SEC542 - Web App Penetration Testing Intro
53 Questions

Questions and Answers

What are the reasons why people are taking this course? (Select all that apply)

  • Attacking web applications is fun (correct)
  • The authors have a unique perspective on web security.
  • Web applications are often neglected in favor of systems and network security initiatives. (correct)
  • Web applications are becoming increasingly vital to business operations and often hold sensitive information. (correct)
  • Web applications are frequently targeted by adversaries for data exfiltration. (correct)

What is the primary use-case of the Sequencer tool?

  • To determine from which origins and endpoints the browser is allowed to load and execute active code.
  • To ensure data is transmitted securely over the network.
  • To determine whether users can access information they are not authorized to access.
  • To identify the current location of the user-agent when a link is followed.
  • To test whether an application's session-generation algorithm is predictable. (correct)

Which of the following are the advantages of the Static Application Security Testing (SAST) method? (Select all that apply)

  • It can miss issues in compiled libraries.
  • It identifies security deficiencies that are not easily apparent in the deployed application. (correct)
  • It requires high-level security skills to identify vulnerabilities.
  • It's often the quickest way to find vulnerabilities.
  • The SAST method is a full-knowledge testing technique because it requires access to source code. (correct)

Which of the following are the disadvantages of the Dynamic Application Security Testing (DAST) method? (Select all that apply)

  • It only tests the code that is actually being exposed. (A)
  • It is often used for simple, front-end validation rather than for finding complex logic flaws. (D)
  • It is often performed too late in the software development lifecycle (SDLC). (E)

The 'Content-Security-Policy' response header is primarily used to identify potential XSS attack vectors.

True (A)

Why is the "Target - Scope" tab in Burp Suite important? (Select all that apply)

  • It helps prevent accidental overlooking of relevant resources. (A)
  • It helps manage the tools used for penetration testing by defining which websites or resources to actively test. (C)
  • It helps ensure you don't run afoul of your authority and scan unnecessarily. (D)

What are the purposes of using the "Proxy Intercept" feature in Burp? (Select all that apply)

  • To review and edit incoming requests before sending them to the server. (C)
  • To review and edit outgoing responses from the server before sending them to the browser. (D)

Which of these are the primary responsibilities of a Certificate Authority (CA)?

  • To generate certificates to ensure the correct public key is shared. (D)
  • To provide authentication by establishing trust with the client. (E)

What are the advantages of using the "Intruder" functionality within Burp Suite Pro? (Select all that apply)

  • It requires little to no scripting skill. (A)
  • It allows for high-volume custom injection attacks. (B)
  • It is a very powerful tool that can be used to test a variety of vulnerabilities. (E)

Which of the following are among the goals for the Information Gathering section of the WSTG? (Select all that apply)

  • To understand the application's functionality and its impact on the web server. (A)
  • To identify the network infrastructure configuration, including listening services and software versions. (C)
  • To find vulnerabilities within the application and identify common configuration flaws. (D)
  • To understand the web server configuration and its impact on the application security. (E)

The OWASP Web Security Testing Guide suggests that security testers should prioritize security controls and vulnerabilities testing for high-risk functions, such as wire transfers.

True (A)

What is the primary use-case of the 'Content Discovery - Spidering' technique? (One word)

Exploration

A common practice is to use the robots.txt file to hide sensitive content from pentesters.

False (B)

What are the advantages of manual spidering? (Select all that apply)

  • It provides a more complete and detailed overview of the web application. (A)
  • It can be used to identify the purpose of the application and identify vulnerabilities. (B)
  • It is less prone to invalidating sessions or destroying data. (C)
  • It allows for the identification of sensitive functions within the application. (D)

Automated spidering is the most efficient way to find vulnerabilities in a large web application.

False (B)

Which of the following tools can be used to discover web server components? (Select all that apply)

  • Nmap (A)
  • Netcraft (B)
  • Shodan (C)
  • CEWL (D)
  • Zenmap (E)

It is generally considered acceptable to use the LinkedIn Open Network (LION) to connect with individuals that are not directly related to you, but are connected to individuals connected to you, in order to gain access to information that you cannot access unless you are friends with them.

True (A)

What are the primary sources of information collected by the theHarvester tool?

