have been a fan of add-ons (be it a software tool or coffee, I love add-ons). The commercial Burp Suite has a BApp Store which has amazing add-ons, and I employ all these add-ons to see what kind of help I can receive once I have generated an idea to attack an application. I haven’t modified them, though, but I have integrated other tools through automation so that they work together, which increases the power.

 

How do you contend with protection systems such as anti-virus/ IDS/IPS?

My approach towards web & client-server applications with IDS (Intrusion Detection Systems):

  • Read the company website’s privacy policy
  • Use the Burp Suite plugin WAFDetect to see if I can get the firewall name and version - https://portswigger.net/bappstore/12bef6b7607e46cf965c16f76e905a4c
  • Once I find the firewall version outdated, I try to find critical exploits for that version using exploit-db.com or any other CVE database.
  • Also, I learn how a specific firewall works and try to get the config file of the specific firewall through reverse engineering. However, it’s time-consuming.
  • Identify some potential employees who could be disgruntled and then try to become friends with them to extract some sensitive information, like firewall rules, without their knowledge. [Social engineering approach to be used]
  • See if I can bypass the WAF in the first place by using the Bypass WAF plugin for Burp Suite - https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c
  • Identifying flaws in the firewall configuration can help me plan my attacks very well.
  • Watch out for updates like outages and downtime on the firewall vendor’s website if I am able to figure out the firewall vendor name using the WAF Detect plugin.
  • Identify the arbitrary inputs that may not be updated, or are hard to think of, in order to configure them in the ruleset.

 

I love to explore during the hands-on testing of a software, application or system, as it may lead me to unknowns and give me more information to deal with the IDS systems in better and smarter ways!

 

Have you ever used techniques to gain persistent access to a computer or networks? If so please describe

Yes, I have performed this experiment using keyloggers and binding software.

Steps I followed:

  1. Research keyloggers that exist on the web which are undetected by anti-virus
  2. Download the keylogger to my machine
  3. Install the keylogger and configure the SMTP email to my address
  4. Use the executable builder and rebuild it with the changed settings in the keylogger, which include my email address
  5. Identify the likes of the target person and think about setting a honeypot via email or messenger applications.
  6. I identified that the target was into torrents and using cracked software. I got to know this as I used OSINT to gather his posts on forums where he was seeking a cracked version of an “X” software.
  7. I cracked that “X” software myself and bound it with the rebuilt keylogger carrying my SMTP details. For this, I used freeware binding software available on the web.
  8. Then, I wrote an email to him saying: Hey, I thought you were looking for this; I am a forum member and saw your question. I love to help! Cheers!
  9. The target thanked me, and now I was waiting to receive email logs from the keylogger, sent to me whenever the target connected to the internet. The email would be sent in stealth mode using the SMTP settings configured in the keylogger.
  10. Finally, I started getting email attachments with the target’s key logs.

This was one of the ways I gained access to the target’s computer and victimized them.

 

What residues may remain on the computer after accessing it? (for any OS you are familiar with)

I have attended workshops on computer forensics related to “Unauthorised Access”, which could be someone plugging their external drives/devices into a specific computer, and on gaining access to the details that remain when someone broke in with malicious intent.

 

The list of the residues that may remain:

  • IP address
  • Temporary files
  • Event Viewer logs
  • Cache Memory
  • Machine Physical Address
  • Web Server Log Files
  • Time-related residues
  • Volatile Data Sources
  • Date and Time of Access
  • Keystrokes
  • Command History

 

SECTION 7: NETWORK PENETRATION TESTING

 

Please describe the method you use to perform a PT.

I love using the penetration testing standard used across the industry, which goes like,

Start with Pre-engagement interactions and continue with…

1. Information Gathering

2. Threat Modeling

3. Vulnerability Analysis

4. Exploitation

5. Post-Exploitation

6. Reporting

More information http://www.pentest-standard.org/index.php/Main_Page

 

For each phase please specify the tools you use.

