# 4.2 Configuration and Deployment Management Testing

## [Configuration and Deployment Management Testing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README)

## 4.2.1 [Test Network Infrastructure Configuration](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration)

Once all the services that compose the application (MySQL, APIs, the different domains, etc.) have been enumerated:

* [ ] Review the configuration of each application component deployed across the network and validate that it is not vulnerable.
* [ ] Validate that the frameworks and systems in use are secure and not susceptible to known vulnerabilities caused by unmaintained software, default settings or default credentials.
* [ ] Look for **CVE**s associated with the version of each web site component.

**Evidence**:

```

```

## 4.2.2 [Test Application Platform Configuration](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration)

* [ ] Ensure that default and well-known files have been removed. (Black-box)

```bash
ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .bak,.config,.old,.txt,.pdf,.cgi -of md -o conf_files.md
```

* [ ] Validate that no debugging code or extensions are left in the production environments. (Gray-Box)
* [ ] Review the logging mechanisms set in place for the application. (Gray-Box)

**Evidence**:

```

```

## 4.2.3 [Test File Extensions Handling for Sensitive Information](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information)

* [ ] Dirbust for sensitive file extensions, or extensions that might expose raw data (*e.g.* scripts, data dumps, credentials, etc.).

```bash
ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .asa,.inc,.config,.zip,.tar,.gz,.tgz,.rar,.java,.pdf,.docx,.rtf,.xlsx,.pptx -of md -o conf_files.md
```

* [ ] Validate that the server or framework rules protecting sensitive extensions cannot be bypassed (for example with an alternative extension or a different case).

## 4.2.4 [Review Old Backup and Unreferenced Files for Sensitive Information](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information)

**Check**:

* [ ] Look for backup file extensions:

```bash
ffuf -w <WORDLIST> -e .bak,.backup,.old,.tmp,.swp,.bkp -of md -o backup_files.md -u https://<DOMAIN>/FUZZ 
```

* [ ] Look for common backup file names using these wordlists:
  * [ ] [backup\_files\_only.txt](https://github.com/xajkep/wordlists/blob/master/discovery/backup_files_only.txt)
  * [ ] [backup\_files\_with\_path.txt](https://github.com/xajkep/wordlists/blob/master/discovery/backup_files_with_path.txt)
  * [ ] [extensions-compressed.fuzz.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/extensions-compressed.fuzz.txt)

```bash
ffuf -ac -w /usr/share/wordlists/backup_files_with_path.txt -u https://<DOMAIN>/FUZZ
ffuf -ac -w /usr/share/wordlists/backup_files_only.txt -u https://<DOMAIN>/FUZZ
```

* [ ] Check if directory listing is enabled
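The same extensions that 4.2.3 and 4.2.4 fuzz for from the outside can be caught before deployment by scanning the release tree. The following Python script is an added example (it is not part of the original checklist or of any project it references): it walks a web root and reports files whose names carry a backup, archive or source extension, checking every trailing extension so that `dump.sql.gz` and `index.php.bak` are both flagged. The directory tree it builds is constructed sample data; the `RISKY_SUFFIXES` set is an assumption taken from the `-e` lists above and can be extended.

```python
"""Pre-deployment scan for leftover backup, archive and source files in a web root."""
import os
import tempfile
from pathlib import Path

# Extensions this checklist fuzzes for (4.2.3 and 4.2.4). A file with any of
# these in a web root should be reviewed before the deployment goes live.
RISKY_SUFFIXES = {
    ".bak", ".backup", ".old", ".tmp", ".swp", ".bkp",   # backup copies, editor swap files
    ".zip", ".tar", ".gz", ".tgz", ".rar",               # archives
    ".asa", ".inc", ".config", ".java", ".sql",          # source, config and data dumps
}


def risky_suffixes(name: str) -> set:
    """Return the risky suffixes found in a file name.

    Path.suffixes yields every trailing extension ('dump.sql.gz' -> ['.sql', '.gz'])
    and drops a leading dot, so '.schema.sql.swp' is handled as well.
    """
    return {s.lower() for s in Path(name).suffixes if s.lower() in RISKY_SUFFIXES}


def scan_webroot(root) -> list:
    """Walk a directory tree and return the sorted relative paths of files
    whose name carries at least one risky suffix (hidden files included)."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if risky_suffixes(name):
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_webroot() -> Path:
    """Constructed sample deployment tree (not a real site) used for the demo."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = [
        "index.php", "css/site.css", "images/logo.png", "uploads/.htaccess",  # expected
        "index.php.bak", "config/db.config",                                  # leftovers
        "backups/site-2024.tar.gz", "api/.schema.sql.swp",                    # leftovers
    ]
    for rel in files:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for hit in scan_webroot(sample_root):
        print("REVIEW:", hit)
```

Run it against the real release directory instead of the sample tree (`scan_webroot("/var/www/html")`) as a CI step; any hit is either removed from the tree or explicitly blocked by the web server configuration before the deployment ships.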

**Evidence**:

```

```

## 4.2.5 [Enumerate Infrastructure and Application Admin Interfaces](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces)

Identify hidden administrator interfaces, functionality, cookies, etc.

List of default admin paths:

```
# WebSphere
admin
admin-authz.xml
admin.conf
admin.passwd
admin/
admin/logon.jsp
admin/secure/logon.jsp
administration
# PHP
phpinfo
phpmyadmin/
phpMyAdmin/
mysqladmin/
MySQLadmin
MySQLAdmin
login.php
logon.php
xmlrpc.php
dbadmin
# FrontPage
admin.dll
admin.exe
administrators.pwd
author.dll
author.exe
author.log
authors.pwd
cgi-bin
# WebLogic
AdminCaptureRootCA
AdminClients
AdminConnections
AdminEvents
AdminJDBC
AdminLicense
AdminMain
AdminProps
AdminRealm
AdminThreads
# WordPress
wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php
```

**Evidence**:

```

```

## 4.2.6 [Test HTTP Methods](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods)

* [ ] Check which HTTP methods are allowed.

```bash
curl -sq -X OPTIONS -I <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i "allow"
```

* [ ] Using Burp and `/usr/share/wordlists/SecLists/Fuzzing/http-request-methods.txt`, test which methods are allowed.
* [ ] Send a `CONNECT` request.

```http
CONNECT <OASTIFY>:80 HTTP/1.1
Host: <DOMAIN>:443
```

* [ ] Try to perform a PUT request, then check whether the uploaded file is served back.

```bash
echo '<html><body><h1>RTG</h1></body></html>' > /tmp/test.html
curl -sq -D - -X PUT -T /tmp/test.html https://<DOMAIN>/ -H "Content-Type: text/html" | head -n 1

curl -sq -D - https://<DOMAIN>/test.html | head -n 1
```

* [ ] Try to DELETE an image

```bash
curl -sq -D - -X DELETE <URL_IMAGE> | head -n 1
```
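The `OPTIONS` output above is easier to judge against an explicit expectation than by eye. The following Python script is an added example (not part of the original checklist): it parses a captured response, extracts the `Allow` header and reports every advertised method that is not in the allowlist the endpoint is expected to support, marking the ones that usually need an explicit justification (`PUT`, `DELETE`, `TRACE`, `TRACK`, `CONNECT`). The two responses embedded in it are constructed samples, not captures from any real host.

```python
"""Review the HTTP methods a server advertises in response to OPTIONS (4.2.6)."""

# Methods that rarely belong on a web application endpoint and need an
# explicit justification when the server advertises them.
UNSAFE_METHODS = {"PUT", "DELETE", "TRACE", "TRACK", "CONNECT"}


def parse_headers(raw_response: str) -> dict:
    """Return the headers of a raw HTTP response as a dict keyed by the
    lower-cased header name. Repeated headers are joined with ', '."""
    headers = {}
    lines = raw_response.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # an empty line terminates the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def allowed_methods(raw_response: str) -> set:
    """Methods listed in the Allow header, upper-cased; empty if the header is absent."""
    allow = parse_headers(raw_response).get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def review_methods(raw_response: str, expected: list) -> dict:
    """Compare the advertised methods with those the endpoint should support.
    'unsafe' lists the unexpected methods that are also in UNSAFE_METHODS."""
    advertised = allowed_methods(raw_response)
    unexpected = sorted(advertised - {m.upper() for m in expected})
    unsafe = [m for m in unexpected if m in UNSAFE_METHODS]
    return {
        "advertised": sorted(advertised),
        "unexpected": unexpected,
        "unsafe": unsafe,
        "pass": not unexpected,
    }


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 204 No Content\r\n"
    "Allow: GET,HEAD,OPTIONS\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, review_methods(raw, ["GET", "HEAD", "POST", "OPTIONS"]))
```

An `Allow` header is only what the server claims; a missing or empty header is not a pass, which is why the checklist also exercises `PUT`, `DELETE` and `CONNECT` directly. Treat the script's output as the list of methods to confirm or disable in the server configuration.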

**Evidence**:

```

```

## 4.2.7 [Test HTTP Strict Transport Security](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security)

* [ ] Check that no requests are made over plain HTTP.
* [ ] Review the HSTS header and its validity. Also, take the screenshot from Burp Suite.
* [ ] Check whether the header attributes `includeSubDomains` and `preload` (optional) appear.

```bash
curl -sq -D- <URL> | grep -i "Strict-Transport-Security:" --color
```
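To judge the header printed by the command above, the value has to be parsed rather than just spotted. The following Python script is an added example (not part of the original checklist): it splits a `Strict-Transport-Security` value into its directives, checks `max-age` (missing, zero, or shorter than a year), `includeSubDomains`, and, when `preload` is present, whether the preload-list requirements are met. The one-year threshold is the minimum the HSTS preload list accepts; the header values in the test are constructed samples.

```python
"""Validate a Strict-Transport-Security header value (4.2.7)."""

ONE_YEAR = 31536000  # seconds: the minimum max-age the HSTS preload list accepts


def value_from_header_line(line: str) -> str:
    """Strip the header name from a line such as the one grep prints above."""
    _name, _, value = line.partition(":")
    return value.strip()


def parse_hsts(value: str) -> dict:
    """Split a header value into directives. Names are case-insensitive
    (RFC 6797) and are lower-cased; directives without '=' map to ''."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(header_value):
    """Return (ok, findings). Pass None to model a response without the header."""
    if header_value is None:
        return False, ["Strict-Transport-Security header is missing"]
    findings = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    age = int(max_age) if max_age is not None and max_age.isdigit() else None
    if age is None:
        findings.append("max-age is missing or not an integer; browsers ignore the header")
    elif age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif age < ONE_YEAR:
        findings.append(f"max-age={age} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains is not set; subdomains stay reachable over plain HTTP")
    if "preload" in d and (age is None or age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload is set but the preload-list requirements "
                        "(max-age >= 1 year plus includeSubDomains) are not met")
    return not findings, findings


if __name__ == "__main__":
    # Constructed sample lines, as the curl | grep step above would print them.
    for line in ("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
                 "Strict-Transport-Security: max-age=300",
                 "Strict-Transport-Security: max-age=86400; includeSubDomains; preload"):
        print(line, "->", check_hsts(value_from_header_line(line)))
```

Two caveats the script cannot see: the header is only honoured on an HTTPS response, so record on which scheme it was captured, and `includeSubDomains` is correct only if every subdomain actually serves HTTPS, which is why the check is paired with the subdomain inventory elsewhere in this checklist.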

**Evidence**:

```

```

## 4.2.8 [Test RIA Cross Domain Policy](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/08-Test_RIA_Cross_Domain_Policy)

* [ ] Check whether the files exist (`crossdomain.xml` and `clientaccesspolicy.xml`).

```bash
curl -D- -sq https://<DOMAIN>/crossdomain.xml -b "<COOKIE>"; echo
curl -D- -sq https://<DOMAIN>/clientaccesspolicy.xml -b "<COOKIE>"; echo
```

* [ ] Review and validate the policy files
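Reviewing the two policy files means looking for the entries that widen the trust boundary: a wildcard `domain`, `secure="false"` (which lets HTTP origins reach HTTPS content), a wildcard `allow-http-request-headers-from`, and `site-control permitted-cross-domain-policies="all"`. The following Python script is an added example (not part of the original checklist): it parses both file formats with the standard library and returns the risky entries as findings. The three policy documents embedded in it are constructed samples, not files retrieved from any real site.

```python
"""Flag over-permissive entries in crossdomain.xml and clientaccesspolicy.xml (4.2.8)."""
import xml.etree.ElementTree as ET


def review_crossdomain(xml_text: str) -> list:
    """Findings for an Adobe Flash crossdomain.xml policy."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may read responses')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain is trusted')
        # The attribute defaults to "true"; only an explicit "false" is a problem.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: HTTP origins may access HTTPS content')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin may send custom headers')
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append('site-control permitted-cross-domain-policies="all": policy files anywhere on the site are honoured')
    return findings


def review_clientaccesspolicy(xml_text: str) -> list:
    """Findings for a Microsoft Silverlight clientaccesspolicy.xml policy."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    for el in root.iter("domain"):
        uri = el.get("uri", "")
        if uri == "*" or uri.startswith("http://*"):
            findings.append(f'domain uri="{uri}": any origin is granted access')
    for el in root.iter("allow-from"):
        if el.get("http-request-headers") == "*":
            findings.append('allow-from http-request-headers="*": any origin may send custom headers')
    return findings


# Constructed sample policies (not retrieved from any real site).
PERMISSIVE_CROSSDOMAIN = """
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""
STRICT_CROSSDOMAIN = """
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>
"""
PERMISSIVE_CLIENTACCESSPOLICY = """
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

if __name__ == "__main__":
    for name, text in (("permissive crossdomain.xml", PERMISSIVE_CROSSDOMAIN),
                       ("strict crossdomain.xml", STRICT_CROSSDOMAIN)):
        print(name, review_crossdomain(text) or "no findings")
    print("clientaccesspolicy.xml", review_clientaccesspolicy(PERMISSIVE_CLIENTACCESSPOLICY))
```

Both files are fetched from the target, so they are untrusted input: the standard-library parser does not fetch the external DTD, but for bulk review of third-party sites use `defusedxml` to rule out entity-expansion tricks. If the application no longer ships Flash or Silverlight content, the right fix is to remove the files entirely rather than tighten them.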

**Evidence**:

```

```

## 4.2.9 [Test File Permission](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission)

* [ ] Check whether there are files with more permissions than necessary. Because this requires access to the server's files, it only applies to a white-box approach.
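With shell access to the server, the check is a walk over the web root looking at each file's mode bits. The following Python script is an added example (not part of the original checklist): it reports files that are world-writable, carry the setuid or setgid bit, or are sensitive files (by extension) readable by everyone. The list of sensitive extensions is an assumption for the demo, and the directory tree it builds with `chmod` is constructed sample data rather than a real deployment.

```python
"""White-box file permission audit of a web root (4.2.9)."""
import os
import stat
import tempfile
from pathlib import Path

# Files that must never be readable by "other"; extend to match the stack.
SENSITIVE_SUFFIXES = (".config", ".env", ".key", ".pem", ".sql")


def file_permission_findings(path: str, sensitive_suffixes=SENSITIVE_SUFFIXES) -> list:
    """Return the permission problems found on one file (empty list if none)."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    name = Path(path).name.lower()
    if name.endswith(sensitive_suffixes) and mode & stat.S_IROTH:
        findings.append("world-readable sensitive file")
    return findings


def audit_tree(root: str) -> dict:
    """Map each offending file (relative path) to its list of findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = file_permission_findings(full)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def build_sample_tree() -> str:
    """Constructed sample web root with deliberately mixed permissions."""
    root = tempfile.mkdtemp(prefix="permcheck_")
    samples = {
        "index.php": 0o644,          # fine: readable, writable only by owner
        "uploads/avatar.png": 0o666, # bad: anyone on the host can overwrite it
        "app/config.env": 0o644,     # bad: secrets readable by every local user
        "app/secret.key": 0o600,     # fine: owner only
        "bin/helper": 0o4755,        # bad: setuid binary inside the web root
    }
    for rel, mode in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(audit_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(findings)}")
```

Ownership matters as much as mode bits: files the web server process can write to (because it owns them or shares their group) are an equivalent problem that the report above does not cover, so compare `st_uid`/`st_gid` with the service account as a second pass.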

**Evidence**:

```

```

## 4.2.10 [Test for Subdomain Takeover](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover)

A subdomain of the company is pointing to a **third-party service** where the **name is no longer registered**. If you can **create** an **account** in this **third-party service** and **register** the **name** still in use, you can perform the subdomain takeover.

* [ ] Identify expired or misconfigured domains (subdomains that point to an expired or nonexistent domain) that are used by the main application.

1. Go to Burp's site map, select all the domains that have been found while using the app, right-click "Copy selected URLs" and save them into a file.
2. Then send an HTTP request to every domain, looking for the ones that return a 404.

```bash
cat burp_urls.txt  | awk -F/ '{print $1"//"$3}' | sort -u > domains_url.txt
meg -d 10 -c 200 / domains_url.txt requests
grep -iRl 404 requests/ | awk -F/ '{print $2}' > domains_to_be_checked.txt
```

3. Check whether the domain exists or not (look for the URL in Burp), and whether it could be registered by an attacker.
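The three steps above, as a single Python script that is an added example (not part of the original checklist): step 1's URL list is reduced to unique origins exactly as the `awk -F/ '{print $1"//"$3}' | sort -u` pipeline does, step 2's 404 responses select the candidates, and step 3 is approximated by checking whether each candidate's CNAME target lies outside the zones the organisation controls, which is the case that needs a manual "can this name still be registered" review. The URL list, status codes and CNAME records are constructed sample data (the `meg` output and DNS lookups are not performed here), and `owned_suffixes` is an assumption the reader supplies.

```python
"""Dangling-subdomain review from a Burp URL export (4.2.10)."""
from urllib.parse import urlsplit


def origins_from_urls(urls) -> list:
    """Reduce URLs to unique scheme://host[:port] origins, mirroring
    `awk -F/ '{print $1"//"$3}' | sort -u` on the exported file."""
    origins = set()
    for url in urls:
        parts = urlsplit(url.strip())
        if parts.scheme and parts.netloc:
            origins.add(f"{parts.scheme}://{parts.netloc}")
    return sorted(origins)


def takeover_candidates(origins, statuses, cnames, owned_suffixes) -> list:
    """Select origins that answered 404 and describe where their host resolves.

    statuses: host -> HTTP status code observed for "/"
    cnames:   host -> CNAME target, or None when the name is an A/AAAA record
    owned_suffixes: zones the organisation controls; a CNAME outside them is
                    the dangling-record case that needs manual review.
    """
    candidates = []
    for origin in origins:
        host = urlsplit(origin).hostname
        if statuses.get(host) != 404:
            continue
        target = cnames.get(host)
        external = bool(target) and not any(target.endswith(s) for s in owned_suffixes)
        candidates.append({"host": host, "cname": target, "external_cname": external})
    return candidates


# Constructed sample data (not a real site map, real DNS or real responses).
BURP_URLS = [
    "https://www.example.com/",
    "https://www.example.com/login",
    "https://old-blog.example.com/feed",
    "http://cdn.example.com:8080/app.js",
    "https://api.example.com/v1/users",
]
STATUSES = {"www.example.com": 200, "api.example.com": 200,
            "old-blog.example.com": 404, "cdn.example.com": 404}
CNAMES = {"old-blog.example.com": "example-blog.hosting-provider.example",  # third party
          "cdn.example.com": "cdn-origin.example.com",                      # own zone
          "www.example.com": None, "api.example.com": None}
OWNED = ("example.com",)

if __name__ == "__main__":
    for c in takeover_candidates(origins_from_urls(BURP_URLS), STATUSES, CNAMES, OWNED):
        verdict = "review: third-party CNAME" if c["external_cname"] else "own infrastructure"
        print(f"{c['host']} -> {c['cname']}: {verdict}")
```

The fix on the defending side is the same in every case: delete the DNS record as soon as the third-party resource is decommissioned, and keep the DNS zone in the asset inventory so that a 404 on a company name is noticed before anyone else does.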

**Evidence**:

```

```

## 4.2.11 [Test Cloud Storage](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage)

* [ ] Obtain the path or website where the files are uploaded, to check whether they are uploaded to cloud services.
* [ ] Check whether you are required to be authenticated in order to access those files.
* [ ] Check if you can upload, overwrite or delete those files with and without authentication.
* [ ] [Test with AWS-CLI](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage)

**Evidence**:

```

```
