Discovery
Obtain any available documentation for the application: component lists, architecture and dataflow diagrams, or API and route descriptions. Review documentation and validate the scope of the assessment.
Request access to two accounts per application role, or an account with the ability to create accounts and modify roles. Ensure testers have access to all in-scope portions of the application, such as APIs or administrative functionality.
Request source code for all in-scope portions of the application. Note technologies or frameworks used by the application, and research common issues in those technologies and in any dependencies. Read source code to discover how application routes are defined, and enumerate a list of all application routes.
Making effective use of source code during application testing dramatically improves the quality of the testing that can be performed. Testers should use source code to:
- Identify the code patterns used for authentication and authorization across the application's routes, and systematically search for any routes with missing or incorrect authentication and authorization checks (see Code Patterns for API Authorization: Designing for Security).
- After finding a vulnerability through dynamic testing, find the source of the vulnerability in source code. Use the code pattern to discover other code locations performing similar unsafe functionality.
- Efficiently identify or rule out bypasses to common security controls such as input validation, rather than performing blind testing.
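The route enumeration and the systematic search for missing authentication and authorization checks described above can be automated against the application's source. The following is an added example, not code from this checklist or from any project it describes: it parses Flask-style Python source with the standard-library `ast` module, lists every route with its HTTP methods and decorators, and flags handlers that lack the decorators the assessment treats as access-control checks. The sample source, the decorator names (`login_required`, `roles_required`, `permission_required`) and the public-route list are constructed for the example and would be replaced by the patterns found in the code under review.

```python
"""Added example (not part of the original checklist): enumerate routes in
Flask-style source with Python's ast module and flag handlers that are missing
an authentication or authorization decorator."""
import ast
from dataclasses import dataclass

# Constructed sample source, standing in for files read from the client's
# repository. The decorator names are assumptions, not a real project's code.
SAMPLE_SOURCE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/login", methods=["POST"])
def login():
    return "ok"

@app.route("/profile")
@login_required
def profile():
    return "me"

@app.route("/admin/users", methods=["GET", "POST"])
@login_required
@roles_required("admin")
def admin_users():
    return "users"

@app.route("/admin/export")
def admin_export():            # no authentication or authorization decorator
    return "csv"

@app.route("/admin/settings")
@login_required
def admin_settings():          # authenticated, but no role check
    return "settings"

@app.post("/api/keys")
@login_required
def create_key():
    return "key"
'''

# Decorators this assessment treats as the application's authn/authz pattern
# (assumed for the sample; adjust to what the reviewed code actually uses).
AUTHN_DECORATORS = {"login_required"}
AUTHZ_DECORATORS = {"roles_required", "permission_required"}
# Routes documented as intentionally unauthenticated (assumption for the sample).
PUBLIC_ROUTES = {"/login"}
ROUTE_VERBS = ("route", "get", "post", "put", "delete", "patch")


@dataclass
class Route:
    path: str
    methods: tuple
    handler: str
    decorators: tuple


def _decorator_name(node) -> str:
    """Dotted name of a decorator expression, with or without call parentheses."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return f"{_decorator_name(node.value)}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _route_from_decorator(node):
    """Return (path, methods) if the decorator registers a route, else None."""
    if not isinstance(node, ast.Call):
        return None
    name = _decorator_name(node)
    if not name.startswith("app."):
        return None
    verb = name.split(".", 1)[1]
    if verb not in ROUTE_VERBS or not node.args:
        return None
    if not isinstance(node.args[0], ast.Constant):
        return None              # dynamic path: report it for manual review
    methods = ("GET",) if verb == "route" else (verb.upper(),)
    for kw in node.keywords:    # explicit methods=[...] on app.route
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            methods = tuple(e.value for e in kw.value.elts if isinstance(e, ast.Constant))
    return node.args[0].value, methods


def enumerate_routes(source: str) -> list:
    """Walk the module and collect every route-decorated handler, in file order."""
    routes = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = tuple(_decorator_name(d) for d in node.decorator_list)
        for dec in node.decorator_list:
            found = _route_from_decorator(dec)
            if found:
                routes.append(Route(found[0], found[1], node.name, names))
    return routes


def find_unprotected(routes: list) -> list:
    """Return (path, reason) pairs for routes that break the expected pattern."""
    findings = []
    for r in routes:
        decs = set(r.decorators)
        if r.path in PUBLIC_ROUTES:
            continue
        if not decs & AUTHN_DECORATORS:
            findings.append((r.path, "no authentication decorator"))
        elif r.path.startswith("/admin/") and not decs & AUTHZ_DECORATORS:
            findings.append((r.path, "admin route without role check"))
    return findings


if __name__ == "__main__":
    found_routes = enumerate_routes(SAMPLE_SOURCE)
    for r in found_routes:
        print(f"{','.join(r.methods):9} {r.path:16} -> {r.handler} {r.decorators}")
    for path, reason in find_unprotected(found_routes):
        print("FINDING:", path, reason)
```

Each flagged route is a lead for dynamic testing, not a confirmed finding: an application may enforce access control in a `before_request` hook or in the handler body, so the enumerated route list should be compared against what the client's documentation and the captured traffic show.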
Analyze normal use case functionality and capture the client-server interactions for review. Cover as many routes as possible from those identified in source code or from API and route descriptions provided by the client.
When source code is not available, "spidering" can assist in identifying application routes for further testing. (Spidering means using an automated web crawling tool to discover and visit links in a web application.) Spidering should be used with caution: a crawler may request resources that modify application state.
Determine whether features such as input validation, debug functionality, or access to administrative routes are enforced client-side only. Any feature that affects the application's security must also be validated in the backend, since a client can be modified or bypassed entirely.
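As an added illustration of the client-side-only problem (this is example code, not from the original checklist or any project it describes), the weak handler below trusts fields that the client-side JavaScript validated and hid, while the hardened handler takes identity and role from the server-side session and re-validates the input. The session store, request shape and handlers are hypothetical and use no particular framework.

```python
"""Added example (not part of the original checklist): a backend that relies on
client-side enforcement next to one that re-validates on the server."""
import re

# Constructed server-side session store: who is logged in and their role.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
VALID_ROLES = ("user", "admin")


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def weak_handler(request: dict) -> dict:
    """Vulnerable form: the page validated 'username' in JavaScript and hid the
    role selector for non-admins, so the backend accepts whatever arrives."""
    return {"username": request["username"], "role": request.get("role", "user")}


def hardened_handler(request: dict) -> dict:
    """Hardened form: identity comes from the session, input is validated again,
    and a role change is honoured only when the session itself is an admin."""
    session = SESSIONS.get(request.get("session_id"))
    if session is None:
        raise Forbidden("no valid session")
    username = request.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise BadRequest("invalid username")
    requested_role = request.get("role", session["role"])
    if requested_role not in VALID_ROLES:
        raise BadRequest("unknown role")
    if requested_role != session["role"] and session["role"] != "admin":
        raise Forbidden("role change requires an admin session")
    return {"username": username, "role": requested_role}


def outcome(handler, request: dict) -> str:
    """Summarise a handler's result as 'ok', 'forbidden' or 'bad_request'."""
    try:
        handler(request)
        return "ok"
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad_request"


if __name__ == "__main__":
    # Constructed request that skips the browser's validation and hidden-field
    # logic entirely, as a tester would when replaying a captured request.
    bypass = {"session_id": "sess-alice", "username": "alice", "role": "admin"}
    print("weak     :", weak_handler(bypass))
    print("hardened :", outcome(hardened_handler, bypass))
```

The test for an assessment is the same as the one shown in `__main__`: replay the request with the client-side control removed and confirm the backend rejects what the client would have prevented.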
Continue to Configuration.