Last updated 5 months ago
Identify data injection points.
Validate that all checks are occurring on the back end and canât be bypassed.
Attempt to break the format of the expected data and analyze how the application is handling it.
Evidence:
â
Review the project documentation looking for guessable, predictable, or hidden functionality of fields.
Insert logically valid data in order to bypass normal business logic workflow.
Review the project documentation for components of the system that move, store, or handle data.
Determine what type of data is logically acceptable by the component and what types the system should guard against.
Determine who should be allowed to modify or read that data in each component.
Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.
Look for user inputs that could be used to enumerate hidden information by the attacker. (Login panel, password recovery, etc.)
Send data to see if it takes more time or less depending of the values used.
Perform the same request as many times as possible until a rate limiting function is triggered. This can be applied to functions like "apply coupons", "login" or "recovery password."
Identify functions that must set limits to the times they can be called.
Assess if there is a logical limit set on the functions and if it is properly validated.
Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.
Develop a misuse case and try to circumvent every logic flow identified.
Review which tests had a different functionality based on aggressive input.
Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques.
Check if there are defenses against SQLI, XSS, RCE, malware file upload.
Study the applications logical requirements.
Prepare a library of files that are ânot approvedâ for upload that may contain files such as: jsp, exe, or HTML files containing script.
In the application navigate to the file submission or upload mechanism.
Submit the ânot approvedâ file for upload and verify that they are properly prevented from uploading
Check if the website only do file type check in client-side JavaScript
Check if the website only check the file type by âContent-Typeâ in HTTP request.
Check if the website only check by the file extension.
Check if other uploaded files can be accessed directly by specified URL.
Check if the uploaded file can include code or script injection.
Check if there is any file path checking for uploaded files. Especially, hackers may compress files with specified path in ZIP so that the unzip files can be uploaded to intended path after uploading and unzip.
Try to upload an EICAR file and try to access it.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
