Manual Security Testing Workflow

Getting started with HTTPView, Rest, Fuzzer and Encoder

SecApps comes with a number of tools to help you when doing manual web application security assessments. The workflow is very similar to the one used with intercepting proxies such as Burp and Zap, except that the process is greatly simplified due to the use of our embedded web security testing facilities delivered through the SecApps Browser Extension.

The workflow begins by intercepting some targeted browser traffic, then analyzing the relevant HTTP transactions, manipulating the requests and responses, fuzzing, and finally reporting and summarization. In the hands of an experienced penetration tester, this methodology can be used to discover any web security vulnerability. With SecApps tools, this workflow can be utilized at any point without the need to configure proxies, install additional software or make system-wide changes.

Defining The Scope

Make sure that you have the SecApps Browser Extension installed. Open the HTTPView application and configure the Scope, as we don't want to capture everything, only the traffic from the target application. For example, to capture only traffic from apple.com we may want to use *//apple.com/** as the scope. Multiple scopes can be selected so you can slice your tests in many different ways.

The scope itself is defined as a series of glob rules. You can also use regular expressions. The scope can be changed during the testing session, so don't worry if you don't get it right the first time. The SecApps tools are designed so that you can do many tasks concurrently without affecting the end outcome. You can read more about the scope rules in the supplementary documentation that comes with each tool. The HTTPView scope docs can be found here.
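The following is an added example, not SecApps code, showing how a glob scope such as the one above separates target traffic from everything else. It assumes common glob semantics (`**` matches anything, `*` stops at `/`); the actual rules are in the HTTPView scope docs. The function names and sample URLs are constructed for illustration.

```python
import re

def scope_to_regex(glob: str) -> re.Pattern:
    """Compile a scope glob under ASSUMED semantics (not from the SecApps docs):
    '**' matches any characters; '*' matches any characters except '/'."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)

def in_scope(url: str, scopes) -> bool:
    """True if the whole URL matches at least one scope rule."""
    return any(scope_to_regex(s).fullmatch(url) for s in scopes)

# Constructed sample URLs, as they might appear during a capture session.
SAMPLE_URLS = [
    "https://apple.com/",
    "https://apple.com/shop/buy?item=1",
    "https://apple.com",                             # no trailing slash
    "https://www.apple.com/",                        # subdomain
    "https://apple.com.example.net/",                # look-alike host
    "https://example.net/?next=https://apple.com/",  # target only in the query
]

def partition(urls, scopes):
    """Split urls into (captured, ignored) lists for the given scopes."""
    captured = [u for u in urls if in_scope(u, scopes)]
    ignored = [u for u in urls if not in_scope(u, scopes)]
    return captured, ignored

if __name__ == "__main__":
    for scopes in (["*//apple.com/**"], ["*//apple.com/**", "*//*.apple.com/**"]):
        captured, ignored = partition(SAMPLE_URLS, scopes)
        print(scopes, "\n  captured:", captured, "\n  ignored:", ignored)
```

Under these assumptions the single rule does not cover subdomains, which is why a second scope is added in the second run.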

Recording Transactions

To start recording, simply click the red dot. Open a new tab and navigate to the target application. You will notice that all traffic from the browser to the application is collected in the so-called transaction viewer. In the transaction viewer you can see the HTTP method, hostname, port, path, query and a range of HTTP response details. Clicking on any of the rows in the transaction viewer will open the selected request and response details in the viewers below: the request and response viewers.

Unlike proxies, which only capture HTTP traffic without understanding the context, HTTPView also provides contextual information such as whether the request was loaded from a browser frame (i.e. window), whether XMLHttpRequest was used or whether it is related to media tags such as <img> and <video>. This information can be used to better understand the application you are testing and quickly identify security weaknesses.

It is also very important to make use of the filters located above the transaction viewer to help you zoom in on a particular set of requests. For example, you may be testing a specific feature and as such you can narrow the transactions to only those which occurred in the last 5 minutes. You can further narrow down by showing only parameterized requests (i.e. requests that have parameters of some sort) as those will be subject to vulnerabilities. All of these features are available so that you can filter out the noise in order to concentrate on the important stuff, i.e. places where vulnerabilities could be lurking.

Sometimes vulnerabilities are lurking in plain sight. Our Pro users will benefit from our "passive vulnerability detection" engine which is executed for each captured transaction in the transaction viewer. You can even filter based on the severity of these vulnerabilities from the filters to help you narrow down interesting requests that will be a good subject for manual inspection.

Request Manipulation

The trick to identifying vulnerabilities is to follow the clues, and then do some active testing. This is where Rest comes to the rescue. Rest is an advanced HTTP manipulation utility. You can open any request from the transaction viewer in Rest by double-clicking on any item of interest. You can also click on the app launcher and select the "Send to Rest" option.

Once the transaction is opened in Rest, it is up to us to try to find interesting vulnerabilities. This is where experience in security research and web vulnerabilities will come in useful. From this point we can find almost anything, from Remote Code Execution and NO/SQL Injection to the less severe vulnerabilities such as Cross-site Scripting, Request Forgery and more.

Rest will break down the request into smaller units which can be edited and customized individually. This helps immensely as we don't need to waste time on the various encodings that the HTTP protocol is made of and can concentrate on the actual task. Various convoluted data-transport schemes such as multipart forms (i.e. upload forms) are handled automatically. Adding, removing and temporarily turning off information is also trivial via the "request builder", which also supports "variables".

Once we have customized the request to fit our test, we can send the actual request. Press the Play button located at the top left. The response will appear in the response viewer located to the right of the request builder.

Although manual security testing requires a bit of experience and familiarity with common vulnerabilities, we have introduced a number of features to make the process as easy as possible so that you can easily test, drill further or move on to the next request. We are talking about the "Passive Analyzer", "Diff View" and "HTML Preview" features.

Just like the HTTPView, Rest also has a passive analyzer which can help us identify vulnerabilities automatically. For example, if we test for some SQL Injection condition which results in an error hidden deep inside the resulting HTML source code, we don't need to manually look for it because the passive analyzer will pick this information automatically and display the information in the "Issues" tab. This is a huge time-saver as we combine manual efforts with fully automated vulnerability detection features of our web security testing engine. We have your back! We can't leave you on your own.

One of the most powerful features when doing manual web security assessments is the "Diff View". With diff we can compare the current response with any of the previous responses. This method helps you quickly identify the things that changed in the response and as a result increase your focus on the given task. For example, if we are looking for a Cross-site Scripting vulnerability, we can easily identify how our efforts to bypass the validation routines affect the end result. We don't need to scroll to a particular area. We can simply execute the change and see the actual change in the diff view, stripping away the boilerplate that comes with the rest of the response and is irrelevant to the current task.

Last but not least, the HTML View helps us render the result in an actual browser so that we can see exactly how our manipulated request affected the application. This can give us further visual clues that can help us discover vulnerabilities.
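The idea behind the Diff View and the passive analyzer described above can be sketched as follows. This is an added example, not SecApps code: it diffs a response against an earlier baseline and checks only the new lines against a small, illustrative list of verbose database error messages. The two response bodies and all function names are constructed.

```python
import difflib
import re

# Illustrative signatures of verbose database errors (not SecApps' rule set).
ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax", re.I),
    "PostgreSQL": re.compile(r"syntax error at or near", re.I),
    "Oracle": re.compile(r"\bORA-\d{5}\b"),
    "SQL Server": re.compile(r"Unclosed quotation mark after the character string", re.I),
}

def added_lines(baseline: str, current: str):
    """Return (line number in current, text) for lines not present in baseline."""
    a, b = baseline.splitlines(), current.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "insert"):
            out.extend((j + 1, b[j]) for j in range(j1, j2))
    return out

def review(baseline: str, current: str):
    """Flag error signatures that appear only in the changed part of a response."""
    findings = []
    for lineno, text in added_lines(baseline, current):
        for engine, pattern in ERROR_SIGNATURES.items():
            if pattern.search(text):
                findings.append({"line": lineno, "engine": engine, "text": text.strip()})
    return findings

# Constructed responses: the second one hides an error inside an HTML comment.
BASELINE = """<html>
<body>
<h1>Products</h1>
<ul><li>Widget</li></ul>
<footer>Example Shop</footer>
</body>
</html>"""

CURRENT = """<html>
<body>
<h1>Products</h1>
<!-- query failed: You have an error in your SQL syntax; check the manual -->
<ul></ul>
<footer>Example Shop</footer>
</body>
</html>"""

if __name__ == "__main__":
    for finding in review(BASELINE, CURRENT):
        print(finding)
```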

Once we are done with the request, we may want to save it in our project. Click on the projects button in the toolbar, select your project folder if it is not already selected, and click save or save as. Now you can go back to your work at a later stage. You can also fork your current work so that you can continue manipulating it without losing the current changes or affecting your save. Saving is optional, so save what you think is relevant to your project.

Fuzzing

Manual request manipulation is cool, but do you know what is cooler? Automatic request manipulation. Fuzzing is the art of automatically identifying vulnerabilities by injecting unexpected input. Unlike manual request manipulation, which is very targeted, fuzzing is used for broad attacks where we can identify vulnerabilities in the edge cases. We have made one of the most powerful web security fuzzers around to help you with that.

Select the transactions you are interested in from HTTPView. Click on the application launcher and then "Send to Fuzzer". HTTPView will open the selected request in Fuzzer ready to be customized for fuzzing.

There are 3 types of attacks you can choose from: permutate, blast and hammer. You can learn more about them from the Fuzzer's built-in documentation. The most common attack is "Permutate". If you set up loops, dictionaries and lists, the fuzzer will automatically permutate over the combinations, producing interesting results which will most certainly help you find vulnerabilities.

With the fuzzer you can also check for brute-force and direct-object reference attacks. Configure an iterator by using the built-in Counter primitive, list or dictionary and you are done.

The Fuzzer is a very powerful tool. We made it as simple as possible but it will take a few tries to master. Refer to our Blog, Twitter, Facebook and Reddit discussions to get tips and tricks on how to utilise the tool to the best of its ability.

Saving Work Progress

Needless to say, try saving your work as regularly as required. This task is super easy and available from all apps. Your project is essentially made out of files that are saved in a portable and easy-to-parse format, so no more obscure file formats. Since we are working with files and folders, you can organize your project in whichever way fits your style. You want to put all your Rest requests in a sub-folder? No problem! Everything is possible.

Additionally, you can attach notes to each file in the "README" section. Press the README button to open it. Type some text, even some ASCII art, and save. That's how we do it while keeping it cool!

Furthermore, if you are really proud of what you achieved and you want to show it to the wider security community, you can use Fiddles. With Fiddles you can create a snapshot of your current work in the specific application and save it in a shareable way. Fiddles will generate a friendly URL of your work which you can copy and send to your friends and colleagues.

Some Final Words

Manual web security testing is a type of performance art. It takes time to master, so if you are learning, don't despair if you cannot get it right the first time. We are here to help. Just reach out to us via our pro contact forms, or on our Blog, Twitter, Facebook and Reddit, and we will try to help. The trick is to keep trying. We are continuously improving the current tools and adding more features, so it will only get easier over time and you can concentrate on providing the guidance for the tools to discover the vulnerabilities for you.