3.6 More HOW and WHAT! (still work in progress)

TBD soon! (But those are things you should already know and do during other pentests)

How to test?

For each penetration test, ALWAYS demand at least two user accounts. If different levels of privileges (read-only, write permissions or full admin) exist - at least one user per level.

Login with the provided user credentials
- Have a look at the request (what parameters are transmitted, ...).
  - Tweak around with them (i.e. SQLi against the backend)
  - Is the connection to the backend encrypted (SSL in place)?
  - Do they get stored?
    Where do they get stored?
    How do they get stored? (Clear-text vs. encoding vs. encryption)
    At want point do they get decrypted/-coded?
Switch tokens or other session values with other logged in users
- Are the tokens bound to the session or do they need to be valid only?
- Decode the token and check what kind of sensitive information is stored within
Logout
- Reuse old tokens and test if they are still valid as well

What to report?

No SSL (https) used while authenticating against the backend.
Any request-misuse you were able to identify
Improper session / user-credential storage (stored in clear-text or weakly encrypted)
Improper storage location (i.e. config.txt with credentials will be stored on the SD card)
Token is not bound to user-session
Token contains sensitive information
- In combination with no SSL (https) in place? Even worse.
- Is it necessary to store this kind (SSN, living address, ...) of information in an encoded token
  - Don't laugh - unfortunately this really happens out there
Token is still valid - even after a used logged out
Access activities (revealing sensitive information) without authentication

Access Control

How to test?

Observe the activity-flow
- What activity will start after logging in?
- Can you open this activity even without being logged in?
  - Only worth reporting if you are able to see sensitive information without any authentication
- Can you access this activity without necessary permissions? (i.e. admin interface)
  - Are you even able to perform any admin actions?
Access content of other users
- Images, Videos, Messages, ...

What to report?

Access activities (revealing sensitive information) without authentication
Perform actions without necessary privileges.
- If functionality is bound to the UI and not the user (w/ the needed permissions)

Previous3.5 Log analysis Next4. APK TAMPERING

Last updated 5 years ago

Was this helpful?

User Login & Session Management

How to test?

For each penetration test, ALWAYS demand at least two user accounts. If different levels of privileges (read-only, write permissions or full admin) exist - at least one user per level.

Have a look at the request (what parameters are transmitted, ...).
- Tweak around with them (i.e. SQLi against the backend)
- Is the connection to the backend encrypted (SSL in place)?
- Do they get stored?
  - Where do they get stored?
  - How do they get stored? (Clear-text vs. encoding vs. encryption)
    At want point do they get decrypted/-coded?

Switch tokens or other session values with other logged in users

Are the tokens bound to the session or do they need to be valid only?
Decode the token and check what kind of sensitive information is stored within

Logout

Reuse old tokens and test if they are still valid as well

What to report?

No SSL (https) used while authenticating against the backend.
Any request-misuse you were able to identify
Improper session / user-credential storage (stored in clear-text or weakly encrypted)
Improper storage location (i.e. config.txt with credentials will be stored on the SD card)
Token is not bound to user-session
Token contains sensitive information
- In combination with no SSL (https) in place? Even worse.
- Is it necessary to store this kind (SSN, living address, ...) of information in an encoded token
  - Don't laugh - unfortunately this really happens out there
Token is still valid - even after a used logged out
Access activities (revealing sensitive information) without authentication

Access Control

How to test?

Observe the activity-flow

What activity will start after logging in?
Can you open this activity even without being logged in?
- Only worth reporting if you are able to see sensitive information without any authentication
Can you access this activity without necessary permissions? (i.e. admin interface)
- Are you even able to perform any admin actions?

Access content of other users

Images, Videos, Messages, ...

What to report?

Access activities (revealing sensitive information) without authentication
Perform actions without necessary privileges.
- If functionality is bound to the UI and not the user (w/ the needed permissions)