Web Application Security Methodology
This document outlines the standard operating procedure for web application and API security assessments.
1. Reconnaissance & Discovery
Scope Verification
Always double-check the Rules of Engagement (RoE) before launching automated tools. Engaging out-of-scope assets can compromise the assessment.
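A simple way to enforce the RoE check in tooling is a scope guard that every scanner wrapper calls before it touches a target. The script below is an added example for this methodology, not code from the original document; `SAMPLE_SCOPE` is a constructed scope list using reserved example names and the RFC 5737 test range, and the matching rules (exact host, `*.` wildcard that excludes the apex, CIDR for literal IP targets) are assumptions about how a RoE is typically written.

```python
"""Scope guard: refuse to run a tool against a host that is not in the RoE."""
import ipaddress
from urllib.parse import urlparse

# Constructed sample scope, standing in for the assessment's Rules of Engagement.
# Entries may be exact hostnames, wildcard subdomains, or IP networks in CIDR form.
SAMPLE_SCOPE = [
    "app.example.test",
    "*.api.example.test",
    "192.0.2.0/24",
]


def _host_of(target):
    """Extract the bare hostname from a URL or host[:port] string."""
    if "://" not in target:
        target = "//" + target  # lets urlparse treat a bare host as a netloc
    host = urlparse(target).hostname
    if not host:
        raise ValueError(f"cannot determine host for {target!r}")
    return host.lower().rstrip(".")


def _matches(host, entry):
    """Return True if host matches one scope entry."""
    entry = entry.lower()
    if "/" in entry:  # CIDR network: only literal IP targets can match
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    if entry.startswith("*."):  # wildcard: any subdomain, but not the apex itself
        return host.endswith(entry[1:]) and host != entry[2:]
    return host == entry


def in_scope(target, scope):
    """True if the target's host is covered by at least one scope entry."""
    host = _host_of(target)
    return any(_matches(host, entry) for entry in scope)


def require_in_scope(target, scope):
    """Raise before any tool launches if the target is outside the RoE."""
    if not in_scope(target, scope):
        raise PermissionError(
            f"{target!r} is outside the Rules of Engagement; refusing to proceed"
        )
    return target


if __name__ == "__main__":
    for t in [
        "https://app.example.test/login",
        "https://v2.api.example.test",
        "192.0.2.17",
        "https://staging.example.test",
    ]:
        print(t, "->", "in scope" if in_scope(t, SAMPLE_SCOPE) else "OUT OF SCOPE")
```

Call `require_in_scope` at the top of any wrapper script so an out-of-scope target aborts the run before a single request is sent; wildcard entries deliberately do not cover the apex name, so list it separately if the RoE includes it.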
Directory & File Fuzzing
When fuzzing, always tailor your wordlists and extensions to the target's specific technology stack.
- The `-e` flag specifies extensions to append. Targeting `.env` is critical for Laravel applications to catch exposed credentials, while `.js` is highly useful for mapping out React/Node environments.
2. Vulnerability Assessment
Cross-Site Scripting (XSS)
When testing modern SPA frontends (like React), traditional reflected XSS is often mitigated by the framework's native escaping. Shift focus to DOM-based XSS or instances where developers bypass protections.
React Specific Check
Search the compiled JavaScript bundles for uses of dangerouslySetInnerHTML. This is a common entry point for DOM XSS in React applications.
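The search above is easy to automate and, more usefully, to triage: a `dangerouslySetInnerHTML` whose `__html` is a string constant is not a sink, while one fed from props or state is. The scanner below is an added example for this check and is not part of the original document; the `SAMPLE_BUNDLE` is a constructed snippet mimicking unminified JSX and minified `createElement` output, and the sanitizer heuristic (`DOMPurify` or a `sanitize*` call) is an assumption that only downgrades a finding to "verify", never clears it.

```python
"""Scan JavaScript bundles for dangerouslySetInnerHTML and triage each use."""
import re

# Matches the prop and captures the expression assigned to __html, whether the
# source is JSX (prop={{__html: x}}) or a minified createElement call ({__html:x}).
_PATTERN = re.compile(
    r"dangerouslySetInnerHTML\s*[:=]\s*\{\{?\s*__html\s*:\s*([^}]*)\}",
)
# A whole-expression string literal; template literals with ${} are excluded.
_STRING_LITERAL = re.compile(
    r"""^\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`[^`$]*`)\s*$"""
)
# Heuristic hint that the value passed through a sanitizer (still needs review).
_SANITIZER_HINT = re.compile(r"\b(?:DOMPurify|sanitize\w*)\s*[.(]", re.IGNORECASE)


def classify(expr):
    """Triage the __html expression: constant, sanitized (verify), or raw dynamic."""
    if _STRING_LITERAL.match(expr):
        return "static-literal"
    if _SANITIZER_HINT.search(expr):
        return "sanitized-verify"
    return "dynamic-review"


def scan_bundle(source, name="bundle.js"):
    """Return one finding per dangerouslySetInnerHTML use in the given source text."""
    findings = []
    for m in _PATTERN.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        expr = m.group(1).strip()
        findings.append({
            "file": name,
            "line": line,
            "expr": expr,
            "verdict": classify(expr),
        })
    return findings


# Constructed sample resembling an unminified and a minified React bundle.
SAMPLE_BUNDLE = """\
function Banner(){return <div dangerouslySetInnerHTML={{__html: "<b>Welcome</b>"}} />}
function Comment(p){return <p dangerouslySetInnerHTML={{__html: p.body}} />}
function Article(p){return <div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(p.html)}} />}
var Minified=e=>r.createElement("span",{dangerouslySetInnerHTML:{__html:e.title}});
"""


def main():
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f['file']}:{f['line']} [{f['verdict']}] __html: {f['expr']}")


if __name__ == "__main__":
    main()
```

Run it over each downloaded bundle with `scan_bundle(open(path).read(), path)`; the `dynamic-review` findings are the ones to trace back to their data source, and `sanitized-verify` findings still need the sanitizer configuration checked rather than being accepted on the name alone.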
3. Exploitation & Post-Exploitation
Production Environment Warning
The following techniques involve writing files or executing commands. Do not run these on a production server without explicit authorization, as they can cause system instability.
Reverse Shell Generation
If you find a Remote Code Execution (RCE) vulnerability or unrestricted file upload, you'll need a reverse shell.
- Usage: Upload this as `shell.php`. Access it via browser: `https://target.com/uploads/shell.php?cmd=whoami`. Use this strictly for Proof of Concept.