Chapter 7. Identifying Weak Points in Application Architecture
So far we have discussed a number of techniques for identifying components in a web application, determining the shape of APIs in a web application, and learning how a web application expects to interact with a user’s web browser. Each technique is valuable by itself, but when the information gathered from them is combined in an organized fashion, even more value can be gained.
Ideally, throughout the recon process you are keeping notes of some sort, as suggested earlier in this part of the book. Proper documentation of your research is integral, as some web applications are so expansive that exploring all of their functionality could take months. The amount of documentation created during recon is ultimately up to you (the tester, hacker, hobbyist, engineer, etc.) and more isn’t always more valuable if not prioritized correctly, although more data is still better than no data.
Ideally, with each application you test, you will end up with a well-organized set of notes. These notes should cover:
-
Technology used in the web application
-
List of API endpoints by HTTP verb
-
List of API endpoint shapes (where available)
-
Functionality included in the web application (e.g., comments, auth, notifications, etc.)
-
Domains used by the web application
-
Configurations found (e.g., Content Security Policy or CSP)
-
Authentication/session management systems
Once you have finished compiling this list, you can use it to prioritize ...
Get Web Application Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.