In November this year, Senior Offensive Security Consultant Ka Wing Ho was invited to give a talk at Hack Sydney 2024 on the topic of open source intelligence (OSINT) as part of web application penetration testing. This blog is a summary of Ka Wing’s talk and is aimed at junior penetration testers or budding bug bounty hunters wanting to upgrade their web skills.
Very often, junior testers encounter a 403/404 error when browsing to an IP or hostname, quickly give up and move on, assuming there is nothing there.
The problem with this approach is that the majority of hackers who do this end up looking at the same attack surface, which has already been picked clean; they get discouraged, move on, and rinse and repeat.
In Ka Wing’s experience, nine times out of ten, there is something more to these apps that you just can’t see. Read on to find out how OSINT can reveal more of the attack surface and the underlying tech stack of web applications as Ka Wing takes us through the two scenarios below.
They Index Everything? We Google Dork Everything
In this first example, we have a small error message returned by an API endpoint.
We perform a simple Google Dork by wrapping it in quotes and receive – one measly search result. (Read more about Google Dorking here)
At first it may seem that we’ve hit a dead end, but by downloading and opening the spreadsheet, we actually get more context and detail.
The string com.qas.proweb.QasException is reminiscent of a Java stack trace, and a package name like this is far more likely to turn up elsewhere on the Internet, in places such as Stack Overflow.
Let’s try dorking for that instead:
Looks like our assumption was correct! Google tells us that we are up against ProWeb by Experian. Let’s have a look at their website:
Although not shown, one of the ProWeb manuals we discovered revealed that a special suffix could be sent in requests to retrieve internal information. We included that suffix and were able to disclose relevant internal information such as a backend physical file path.
We can see now that we’ve managed to escalate an uninteresting error message to a proper information disclosure.
Searching Through Time and Space
The Internet Archive is a treasure trove of information and is especially useful for the collection of data OSINT-style. There are neat tools out there to harvest URLs from archive.org such as waybackurls.
In this example, we are on a web application penetration test, where initial recon steps did not provide much information, even when searching through the Internet Archive.
However, we have performed enough reconnaissance at this point to know that there were other instances out there, and that the application was based on a vendor product called “ePathway”. Dorking for the default landing page URL revealed the following:
From here, we can repeat what we just did for our testing instance, harvest the archived URL endpoints from all these other hosts which have been up for longer, and mirror them across to our testing instance.
We can then see that we’ve passively uncovered endpoints for our target which we can spray as a wordlist, some of which aren’t directly advertised on the frontend. From there, any valid hits result in additional attack surface.
We’ve also gained valuable insight into how directories and files are named which could educate further directory brute-forcing efforts.
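The archive harvesting and cross-host mirroring described in this scenario, as an added example that is not code from the talk or from waybackurls. It parses the Wayback Machine CDX API's default plain-text output for several hosts running the same product, keeps the paths that were archived with a 200 and are not static assets, lists the directory names those paths reveal, and rewrites them onto a single instance. A defender can run the same script to see what archive.org has recorded about their own deployment. The query builder uses the public CDX API's url, collapse and filter parameters; the hosts, paths and CDX lines below are constructed placeholders, not real ePathway deployments.

```python
"""Harvest archived URL paths from Wayback Machine CDX output and project
them onto another instance of the same product. Added example, not code
from the talk; hosts, paths and CDX lines below are constructed."""
from urllib.parse import urlencode, urljoin, urlparse

# Constructed sample in the CDX API's default plain-text layout:
# urlkey timestamp original mimetype statuscode digest length
SAMPLE_CDX = """\
test,example-a)/portal/default.aspx 20190301120000 https://example-a.test/portal/default.aspx text/html 200 AAAA1111 5123
test,example-a)/portal/default.aspx 20200301120000 https://example-a.test/portal/default.aspx text/html 200 AAAA2222 5130
test,example-a)/portal/admin/reports.aspx 20190401120000 https://example-a.test/portal/admin/reports.aspx?year=2019 text/html 200 BBBB1111 8891
test,example-a)/portal/styles/site.css 20190401120000 https://example-a.test/portal/styles/site.css text/css 200 CCCC1111 2048
test,example-b)/portal/default.aspx 20210101120000 https://example-b.test/portal/default.aspx text/html 200 DDDD1111 5200
test,example-b)/portal/export/bulkdownload.aspx 20210101120000 https://example-b.test/portal/export/bulkdownload.aspx text/html 200 EEEE1111 7300
test,example-b)/portal/old/login.aspx 20150101120000 https://example-b.test/portal/old/login.aspx text/html 404 FFFF1111 300
"""

# Extensions that add nothing to an endpoint wordlist.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".svg")


def build_cdx_url(host):
    """Query URL for the CDX API covering every archived URL under host
    (one line per distinct URL, successful captures only)."""
    params = {"url": f"{host}/*", "collapse": "urlkey", "filter": "statuscode:200"}
    return "https://web.archive.org/cdx/search/cdx?" + urlencode(params)


def parse_cdx(text):
    """Split default CDX output into records; skips malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        records.append({"original": fields[2], "mimetype": fields[3], "status": fields[4]})
    return records


def harvest_paths(records, keep_status=("200",)):
    """Unique URL paths in first-seen order, with query strings dropped
    and static assets skipped."""
    seen = {}
    for record in records:
        if record["status"] not in keep_status:
            continue
        path = urlparse(record["original"]).path
        if path.lower().endswith(STATIC_EXT):
            continue
        seen.setdefault(path, None)
    return list(seen)


def directory_prefixes(paths):
    """Every directory prefix seen in the harvested paths: the naming
    conventions that inform later directory brute-forcing."""
    dirs = set()
    for path in paths:
        parts = path.strip("/").split("/")[:-1]
        for depth in range(1, len(parts) + 1):
            dirs.add("/" + "/".join(parts[:depth]) + "/")
    return sorted(dirs)


def mirror_paths(paths, target_base):
    """Rewrite paths harvested from sibling hosts onto the instance under test."""
    return [urljoin(target_base, path) for path in paths]


if __name__ == "__main__":
    paths = harvest_paths(parse_cdx(SAMPLE_CDX))
    print("query for a live run:", build_cdx_url("example-a.test"))
    print("directories seen:", directory_prefixes(paths))
    for url in mirror_paths(paths, "https://my-instance.test"):
        print(url)
```

For a live run, fetch build_cdx_url(host) for each sibling host, concatenate the responses, and feed the text to parse_cdx; the sample above replaces that fetch so the script runs offline.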
Conclusion
This blog touches on just a few OSINT techniques that can hopefully help you in both your client engagements and side ventures, no matter which web application you encounter.
Defenders may consider some of the following countermeasures:
Stay silent: Give the attackers as little fingerprintable information as possible, making them work harder or switch targets out of boredom/frustration
Adversarial noise: Use false information to deliberately confuse attackers and waste their time
Proper configuration: As defence in depth, only expose the infrastructure that is needed and ensure your applications return generic responses where possible
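The "stay silent" and "proper configuration" countermeasures, worked through as an added example that is not code from the talk: a leaky error handler that passes a vendor backend's error text and stack-identifying headers straight through, beside a hardened handler that logs the detail server-side under a correlation reference and returns a generic JSON body. The find_leaks self-check flags the same kinds of fragments that the first scenario turned into a dork (Java-style class names of the com.qas.proweb.QasException shape, stack frames, absolute file paths, Server and X-Powered-By headers), so a team can catch them in their own responses before a search engine indexes them. The backend error text, product name and header values are constructed.

```python
"""Generic error responses plus a self-check for fingerprintable fragments.
Added example, not code from the talk; the backend error text, product
name and header values are constructed."""
import json
import logging
import re
import uuid

log = logging.getLogger("app")

# Fragments that become dorkable once they reach a client: Java-style fully
# qualified class names, stack frames, and absolute file paths.
LEAK_PATTERNS = {
    "java_class": re.compile(r"\b(?:[a-z][a-z0-9_]*\.){2,}[A-Z][A-Za-z0-9_]*\b"),
    "stack_frame": re.compile(r"\bat\s+[\w$.]+\([^)]*\)"),
    "unix_path": re.compile(r"(?<![\w/])/(?:var|usr|opt|home|etc|srv)/[\w./-]+"),
    "windows_path": re.compile(r"\b[A-Za-z]:\\[\w\\.-]+"),
}
# Response headers that identify the stack and defeat "stay silent".
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Constructed stand-in for what a third-party backend might return on failure.
BACKEND_ERROR = (
    "com.example.vendor.LookupException: service unavailable\n"
    "\tat com.example.vendor.Client.lookup(Client.java:88)\n"
    "Config: C:\\inetpub\\vendor\\settings.xml"
)


def find_leaks(body, headers=None):
    """Return (kind, fragment) pairs for anything fingerprintable in a response."""
    hits = []
    for kind, pattern in LEAK_PATTERNS.items():
        hits.extend((kind, match.group(0)) for match in pattern.finditer(body))
    for name, value in (headers or {}).items():
        if name.lower() in FINGERPRINT_HEADERS:
            hits.append(("header", f"{name}: {value}"))
    return hits


def leaky_error_response(backend_error):
    """Before: backend detail and stack-identifying headers pass straight through."""
    headers = {
        "Content-Type": "text/plain",
        "Server": "Apache/2.4.57",          # constructed value
        "X-Powered-By": "VendorProduct/3.1",  # constructed value
    }
    return 500, headers, f"Internal error: {backend_error}"


def hardened_error_response(backend_error):
    """After: detail is logged server-side under a reference the client can quote
    to support, and the client sees only a generic message."""
    reference = uuid.uuid4().hex
    log.error("request %s failed: %s", reference, backend_error)
    headers = {"Content-Type": "application/json"}  # no Server / X-Powered-By
    body = json.dumps({"error": "An internal error occurred.", "reference": reference})
    return 500, headers, body


if __name__ == "__main__":
    for handler in (leaky_error_response, hardened_error_response):
        _, headers, body = handler(backend_error=BACKEND_ERROR)
        print(handler.__name__, "->", find_leaks(body, headers) or "clean")
```

Pointing find_leaks at captured responses from a staging environment (error pages, 404s, API failures) gives a quick regression check that nothing product-identifying has crept back into client-visible output.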
Ka Wing Ho
Senior Offensive Security Consultant, Sekuro
Ka Wing is a Senior Offensive Security Consultant at Sekuro. He is a UNSW alum with a degree in Computer Science majoring in Security. Ka Wing has more than five years’ industry experience in Offensive Security, with a passion for pen testing, bug bounties and Code Reviews.