4.2 Configuration and Deployment Management Testing

4.2.1

Once obtained all the services that composes the application such as MySQL, APIs, different domains, etc. then:

• Review the applications components’ configurations set across the network and validate that they are not vulnerable.

• Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials

• Look for CVEs associated to the versions of each web site component.

Evidence:

​

4.2.2

• Ensure that defaults and known files have been removed. (Black-box)

ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .bak,.config,.old,.txt,.pdf,cgi -of md -o conf_files.md

• Validate that no debugging code or extensions are left in the production environments. (Gray-Box)

• Review the logging mechanisms set in place for the application. (Gray-Box)

Evidence:

​

• Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.).

ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .asa,.inc,.config,.zip,.tar,.gz,.tgz,.rar,.java,.pdf,.docx,.rtf,.xlsx,.pptx -of md -o conf_files.md

• Validate that no system framework bypasses exist on the rules set.

Check:

• Look for back up files extensions:

ffuf -w <WORDLIST> -e .bak,.backup,.old,.tmp,.swp,.bkp -of md -o backup_files.md -u https://<DOMAIN>/FUZZ 

• Look for common backup file names

ffuf -ac -w /usr/share/wordlists/backup_files_with_path.txt -u https://<DOMAIN>/FUZZ
ffuf -ac -w /usr/share/wordlists/backup_files_only.txt -u https://<DOMAIN>/FUZZ

• Check if directory listing is enabled

Evidence:

​

Identify hidden administrator interfaces, functionality, cookies, etc.

List of default web page:

# WebSphere
admin
admin-authz.xml
admin.conf
admin.passwd
admin/
admin/logon.jsp
admin/secure/logon.jsp
administration
# PHP
phpinfo
phpmyadmin/
phpMyAdmin/
mysqladmin/
MySQLadmin
MySQLAdmin
login.php
logon.php
xmlrpc.php
dbadmin
# FrontPage
admin.dll
admin.exe
administrators.pwd
author.dll
author.exe
author.log
authors.pwd
cgi-bin
# WebLogic
AdminCaptureRootCA
AdminClients
AdminConnections
AdminEvents
AdminJDBC
AdminLicense
AdminMain
AdminProps
AdminRealm
AdminThreads
# WordPress
wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php

Evidence:

​

• Check which if there are methods allowed

curl -sq -X OPTIONS  -I <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i "allow"

• Using burp and /usr/share/wordlists/SecLists/Fuzzing/http-request-methods.txt tests which methods are allowed.

• Perform a CONNECT method.

CONNECT <OASTIFY>:80 HTTP/1.1
Host: <DOMAIN>:443

• Try to perform an PUT request.

echo '<html><body><h1>RTG</h1></body></html>' > /tmp/test.html
curl -sq -D - -X PUT -T /tmp/test.html https://<DOMAIN>/ -H "Content-Type: text/html" | head -n 1
​
curl -sq -D - https://<DOMAIN>/test.html | head -n 1

• Try to DELETE an image

curl -sq -D - -X DELETE <URL_IMAGE> | head -n 1

Evidence:

​

• Check that no requests are made through HTTP.

• Review the HSTS header and its validity. Also, take the screenshoot from burp suite.

• Check if the header attributes includeSubDomains and preload (optional) appear.

curl -sq -D- <URL> | grep -i "Strict-Transport-Security:" --color

Evidence:

​

• Check if the files exists (crossdomain.xml and clientaccesspolicy.xml)

curl -D- -sq https://<URL>/crossdomain.xml -b "<COOKIE>"; echo
curl -D- -sq https://<URL>/clientaccesspolicy.xml -b "<COOKIE>"; echo

• Review and validate the policy files

Evidence:

​

• Check if there are files with more permissions than necessary. Because it requires access to the server files it only applies to White Box approach.

Evidence:

​

A subdomain of the company is pointing to a third-party service with a name not registered. If you can create an account in this third party service and register the name being in use, you can perform the subdomain takeover.

• Identify expired or mis-configured domains (subdomains that points to a expired or nonexistent domain) that are used for the main application.

1. Go to Burp's sitemap, select all the domains that has been found using the app, right click "Copy select URLs" and saved them into a file

2. Then perform an HTTP request to all the domains looking for a domain that returns a 404.

cat burp_urls.txt  | awk -F/ '{print $1"//"$3}' | sort -u > domains_url.txt
meg -d 10 -c 200 / domains_url.txt requests
grep -iRl 404 requests/ | awk -F/ '{print $2}' > domains_to_be_checked.txt

1. Check if the domain exists or not (look for the URL on burp), and if it can be registered by a malicious attacker.

Evidence:

​

• Obtain the path or website where the files are uploaded, to check if they are uplodaded to cloud services

• Check if you are required to be authenticated in order to access those fies.

• Check if you can upload, overwrite or delete those files with and without authentication.

Evidence:

​