Pre-engagement Interactions

  • Email
  • Telephone
  • Documents
  • Demonstration

Intelligence Gathering

  • OSINT Framework Tools
  • Passive Recon
  • Maltego XL
  • Google Dorks
  • Public Records
  • Company Website
  • Social Media

Threat Modeling

  • MindMappers
  • Mozilla SeaSponge

Vulnerability Analysis

  • STRIDE and DREAD Scoring System
  • Common Vulnerability Scoring System
    https://www.first.org/cvss/calculator/3.0 (CVSS Calculator)

Exploitation

  • Downloading Exploits from exploit-db and other CVE databases
  • Writing own scripts/tools

Post Exploitation

  • VPN Utilities
  • Data Destruction based on the client’s clause
  • Purging all the confidential data once pen testing is completed (Bringing machines back to pristine state)
  • Sharing with encrypted content (if mandated or regulated)
  • Maintaining the confidentiality and integrity of the data

Reporting (Custom made a template which includes the following)

  • Executive Summary
  • Risk Rating as per Vulnerability
  • Security Risk Origin
  • Vulnerability Details (Link to Screenshots or Videos)
  • Countermeasures (if applicable)
  • Suggestions / Improvement / Hardening the Security

If you perform manual tests please specify

Well, I never understood what “manual” tests are. I have never heard of “manual programming” or anything of the sort. Everything comes from the brain and applying various thinking skills.

 

I use a tool-assisted exploratory approach to perform security/penetration tests, and sometimes it is without any tool assistance, as the brain itself can be a tool to me. For example, I can run OWASP Top 10 checks using scanners, but they merely follow instructions and cannot really come up with creative and intelligent attack vectors or payloads in order to discover a potential vulnerability.

 

So, my answer is:

I use mixed approaches which include Scanners ONLY + Brain Assisted Tests for OWASP Top 10 or any other kinds of attacks + Scanners and Tools Assisted Exploratory Testing.

 

Have you carried out black box pen testing or anything similar? Please describe the course of the test. Please describe the network and the type of organization.

 

Yes, I have experience with black box pen testing. Nevertheless, I am not limited in my tests, because in my experience black-hat hackers mostly use a black box approach most of the time. And I can use tools like Fiddler, Charles Proxy, the Dev Tools in the web browser, add-ons, request and response tampering, and what not. My hacking journey started with black box testing during my childhood days.

 

Phase I

  • Sign Non-Disclosure and other necessary confidentiality agreements
  • Interact with stakeholders / Cross-Functional Communications
  • Understand the reason behind the client seeking penetration testing services
  • Ask questions about business, technology, users
  • Know the history of the system and any hacks by bad guys
  • Intelligence gathering through elicitation process and social engineering (Use OSINT)

Phase II

  • Application overview
  • Feature Touring Heuristics and Creating a MindMap or a Map of System
  • Decompose the application into smaller bits
  • Understand what happens under the hood
  • Create a Pen Test Strategy Model
  • Start with Threat Risk Modeling
  • List the questions you may have to stakeholders, business analysts, administrator, programmers, sales, marketing folks and anyone who matters

Phase III

  • Refactor the risk modeling and test strategy model
  • Identify the attack vectors/test ideas
  • Perform the attacks and go beyond OWASP Top 10 (Starting from the Black-Box to the Backend Systems Security)
  • Think about an exploit and write a possible exploit
  • Perform DREAD AND STRIDE / CVSS or any other scoring system on the found vulnerabilities
  • Discuss with stakeholders, programmers, and testers (and anyone who matters) about Scoring system

 

Phase IV

  • Think about “Reporting” structure and format
  • Create a Blueprint of the Report
  • Consider the target audience of the report, whether it is for technical folks, C-Level Management, Business Analysts, Sales etc.
  • Deliver the Report
  • Walk people through the report
  • And wait for questions if any

 

I have thought about web applications in this context. And this even works for mobile apps or the Internet of Things or anywhere the context demands. I wrote this considering web platforms. And any organization that works with web applications can be the target.

 

Work2Code

Work2Code is a brand new breed of programmers, testers and test automation experts who always think about the value they are creating for the customers.
