Web application security - the fast guide 1.1 | Page 75

Chapter 4 - Be the attacker

If the application uses rewritten URLs, with parameters embedded in the slash-separated path rather than in a query string, try changing or removing individual values and assess the generated response. For hidden parameters, guessing is the only way; a typical example is checking for a debug parameter that helps developers test pages and bypasses the authentication process.

4.10 Documenting your findings

[Figure 27: Draft diagram illustrating web site structure. Node labels as extracted: login.php, manageAccount.ph, ?action=t&id=12, error.php, terminateAccount., ?action=s&id=12, showAccount.php, ?action=a&id=12, activateAccount.ph]

When mapping and profiling the application you will gather a lot of information, especially if you use multiple tools and approaches. Organizing your results and deciding which are relevant is very important so that you can analyse that information later on. Matrices and charts can be very helpful. Creating a table in a spreadsheet is a good way to begin:

Page name     Path    Use SSL?  Static or Dynamic  Need Auth.?  Used method  Comments
aboutUs.html  /about  No        S                  No           Get
Login.php     /login  Yes       D                  Yes          Post

Diagrams that represent the web site are also essential for understanding its different functionalities. It is preferable to give static and dynamic pages different colours, where static pages are those that do not involve any server-side executable content, such as files with an .html extension. The diagram should show the structure of the web site together with the parameters passed to each page.

Other information that should be documented in addition to the page information: the directory structure, common file extensions, any plugin-based content such as Flash or Silverlight or Java virtual machine content such as applets, and common cookies, query strings and parameters.
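As an added example (not part of the guide), the following Python script builds the findings table and the "other information" summary described above from a list of observed requests, in the shape a tester would export from an intercepting proxy's history. The request records, the host name, the cookie names and the extension sets used to classify static and plugin content are all constructed assumptions for the example.

```python
"""Build the findings spreadsheet of section 4.10 from observed requests.

Added example; the input records below are constructed, not taken from a real site.
"""
import csv
import io
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample of requests observed while mapping the application:
# (method, url, cookie names seen in the exchange, page needed a valid session?)
# The last field records the tester's own check (e.g. replaying the request
# without the session cookie was redirected to the login page).
OBSERVED = [
    ("GET",  "http://www.example.test/about/aboutUs.html", [], False),
    ("GET",  "https://www.example.test/login/Login.php", ["PHPSESSID"], False),
    ("POST", "https://www.example.test/login/Login.php", ["PHPSESSID"], False),
    ("GET",  "https://www.example.test/account/showAccount.php?action=a&id=12", ["PHPSESSID"], True),
    ("GET",  "https://www.example.test/account/manageAccount.php?action=t&id=12", ["PHPSESSID", "pref"], True),
    ("GET",  "https://www.example.test/static/logo.png", [], False),
    ("GET",  "https://www.example.test/media/intro.swf", [], False),
]

# Static pages involve no server-side execution; this extension set is an assumption.
STATIC_EXTENSIONS = {"html", "htm", "css", "js", "png", "jpg", "gif", "svg", "ico", "txt"}
# Plugin-based content worth flagging separately, as the text recommends.
PLUGIN_EXTENSIONS = {"swf": "Flash", "xap": "Silverlight", "jar": "Java applet", "class": "Java applet"}


def extension_of(path):
    """Lower-cased file extension of the last path segment, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(path):
    """'S' for static content, 'D' for anything that may execute on the server."""
    return "S" if extension_of(path) in STATIC_EXTENSIONS else "D"


def build_rows(observed):
    """One row per page (path), merging the methods and query parameters seen for it."""
    rows = {}
    for method, url, _cookies, needs_auth in observed:
        parts = urlsplit(url)
        row = rows.setdefault(parts.path, {
            "page": parts.path.rsplit("/", 1)[-1] or "(directory index)",
            "path": parts.path,
            "ssl": "Yes" if parts.scheme == "https" else "No",
            "kind": classify(parts.path),
            "auth": "No",
            "methods": set(),
            "params": set(),
        })
        row["methods"].add(method.upper())
        row["params"].update(parse_qs(parts.query, keep_blank_values=True))
        if needs_auth:
            row["auth"] = "Yes"
    return sorted(rows.values(), key=lambda r: r["path"])


def summarize(observed):
    """The 'other information' from the text: directories, extensions, plugin content, cookies, parameters."""
    dirs, exts, plugins, cookies, params = set(), Counter(), set(), Counter(), Counter()
    for _method, url, cookie_names, _needs_auth in observed:
        parts = urlsplit(url)
        dirs.add(parts.path.rsplit("/", 1)[0] or "/")
        ext = extension_of(parts.path)
        if ext:
            exts[ext] += 1
        if ext in PLUGIN_EXTENSIONS:
            plugins.add((parts.path, PLUGIN_EXTENSIONS[ext]))
        cookies.update(cookie_names)
        params.update(parse_qs(parts.query, keep_blank_values=True).keys())
    return {
        "directories": sorted(dirs),
        "extensions": dict(exts),
        "plugin_content": sorted(plugins),
        "cookies": dict(cookies),
        "query_parameters": dict(params),
    }


def to_csv(rows):
    """Render the rows as the spreadsheet from the text (Comments column left for the tester)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Page name", "Path", "Use SSL?", "Static or Dynamic",
                     "Need Auth.?", "Used method", "Parameters", "Comments"])
    for r in rows:
        writer.writerow([r["page"], r["path"], r["ssl"], r["kind"], r["auth"],
                         "/".join(sorted(r["methods"])), ",".join(sorted(r["params"])), ""])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_rows(OBSERVED)))
    for key, value in summarize(OBSERVED).items():
        print(f"{key}: {value}")
```

The CSV opens directly in a spreadsheet, so the tester can colour static and dynamic rows and fill in the Comments column by hand; the summary dictionary covers the directory, extension, plugin, cookie and parameter inventory the text asks for.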