Chapter 50. Do You Need Manual Penetration Testing?
Shawn Evans
The goal of web application penetration assessments is to enumerate and exploit risk across all manner of web platforms via automated and manual methods. The responsibility of the assessor is to cause unintended application behavior. This sounds simple, but it is the most basic thread that connects all vulnerabilities. Unintended behavior can manifest itself through information disclosure, subtle variances in HTTP response size, command injection on the client or server side, logical errors, and out-of-band interactions with other servers.
Reliably injecting faults and positively detecting risk is greatly enhanced if the assessor has a fundamental understanding of the code that is being executed behind the scenes. AppSec professionals, even those without a software engineering background, should be able to read and understand code. The ability to read and understand code then lends itself naturally to writing pseudocode. If you can look at a few lines of code or an entire function and distill that functionality into a concise logical description, then you can effectively describe an entire application. The same is true of application users. By using an application and observing the submitted parameters and the expected responses, it’s possible to describe in plain language which discrete functions are likely being called on the server ...