  • Threat intelligence feeds. (C)
  • Public search engines like Google, Bing, and DuckDuckGo. (D)
  • Publicly available DNS records. (E)

Which of the following are the reasons why it is often difficult to use OSINT tools to gather information about systems that are managed by third-party vendors? (Select all that apply)

  • These systems may require a login and authentication. (B)
  • These systems may lack strings associating them with the client's name. (C)
  • The systems might be difficult to find if they are outside the client's IP space. (D)
  • These systems may not be well documented. (E)

The search operator 'site:example.com' in Google is used to limit the search results to the specified website.

True (A)

What are the primary use cases of 'dorks' (also known as 'googledorks')? (Select all that apply)

  • To identify specific server details as part of a penetration test. (C)
  • To discover internal resources. (D)
  • To identify specific vulnerabilities in the web application. (E)

What are the advantages of using an OSINT Suite for penetration testing? (Select all that apply)

  • It provides numerous valuable public APIs. (A)
  • It comes with a comprehensive set of features to analyze data quickly. (C)
  • It eliminates the need to use multiple individual tools. (D)

The popularity and relevance of 'dorks' is diminishing today, due to the widespread adoption of new, more secure technologies and frameworks.

False (B)

The OWASP Web Security Testing Guide (v4.2) was known as the OWASP Testing Guide (OTG) in versions prior to 4.2.

True (A)

Which of the following are the common ways to discover web server components? (Select all that apply)

  • Searching for administrative webpages. (A)
  • Performing a port scan to identify the services running. (B)
  • Using vulnerability scanners to identify software components. (C)
  • Reviewing configuration files. (D)
  • Analyzing default web pages for software details and version information. (E)

A webserver is expected to support the GET and HEAD methods, while support for other methods is considered optional.

True (A)

What is the purpose of using the -t any option in the dig command?

To retrieve all record types for a specific domain.

It is generally considered safe to use the nslookup command when attempting to confirm blind command injection.

True (A)

The 'dnsrecon' tool can be used to perform both brute force and reverse DNS scans.

True (A)

Which of the following are common use cases of the 'Shodan' tool? (Select all that apply)

  • To discover information about the target organization's internal systems. (A)
  • To discover the latest configuration changes made to the target environment. (B)
  • To identify vulnerable systems that should be in scope. (C)
  • To gather details about SSL certificates. (E)

The 'gowitness' tool is a powerful alternative to the 'EyeWitness' tool and is written in a different language.

True (A)

What are the key considerations for defining the scope of an application assessment? (Select all that apply)

  • To prevent accidental overlooking of relevant resources. (B)
  • To ensure that you don't scan unnecessarily and potentially trigger unwanted alerts. (D)
  • To understand which tools and resources are relevant for the specific target. (E)
  • To establish a clear and defined perimeter for testing. (F)

The 'Site Map' feature within Burp is often overlooked by new users.

True (A)

The 'Filter' feature within Burp Suite is used to remove data from the session and prevent further transmission.

False (B)

What are the key considerations for choosing a browser to use while conducting web application pen testing? (Select all that apply)

  • Ensure it has a user-agent that does not interfere with the testing. (A)
  • Select a browser that is updated with the latest security features to ensure compatibility with the web application. (D)
  • Choose based on how extensible the browser is and how easily it can be customized. (E)

The -X PUT option in the curl command is used to send a PUT request to the server.

True (A)

The -i option in the curl command is used to display the response headers.

True (A)

What are the key considerations for testing HTTP methods? (Select all that apply)

  • To discover the impact of the HTTP methods on the web application's functionality. (A)
  • To test the compatibility of the web application with various HTTP method implementations. (B)
  • To understand how the target web server is configured. (C)
  • To analyze the server-side logic for vulnerabilities related to specific HTTP methods. (D)
  • To identify potential vulnerabilities associated with the HTTP methods. (E)

The Allow response header indicates the HTTP methods that are supported by the target web application.

True (A)

What is the primary purpose of the HTTP Referer header? (Select all that apply)

  • To provide information about the previous web page that the user was viewing. (B)
  • To enforce a specific flow through the application. (E)

The 'SameSite' attribute is designed to prevent Cross-Site Request Forgery (CSRF) attacks.

True (A)

Which of the following are the valid values for the 'SameSite' attribute?

  • lax (A)
  • none (D)
  • strict (E)

What are the purposes of using the 'Secure' attribute for cookies? (Select all that apply)

  • To ensure that the cookie is only transmitted over a secure channel, such as HTTPS. (A)
  • To prevent the cookie from being modified or altered by unauthorized parties. (C)
  • To prevent the cookie from being intercepted and observed by potential eavesdroppers. (D)

The 'HttpOnly' attribute ensures that the cookie cannot be accessed by client-side scripting languages, effectively preventing XSS attacks from successfully stealing cookies.

