4.2 Configuration and Deployment Management Testing

Configuration and Deployment Management Testing

4.2.1 Test Network Infrastructure Configuration

Once obtained all the services that composes the application such as MySQL, APIs, different domains, etc. then:

• Review the applications components’ configurations set across the network and validate that they are not vulnerable.

• Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials

• Look for CVEs associated to the versions of each web site component.

Evidence:

​

4.2.2 Test Application Platform Configuration

• Ensure that defaults and known files have been removed. (Black-box)

ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .bak,.config,.old,.txt,.pdf,cgi -of md -o conf_files.md

• Validate that no debugging code or extensions are left in the production environments. (Gray-Box)

• Review the logging mechanisms set in place for the application. (Gray-Box)

Evidence:

​

4.2.3 Test File Extensions Handling for Sensitive Information

• Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.).

• Validate that no system framework bypasses exist on the rules set.

4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information

Check:

• Look for back up files extensions:

• Look for common backup file names

• backup_files_only.txt

• backup_files_with_path.txt

• extensions-compressed.fuzz.txt

• Check if directory listing is enabled

Evidence:

4.2.5 Enumerate Infrastructure and Application Admin Interfaces

Identify hidden administrator interfaces, functionality, cookies, etc.

List of default web page:

Evidence:

4.2.6 Test HTTP Methods

• Check which if there are methods allowed

• Using burp and /usr/share/wordlists/SecLists/Fuzzing/http-request-methods.txt tests which methods are allowed.

• Perform a CONNECT method.

• Try to perform an PUT request.

• Try to DELETE an image

Evidence:

4.2.7 Test HTTP Strict Transport Security

• Check that no requests are made through HTTP.

• Review the HSTS header and its validity. Also, take the screenshoot from burp suite.

• Check if the header attributes includeSubDomains and preload (optional) appear.

Evidence:

4.2.8 Test RIA Cross Domain Policy

• Check if the files exists (crossdomain.xml and clientaccesspolicy.xml)

• Review and validate the policy files

Evidence:

4.2.9 Test File Permission

• Check if there are files with more permissions than necessary. Because it requires access to the server files it only applies to White Box approach.

Evidence:

4.2.10 Test for Subdomain Takeover

A subdomain of the company is pointing to a third-party service with a name not registered. If you can create an account in this third party service and register the name being in use, you can perform the subdomain takeover.

• Identify expired or mis-configured domains (subdomains that points to a expired or nonexistent domain) that are used for the main application.

1. Go to Burp's sitemap, select all the domains that has been found using the app, right click "Copy select URLs" and saved them into a file

2. Then perform an HTTP request to all the domains looking for a domain that returns a 404.

1. Check if the domain exists or not (look for the URL on burp), and if it can be registered by a malicious attacker.

Evidence:

4.2.11 Test Cloud Storage

• Obtain the path or website where the files are uploaded, to check if they are uplodaded to cloud services

• Check if you are required to be authenticated in order to access those fies.

• Check if you can upload, overwrite or delete those files with and without authentication.

• Test with AWS-CLI

Evidence: