Chapter 7. Identifying Weak Points in Application Architecture

So far we have discussed a number of techniques for identifying components in a web application, determining the shape of APIs in a web application, and learning how a web application expects to interact with a user’s web browser. Each technique is valuable by itself, but when the information gathered from them is combined in an organized fashion, even more value can be gained.

Ideally, you’re keeping notes of some sort throughout the recon process, as suggested earlier. Proper documentation of your research is integral, as some web applications are so expansive that exploring all of their functionality could take months. The amount of documentation created during recon is ultimately up to you (the tester, hacker, hobbyist, engineer, etc.) and more isn’t always more valuable if not prioritized correctly, although more data is still better than no data.

With each application you test, you would ideally end up with a well-organized set of notes. These notes should cover:

• Technology used in the web application

• List of API endpoints by HTTP verb

• List of API endpoint shapes (where available)

• Functionality included in the web application (e.g., comments, auth, notifications, etc.)

• Domains used by the web application

• Configurations found (e.g., Content Security Policy [CSP])

• Authentication/session management systems

Once you have finished compiling this list, you can use it to prioritize any attempts at hacking ...