Mapping the Application (Server & Application mapping tools)

We will introduce you now with server and application mapping tools. I will try to make it all clear for you, and I know that you will understand this process after you get some knowledge about the mapping. At the first sight, and when you read the title, it may sound like it’s something confusing and hard, but don’t worry, we’ll take you through the whole process. So, let’s see.

Gathering and examining some key information is the first step of the process while attacking the app. That gives the better information of what you’re up against actually. Let’s see how mapping exercise works. It begins by enumerating the app’s content and its functionality, and all in order to understand what that app actually does and how it really behaves. It is easy to identify, yet sometimes it may stay hidden and requiring some guess work to discover it. Then you have the catalog of the app’s functionality which has been assembled. Now, we’re coming to examining every aspect of its behavior, such as core mechanisms for example.

It enables to identify the key attack surface. That’s how you’re probing to find exploitable vulnerabilities. We will go through practical steps of application’s mapping now. Learning this is very important for your safety, just like you’ve learned about the cyber security tips.

Enumerating Content and Functionality

It is well known that in the typical app most of the content and the functionality can be easily identified by manual browsing. But all in all, when it comes to performing the rigorous inspection of the enumerated content, you will need to use more advanced techniques than just the simple browsing. There we’re coming to Web Spidering. Those are the tools which work by requesting a web page and then requesting the links to the other content. They do it to discover the content fully. It’s done by parsing HTML forms and then submitting them back to the app’s which is using various preset or random numbers. Web Spidering can be also used to parse client-side JavaScript to extract URL’s point for further content. That all sounds great and very useful, but we need to warn you about one thing. There are some applications which parser or links can be extremely dangerous. It may contain the malicious content which can harm the user and its safety. For your best, it is important to learn to recognize the malicious things when you come to them. You can learn it all by following the internet security tips.

That is why there is user-spidering which is more sophisticated and a controlled technique for the same purpose. Here the user controls all the data that are submitted to the application and it that way he ensures that the data validation requirements were met. It is safer option to use while mapping.

Discovering Hidden Content

Anonymous users, authenticated users, the administrators? When the users at one privilege level perform exhaustive spidering, then the app may miss the functionality that is visible to the users of the other levels. For example, it may be something that was used for some kind of testing. Also, there are numerous cases in which the interesting content and the functionality may exist, and sometimes not be identified because of the reason we said at the first place. Backup archives, some old versions of files, source files and even the comments in the source code.

Application Pages Versus Functional Paths

The individual functions are most of the times accessed through a unique URL, which is the most cases the name of the server-side script implements its functions. The parameters don’t tell the app what function to perform, they just tell what is the information to use while performing it. Apps that use REST-stye URLs come to parts where the URL files contain strings that in fact function as parameter values. So, by mapping the URLs, the spider maps, and the app’s functions with the list of known parameter values to those functions. The parameters provide the information to use in performing the function. By identifying the possible attacks against the application, you can better understand the expectations and the assumptions of the app’s developers when you implement the functions. You don’t want the unexpected behaviors within the app, right?

Discovering hidden parameters is a variation of situation where the app uses request parameters for specifying which function should be performed. It arises where the other parameters are used for controlling the app’s logic in a significant way.

Analyzing the Application

The mapping process is full of different parts. Enumerating  the app’s content is only one element of it. It’s not more important than the task of analyzing the app’s functionality, technologies which are employed and the behaviors for identifying the key attack surfaces. It all functions together to target the vulnerabilities that might appear.

Identifying Server-Side Technologies

It is well known that many web servers disclose the fine-grained version information. It happens both with the web server software itself and to any other components that have been installed. Let’s take a look at the HTTP fingerprinting. Any item of the information which is returned by the server may be customized and deliberately falsified with no exceptions. The numerous app servers software allow the administrator to configure the banner which is returned in the server HTTP header. So, it is usual for the attacker to use the other aspects of the web server behaviors with the intention to determinate the software in use. At least, it can be narrowed down having no complete range of possibilities.

Now it is clear that a web server can be fingerprinted in various and numerous ways which are subtle, different than through its server banner. Let’s take a look at some file extensions which are used within the URLs to disclose the platform or programming language implementing the relevant functionality. Those are asp, aspx, jps, cfm, php, d2w, pl, py, dll, nsf and ntf.

It is often possible to verify whether the technology is actually supporting the extensions that are implemented on the server. Detecting the presence of the each file extension mapping by the different error messages is possible. The error messages are generated when that file extension is requested.

Identifying Server Side Functionality

Inferring a great deal about server-side functionality and structure is possible via observing the clues that the app discloses to the client. It is true that it’s often necessary to consider the whole URL and app context to guess the function of different parts of that request. So, what would be the first consideration then? It would be to change the action from view to a possible alternative, which may be edit or add.

Mapping the Attack Surface

This is the final stage of the mapping process. It identifies the various attack surfaces which are exposed to the app and the potential vulnerabilities which are commonly associated with one another. There are key types of functionality and behaviors that you may identify, and of course the types of the vulnerabilities that are commonly found within each one. These are client-side validation, database interaction, display of user supply data, social networking features, error messages and much more.

Hope you’ve learned a bit, and we are sure you do!