AWAE course preparation for the OSWE certification with HackTheBox machines
- TODO: Add more content and rewrite the others
- Browser proxy (Burp Suite, ZAP or other)?
- Can you keep track of the forms/data submitted? ViewState?
- Where does authentication apply? Can you easily 'spider' throughout the website?
Discover Hidden Content
- What happens if we try to access content we should not have access to? Any obvious content (admin, config, install ...)?
- Can you identify hidden server-side content? If needed, enumerate the web application (Nikto or others); it helps.
- Can you trigger hidden debug parameters of certain functions/endpoints?
- Did you spot any anomalies within responses that may indicate that the added parameter has had an effect on the website?
- What is the session management mechanism? Are there any access control or recovery features (account or password/token)?
- What can you tell about customized data transmission or nonstandard encoding mechanisms? Does anything seem odd?
- Can you identify any out-of-band channels via which user-controllable or other third-party data is being introduced into the application? Rendering content from another protocol?
- Can you tell which technologies are used on the client side or server side, such as forms, scripts, cookies, Java applets, etc.?
- Can you see which feature/endpoint interacts with another part of the website, like a database?
- If there is a lot of content/features, how are you going to proceed? Can you prioritize your searches by potential vulnerabilities?
- Can you see any obfuscated content? How can you use it to your advantage? Have you retrieved any sensitive/config information?
- Can you modify the values passed to the application functionality, like deserialization strings or forms?
- Can you review the deserialized content for any angle of exploitation? What about common deserialization attacks?
- Can you test each affected input field by submitting data that would ordinarily be blocked by the client-side controls, to verify whether these controls are replicated on the server side?
- Can you see any disabled elements in the HTML?
- What are the authentication entry points used by the website (including login, registration, account recovery, and so on)?
- Can you determine whether any other means exist of obtaining several user accounts?
- Can you find and review the password policy used by the website? Are there any vectors of exploitation (weak passwords, crypto ...)?
- How are usernames constructed? Are they emails or maybe trigrams? Are they unique? Where are the usernames used?
- At each location, using an account that you control, can you manually send several requests containing the valid username but other invalid credentials? How does the application react to this behaviour?
- How does the account recovery function work? Can you reproduce the complete walk-through of the recovery process using an account you control?
- Can you determine whether users can set or select their own challenge questions during registration?
- If the main login function or its supporting logic contains a Remember Me function, can you activate this and review its effects? If this function allows the user to log in on subsequent occasions without entering any credentials, can you review it closely for any vulnerabilities?
- Can you modify the contents of your cookie in suitable ways in an attempt to masquerade as other users of the application?
- If the application registers both accounts, probe further to determine its behavior when a collision of username and password occurs. Attempt to change the password of one of the accounts to match that of the other. Also, attempt to register two accounts with identical usernames and passwords.