Tuesday, June 21, 2005

Internet Application Testing

From: The Open Source Security Testing Methodology Manual

5. Internet Application Testing

An Internet application test employs different software testing techniques to find "security bugs" in the server/client
applications of the system, tested from the Internet side. In this module, "server/client applications" refers to those
developed by or for the system owners to serve a dedicated business purpose; they may be written in any programming
language and built on any technology. A web application for business transactions, for example, is a target in this
module. "Black box" and/or "white box" testing can be used.
Expected Results:
  List of applications
  List of application components
  List of application vulnerabilities
  List of application system trusts
Re-Engineering
1. Decompose or deconstruct the binary code, if accessible.
2. Determine the protocol specification of the server/client application.
3. Infer program logic from the error/debug messages in the application output and from program
behaviour/performance.
Authentication
4. Find possible brute-force password-guessing entry points in the applications.
5. Find valid login credentials by password grinding, if possible.
6. Bypass the authentication system with spoofed tokens.
7. Bypass the authentication system by replaying captured authentication information.
8. Determine the application logic for maintaining authentication sessions: number of (consecutive) failed
logins allowed, login timeout, etc.
9. Determine the limitations of access control in the applications: access permissions, login session
duration, idle duration.
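Item 7 is the one on this list that is easiest to misjudge from the outside: a token that verifies correctly is not the same as a token that cannot be reused. The following is an added example, not part of the OSSTMM text, that simulates both sides of the exchange offline. The shared secret, the `user|nonce|timestamp|mac` token layout and the 60-second freshness window are assumptions made for the demonstration; the point is that the naive server accepts a captured token a second time, while the hardened one rejects replays, stale timestamps and tampering.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for this example only (hypothetical; a real
# deployment would load it from a secret store, never from source).
SECRET = b"example-shared-secret"


def make_token(user: str, nonce: str, ts: int) -> str:
    """Client side: prove possession of SECRET with an HMAC over user|nonce|timestamp."""
    mac = hmac.new(SECRET, f"{user}|{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{nonce}|{ts}|{mac}"


def _mac_valid(user: str, nonce: str, ts: str, mac: str) -> bool:
    expected = hmac.new(SECRET, f"{user}|{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


class NaiveServer:
    """Verifies only the MAC, so any token captured on the wire can be replayed forever."""

    def login(self, token: str) -> bool:
        try:
            user, nonce, ts, mac = token.split("|")
        except ValueError:
            return False
        return _mac_valid(user, nonce, ts, mac)


class HardenedServer:
    """Additionally rejects tokens outside a freshness window and nonces already seen."""

    def __init__(self, window_seconds: int = 60, now=time.time):
        self.window = window_seconds
        self.now = now          # injectable clock so the check can be exercised offline
        self.seen_nonces = set()

    def login(self, token: str) -> bool:
        try:
            user, nonce, ts, mac = token.split("|")
            ts_int = int(ts)
        except ValueError:
            return False
        if not _mac_valid(user, nonce, ts, mac):
            return False                      # forged or tampered token
        if abs(self.now() - ts_int) > self.window:
            return False                      # stale: outside the replay window
        if nonce in self.seen_nonces:
            return False                      # replay: nonce already consumed
        self.seen_nonces.add(nonce)
        return True


def replay_test(server, now=time.time):
    """Tester's view of item 7: capture one valid login, then submit it a second time."""
    token = make_token("alice", secrets.token_hex(8), int(now()))
    return server.login(token), server.login(token)


if __name__ == "__main__":
    print("naive   :", replay_test(NaiveServer()))      # (True, True)  -> replayable
    print("hardened:", replay_test(HardenedServer()))   # (True, False) -> replay rejected
```

The nonce set grows without bound here; a real server would expire entries older than the window, which is exactly why the freshness check has to exist alongside the nonce check.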

Session Management

10. Determine the session management information: number of concurrent sessions, IP-based
authentication, role-based authentication, identity-based authentication, cookie usage, session ID in the URL
query string, session ID in hidden HTML form fields, etc.
11. Guess the session ID sequence and format.
12. Determine whether the session ID is bound to the client IP address; check if the same session
information can be reused from another machine.
13. Determine the session management limitations: bandwidth usage, file download/upload limitations,
transaction limitations, etc.
14. Gather excessive information via direct URLs, direct instructions, action-sequence jumping and/or page
skipping.
15. Gather sensitive information with man-in-the-middle attacks.
16. Inject excess/bogus information with session-hijacking techniques.
17. Replay gathered information to fool the applications.
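Item 11 asks the tester to guess the session ID sequence and format. The usual way to do that is to collect a sample of IDs and check two things: whether a numeric part behaves like a shared counter, and roughly how much of the ID actually varies. The following is an added example, not part of the OSSTMM text; the two ID samples are constructed for the demonstration and the 64-bit floor used to call a sample "weak" is an assumed reporting threshold, not a figure from the page.

```python
import math
import re

# Constructed samples, not captured from any real application.
SEQUENTIAL_IDS = ["sess-100231", "sess-100232", "sess-100233", "sess-100235", "sess-100236"]
RANDOM_IDS = [
    "3f9a1c7e4b2d8056e1a9c3f7b4d2e806",
    "a07e5d3c9b1f2846d5e3a1c7f9b2d460",
    "c4b8e2f1a6d9370e8b5c2f4a1e7d9063",
    "71d2f8a3e5c0b964f2a7d1e3c8b50f9a",
]


def shape(sid: str) -> str:
    """Describe the ID format: d = digit, a = letter, punctuation kept literally.
    e.g. 'sess-100231' -> 'aaaa-dddddd'."""
    return "".join("d" if c.isdigit() else "a" if c.isalpha() else c for c in sid)


def numeric_part(sid: str):
    """First decimal run in the ID, or None."""
    m = re.search(r"\d+", sid)
    return int(m.group()) if m else None


def is_counter(ids, max_gap: int = 10) -> bool:
    """True when the numeric parts rise monotonically in small steps: a shared counter,
    so neighbouring sessions can simply be enumerated."""
    nums = [numeric_part(s) for s in ids]
    if len(nums) < 3 or any(n is None for n in nums):
        return False
    gaps = [b - a for a, b in zip(nums, nums[1:])]
    return all(0 < g <= max_gap for g in gaps)


def entropy_upper_bound_bits(ids) -> float:
    """Generous upper bound: number of positions that vary across the sample times
    log2 of the alphabet seen at those positions. A small sample understates the
    alphabet, so treat this as a triage figure, not a measurement."""
    length = min(len(s) for s in ids)
    varying = [i for i in range(length) if len({s[i] for s in ids}) > 1]
    alphabet = {s[i] for s in ids for i in varying}
    if not varying:
        return 0.0
    return len(varying) * math.log2(len(alphabet))


def assess(ids) -> dict:
    """Summarise a session-ID sample for the report."""
    bits = entropy_upper_bound_bits(ids)
    return {
        "shape": shape(ids[0]),
        "hex": all(re.fullmatch(r"[0-9a-fA-F]+", s) for s in ids),
        "counter": is_counter(ids),
        "entropy_bits_upper_bound": round(bits, 1),
        # 64 bits is an assumed floor for a reportable finding, not a figure from the page
        "weak": is_counter(ids) or bits < 64,
    }


if __name__ == "__main__":
    print(assess(SEQUENTIAL_IDS))
    print(assess(RANDOM_IDS))
```

The counter check is deliberately tolerant of small gaps, because other users' logins sit between the tester's own sessions; a strictly consecutive sample would be the exception, not the rule.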
Input Manipulation
18. Find the limitations of the defined variables and protocol payload: data length, data type, construct
format, etc.
19. Use exceptionally long character strings to find buffer overflow vulnerabilities in the applications.
20. Concatenate commands in the input strings of the applications.
21. Inject SQL in the input strings of database-tiered web applications.
22. Examine the web applications of the system for "Cross-Site Scripting".
23. Examine unauthorized directory/file access with path/directory traversal in the input strings of the
applications.
24. Use specific URL-encoded strings and/or Unicode-encoded strings to bypass the input validation
mechanisms of the applications.
25. Execute remote commands through "Server Side Include" injection.
26. Manipulate the session/persistent cookies to fool or modify the logic in the server-side web applications.
27. Manipulate the (hidden) field variables in the HTML forms to fool or modify the logic in the server-side web
applications.
28. Manipulate HTTP protocol headers such as "Referer" (the header name keeps its historic misspelling), "Host",
etc., to fool or modify the logic in the server-side web applications.
29. Use illogical/illegal input to test the application error-handling routines and to find useful debug/error
messages from the applications.
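Items 21, 23 and 24 share one root cause: the application treats input as data in one place and as syntax in another, or validates it before decoding it. The following is an added example, not part of the OSSTMM text, showing the vulnerable form of each beside its fix. The in-memory SQLite user table, the `/var/www/files` document root and the three-round decode limit are assumptions made for the demonstration.

```python
import posixpath
import sqlite3
from urllib.parse import unquote

# --- Item 21: SQL injection, vulnerable versus parameterised -------------------

def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Builds the query by string concatenation, so input becomes SQL syntax."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username: str, password: str) -> bool:
    """Bound parameters: the driver never lets input change the statement's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# --- Items 23 and 24: path traversal hidden behind URL encoding ------------------

DOC_ROOT = "/var/www/files"   # hypothetical document root for the example


def naive_path_allowed(user_path: str) -> bool:
    """Typical weak filter: rejects a literal '../' and nothing else."""
    return "../" not in user_path


def canonical_path_allowed(user_path: str, max_rounds: int = 3) -> bool:
    """Percent-decode until the value stops changing (catches double encoding),
    normalise the path, then confine it to DOC_ROOT."""
    decoded = user_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return False   # still changing after max_rounds: treat as hostile
    full = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    return full == DOC_ROOT or full.startswith(DOC_ROOT + "/")


def demo() -> dict:
    conn = build_db()
    return {
        # '--' starts an SQL comment, truncating the password check in the concatenated query
        "sqli_vuln": vulnerable_login(conn, "alice' --", "wrong"),
        "sqli_safe": safe_login(conn, "alice' --", "wrong"),
        # single- and double-encoded traversal slip past the naive filter
        "naive_single": naive_path_allowed("..%2f..%2fetc/passwd"),
        "canon_single": canonical_path_allowed("..%2f..%2fetc/passwd"),
        "naive_double": naive_path_allowed("%252e%252e%2fetc/passwd"),
        "canon_double": canonical_path_allowed("%252e%252e%2fetc/passwd"),
        "canon_benign": canonical_path_allowed("docs/readme.txt"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

The traversal check only handles percent-encoding; backslash separators and malformed UTF-8 sequences are decoded differently by different servers, which is why item 24 tells the tester to try Unicode-encoded forms against the real target rather than trust a local model of it.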
Output Manipulation
30. Retrieve valuable information stored in the cookies.
31. Retrieve valuable information from the client application cache.
32. Retrieve valuable information stored in serialized objects.
33. Retrieve valuable information stored in temporary files and objects.
Information Leakage
34. Find useful information in the hidden field variables of HTML forms and in comments in the HTML
documents.
35. Examine the information contained in application banners, usage instructions, welcome messages,
farewell messages, application help messages, debug/error messages, etc.
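Items 34 and 35 are usually done by eye, but on a site of any size it pays to scan every fetched page the same way. The following is an added example, not part of the OSSTMM text: a small scanner that pulls hidden form fields, HTML comments and the generator banner out of a page and flags the ones a tester would follow up on. The sample page is constructed, and the two keyword lists (hidden-field names the server should never trust from the client, and comment words that tend to precede something sensitive) are assumed heuristics, not a standard.

```python
from html.parser import HTMLParser

# Constructed page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 2.1">
<!-- TODO: remove debug account test/test1234 before launch -->
</head><body>
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="4471">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="is_admin" value="0">
  <input type="text" name="qty" value="1">
  <!-- backend: db01.internal:3306 -->
</form></body></html>"""

# Assumed heuristics for this example.
TRUST_SENSITIVE = ("price", "amount", "total", "admin", "role", "uid", "user_id", "debug")
COMMENT_KEYWORDS = ("todo", "fixme", "password", "passwd", "debug", "internal", "db", "backend")


class LeakScanner(HTMLParser):
    """Collects hidden inputs, comments and the generator meta tag from one page."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.comments = []
        self.generator = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")

    def handle_comment(self, data):
        self.comments.append(data.strip())


def scan(html: str) -> dict:
    """Return everything collected plus the subset worth reporting (item 34 and 35 material)."""
    p = LeakScanner()
    p.feed(html)
    p.close()
    findings = []
    for name, value in p.hidden:
        # a server that trusts these back from the client is the item 27 target
        if any(key in name.lower() for key in TRUST_SENSITIVE):
            findings.append(f"hidden field '{name}'={value!r} is client-controlled")
    for c in p.comments:
        if any(word in c.lower() for word in COMMENT_KEYWORDS):
            findings.append(f"comment: {c}")
    if p.generator:
        findings.append(f"generator banner: {p.generator}")
    return {"hidden": p.hidden, "comments": p.comments,
            "generator": p.generator, "findings": findings}


if __name__ == "__main__":
    for line in scan(SAMPLE_HTML)["findings"]:
        print(line)
```

Note that `item_id` is collected but not flagged: the interesting hidden fields are the ones whose value the server has no business accepting from the client, and that judgement still needs a human once the scanner has narrowed the list.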