True (A)

The 'Cache-Control' header is a unidirectional directive, meaning that a directive set in the request header does not necessarily imply that the same directive will be set in the response header.

True (A)

Which of the following are the key functions of using the 'X-Frame-Options' response header? (Select all that apply)

  • To prevent framing of the page and protect against Clickjacking attacks. (F)

What are the key principles behind the 'HTTP Strict Transport Security (HSTS)' mechanism? (Select all that apply)

  • It ensures that web pages are accessed over an HTTPS connection. (A)
  • It is a highly effective way to mitigate the impact of CSRF attacks. (D)
  • It sets a time limit for which the browser will remember that the website must be accessed over HTTPS. (F)

Why is understanding the latest SSL/TLS versions and cipher suites crucial for conducting web application pen testing?

  • To ensure that the communication between the client and server is secure. (C)
  • To help identify potential vulnerabilities in the web application's SSL/TLS implementation. (D)

The 'ssl-enum-ciphers' Nmap script can be used to identify the cipher suites supported by an HTTPS server.

True (A)

What are the key functions of the HTTP 'X-Frame-Options' response header? (Select all that apply)

  • To protect against Clickjacking attacks. (A)
  • To prevent the page from being rendered in an iframe. (B)

The 'SameSite' attribute is designed to prevent Cross-Site Scripting (XSS) attacks.

False (B)

Which of the following are common methods or techniques for information gathering during a penetration test? (Select all that apply)

  • Using search engines. (A)
  • Performing active virtual host discovery. (B)
  • Leveraging social media. (F)
  • Using the 'Shodan' tool. (H)
  • Using port scanners. (I)
  • Using the 'Robots Exclusion Protocol'. (J)
  • Using the 'gowitness' tool. (K)
  • Using DNS enumeration and zone transfer tools. (L)

What are the core functionalities of a web application pen-tester's toolkit? (Select all that apply)

  • Attack platform (B)
  • Dynamic web application security scanner (C)
  • OSINT suite (D)
  • Port scanner (E)
  • Web browser (H)
  • Interception proxy (I)

Flashcards

Penetration Testing

A process of finding vulnerabilities in a system by simulating real-world attacker tactics.

Threat Modeling

A method of assessing application security focusing on understanding potential threats and their impact.

Source Code Review

A technique for finding bugs and security flaws in code by manually examining it.

Static Application Security Testing (SAST)

An automated process for analyzing code and identifying potential security vulnerabilities.

Dynamic Application Security Testing (DAST)

A method of testing web applications by sending requests and analyzing responses to identify security issues.

Manual Inspections and Reviews

Examining application documentation to identify potential security risks.

Automated + Manual = Best

Combining automated scans and manual reviews to identify potential vulnerabilities in a web application.

Zero-Knowledge Pen Test Myth

The misconception that a zero-knowledge pen test is representative of a real-world attack.

Penetration Testing Framework

A framework for conducting penetration tests, ensuring consistency and repeatability.

OWASP Web Security Testing Guide

A guide for conducting web security testing.

HTTP Request Method - HEAD

A request method that asks the server to return only the HTTP headers without sending the body.

HTTP Request Method - OPTIONS

A request method that asks the server to respond with a list of supported HTTP methods.

HTTP Request Header - Referer

An HTTP header that indicates the URL of the page that the user-agent was viewing before following a link.

Virtual Host Discovery

Discovering hidden virtual hosts on a target server.

Shodan

A search engine focused on discovering and searching for internet-connected devices and services.

Cryptographic Failures

The use of cryptography to protect confidentiality and integrity of sensitive data.

HTTPS: SSL/TLS Handshake

A sequence of messages exchanged between a client and server to establish a secure connection using TLS.

HTTPS Testing: Using testssl.sh

A command-line tool used to evaluate an HTTPS configuration.

HTTPS Testing: Qualys SSL Labs

A publicly available resource for evaluating SSL configurations.

Content Discovery - Spidering

Crawling or spidering through web pages to discover content and functionality.

Robots Exclusion Protocol

A set of rules that instruct automated spiders on how to interact with a website.

The Attacker's Dilemma: Manual vs. Automated Spidering

The challenge of choosing between manually exploring a web application and using automated tools.

