4.2 Configuration and Deployment Management Testing

Configuration and Deployment Management Testing

4.2.1 Test Network Infrastructure Configuration

Once obtained all the services that composes the application such as MySQL, APIs, different domains, etc. then:

• Review the applications components’ configurations set across the network and validate that they are not vulnerable.

• Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials

• Look for CVEs associated to the versions of each web site component.

Evidence:

​

4.2.2 Test Application Platform Configuration

• Ensure that defaults and known files have been removed. (Black-box)

ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .bak,.config,.old,.txt,.pdf,cgi -of md -o conf_files.md

• Validate that no debugging code or extensions are left in the production environments. (Gray-Box)

• Review the logging mechanisms set in place for the application. (Gray-Box)

Evidence:

​

4.2.3 Test File Extensions Handling for Sensitive Information

• Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.).

ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .asa,.inc,.config,.zip,.tar,.gz,.tgz,.rar,.java,.pdf,.docx,.rtf,.xlsx,.pptx -of md -o conf_files.md

• Validate that no system framework bypasses exist on the rules set.

4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information

Check:

• Look for back up files extensions:

ffuf -w <WORDLIST> -e .bak,.backup,.old,.tmp,.swp,.bkp -of md -o backup_files.md -u https://<DOMAIN>/FUZZ 

• Look for common backup file names

• backup_files_only.txt

• backup_files_with_path.txt

• extensions-compressed.fuzz.txt

ffuf -ac -w /usr/share/wordlists/backup_files_with_path.txt -u https://<DOMAIN>/FUZZ
ffuf -ac -w /usr/share/wordlists/backup_files_only.txt -u https://<DOMAIN>/FUZZ

• Check if directory listing is enabled

Evidence:

​

4.2.5 Enumerate Infrastructure and Application Admin Interfaces

Identify hidden administrator interfaces, functionality, cookies, etc.

List of default web page:

# WebSphere
admin
admin-authz.xml
admin.conf
admin.passwd
admin/
admin/logon.jsp
admin/secure/logon.jsp
administration
# PHP
phpinfo
phpmyadmin/
phpMyAdmin/
mysqladmin/
MySQLadmin
MySQLAdmin
login.php
logon.php
xmlrpc.php
dbadmin
# FrontPage
admin.dll
admin.exe
administrators.pwd
author.dll
author.exe
author.log
authors.pwd
cgi-bin
# WebLogic
AdminCaptureRootCA
AdminClients
AdminConnections
AdminEvents
AdminJDBC
AdminLicense
AdminMain
AdminProps
AdminRealm
AdminThreads
# WordPress
wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php

Evidence:

​

4.2.6 Test HTTP Methods

• Check which if there are methods allowed

curl -sq -X OPTIONS  -I <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i "allow"

• Using burp and /usr/share/wordlists/SecLists/Fuzzing/http-request-methods.txt tests which methods are allowed.

• Perform a CONNECT method.

CONNECT <OASTIFY>:80 HTTP/1.1
Host: <DOMAIN>:443

• Try to perform an PUT request.

echo '<html><body><h1>RTG</h1></body></html>' > /tmp/test.html
curl -sq -D - -X PUT -T /tmp/test.html https://<DOMAIN>/ -H "Content-Type: text/html" | head -n 1
​
curl -sq -D - https://<DOMAIN>/test.html | head -n 1

• Try to DELETE an image

curl -sq -D - -X DELETE <URL_IMAGE> | head -n 1

Evidence:

​

4.2.7 Test HTTP Strict Transport Security

• Check that no requests are made through HTTP.

• Review the HSTS header and its validity. Also, take the screenshoot from burp suite.

• Check if the header attributes includeSubDomains and preload (optional) appear.

curl -sq -D- <URL> | grep -i "Strict-Transport-Security:" --color

Evidence:

​

4.2.8 Test RIA Cross Domain Policy

• Check if the files exists (crossdomain.xml and clientaccesspolicy.xml)

curl -D- -sq https://<URL>/crossdomain.xml -b "<COOKIE>"; echo
curl -D- -sq https://<URL>/clientaccesspolicy.xml -b "<COOKIE>"; echo

• Review and validate the policy files

Evidence:

​

4.2.9 Test File Permission

• Check if there are files with more permissions than necessary. Because it requires access to the server files it only applies to White Box approach.

Evidence:

​

4.2.10 Test for Subdomain Takeover

A subdomain of the company is pointing to a third-party service with a name not registered. If you can create an account in this third party service and register the name being in use, you can perform the subdomain takeover.

• Identify expired or mis-configured domains (subdomains that points to a expired or nonexistent domain) that are used for the main application.

1. Go to Burp's sitemap, select all the domains that has been found using the app, right click "Copy select URLs" and saved them into a file

2. Then perform an HTTP request to all the domains looking for a domain that returns a 404.

cat burp_urls.txt  | awk -F/ '{print $1"//"$3}' | sort -u > domains_url.txt
meg -d 10 -c 200 / domains_url.txt requests
grep -iRl 404 requests/ | awk -F/ '{print $2}' > domains_to_be_checked.txt

1. Check if the domain exists or not (look for the URL on burp), and if it can be registered by a malicious attacker.

Evidence:

​

4.2.11 Test Cloud Storage

• Obtain the path or website where the files are uploaded, to check if they are uplodaded to cloud services

• Check if you are required to be authenticated in order to access those fies.

• Check if you can upload, overwrite or delete those files with and without authentication.

• Test with AWS-CLI

Evidence:

​