Check outgoing and incoming traffic to ensure that traffic is being routed appropriately for your test (e.g. you’re not sending traffic through the

A Pen Testing Approach for Web Apps

submited by

Style Pass

2020-06-27 04:25:23

Check outgoing and incoming traffic to ensure that traffic is being routed appropriately for your test (e.g. you’re not sending traffic through the wrong VPN or proxy).

Run tcpdump and monitor the output to verify that traffic is going to/from the target. In some cases, save the output to a file as evidence of where the traffic went.

Actually spend a chunk of time on this. Use the information as key words to brute force directories, user names, passwords, function names, etc.

Grab the front page of the app and view the page source code to see if they have any revealing information (such as a Joomla header).

Identify any JavaScript libraries that have been imported by the app (AngularJS, Jquery), note their origin and versionUse retire.js to identify any out-of-date JavaScript libraries used by the web app.

Analyze the information you’ve gathered in the previous steps, and perform research to identify the exploits and attack vectors.