Open-Source Intelligence (OSINT)

Gathering information about target organizations and applications from publicly available sources.

OSINT: Search Engines

Using search engines like Google, DuckDuckGo, and Bing to gather OSINT.

OSINT: Key Search Operators

Special search operators used in search engines to refine results and find specific data.

OSINT: Google Dorks

Google searches crafted to find specific types of data or vulnerabilities.

OSINT: Dorking

The practice of using crafted searches to find vulnerabilities in web applications.

OSINT: theHarvester

An open-source tool used for gathering OSINT, particularly for finding emails and social media profiles.

OSINT Suites

Collections of tools and resources for efficiently gathering OSINT.

Study Notes

SEC542 - Web Application Penetration Testing and Ethical Hacking

• This course corresponds to the GIAC Web Application Penetration Tester (GWAPT) certification.
• The material covers the introduction and information gathering phases of web application penetration testing.
• The course emphasizes the importance of understanding web applications and how to test their security.
• Many organizations do not prioritize application security, which creates opportunities for attackers.
• Attacking web applications is considered intellectually rewarding and a valuable skill.
• Current web application testing often focuses only on functionality, not security.
• Multiple tools are available to facilitate web application assessments, including penetration testing.
• The NIST National Vulnerability Database (NVD) shows that web applications are a frequent target for attackers.
• The Exploit Database (EDB) details many vulnerabilities in web applications.

Topic 1: Introduction and Information Gathering

• The course begins with an introduction to web applications.
• Key concepts related to the web's structure and functionality are discussed.
• Information gathering is highlighted as critical in a penetration test, including methods like virtual host discovery.
• The course uses the OWASP methodology and test techniques.
• The process of gathering information, including methods like DNS discovery, is emphasized.
• Methods like website spidering, using tools like Wget, are explained.
• The course then covers the use of interception proxies, like ZAP and Burp Suite, for a more structured approach to analysis.

Topic 2: Fuzzing, Scanning, Authentication, and Session Testing

• Techniques for fuzzing, scanning, authentication, and session testing are covered in detail.
• The different methodologies and techniques are described in this section.
• Automated scanning tools as well as manual techniques are covered.

Topic 3: Injection

• This section covers various injection techniques used in web application attacks.
• The different types of injection attacks and their implications are detailed.

Topic 4: XSS, SSRF, and XXE

• This section covers Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), and XML External Entity (XXE) attacks.
• The different types of attacks and their implications are detailed.

Topic 5: CSRF, Logic Flaws, and Advanced Tools

• This section covers exploiting CSRF and logic flaws, and the advanced tools used by attackers.
• Different attack types and remediation concepts are explained.

Topic 6: Capture the Flag (CTF)

• CTF exercises and demonstrations are typically included to reinforce practical application of the learned material.
• Many CTF challenges and demonstrations are available to aid understanding and solidify knowledge acquisition.

Additional Topics

• Threat Modeling: Methods for analyzing potential vulnerabilities in web applications.
• Code Review: Techniques used to identify vulnerabilities directly from source code.
• Static Application Security Testing (SAST): Automated static analysis methods for finding vulnerabilities.
• Dynamic Application Security Testing (DAST): Automated testing of running applications.
• Interactive Application Security Testing (IAST): Techniques for security assessment of an application during runtime.
• Out-of-band Application Security Testing (OAST): Testing approaches that detect vulnerabilities by observing the application's out-of-band interactions with a tester-controlled system.
• OWASP Top 10: A list of frequent web application vulnerabilities and security risks.
• Open Source Intelligence (OSINT): Gathering information about targets from publicly available sources.
• Nmap and other scanning tools: Tools that collect web application data for a deeper and broader analysis.
• The Google Hacking Database (GHDB): Contains many unique search strings (dorks) for finding potential vulnerabilities.
• HTTP: Key functionalities of HTTP requests and responses.
• HTTPS: Details of TLS/SSL and the cryptographic concepts that secure HTTP traffic, including handshakes and cipher suites, and how to assess their strength.
• HTTP headers: User-Agent, Referer, Cookie and other relevant HTTP headers.
• DNS: Domain Name System for domain and IP address resolution.
• Additional tools: testssl.sh, etc.

Related Documents

SEC542 - Book 1 PDF

Description

This quiz focuses on the introduction and information gathering aspects of web application penetration testing as covered in the SEC542 course. Learn about the significance of testing web applications' security and the tools available for effective assessments. This foundational knowledge is critical for aspiring penetration testers.
