What I do during a test depends very much on what the client wants testing and what sort of system is involved. As a guide for clients who are considering commissioning a test, my starting point for a general vulnerability assessment is as follows:
- Basic reconnaissance - an analysis of what web pages accept what data values as GET values, POST values and cookies. This provides the basic "attack surface."
- Bad URLs - trying to break the application by asking it for invalid URLs, valid URLs when it's not expecting them, and so on.
- Corrupted data handling - how the application handles the input of values that it wouldn't expect. These sorts of tests typically uncover SQL Injection vulnerabilities.
- Obfuscated data handling - similar to corrupted data, but using clever tricks, escape sequences and scripting to try to sneak invalid characters past the application's input filters.
- Returned user data - how the web application vets and cleans any input data before returning it to the user in the form of error messages and the like. This is primarily looking for Cross Site Scripting vulnerabilities.
- Cookie weaknesses - analysis of how the application uses its cookies and how it reacts when they are missing or corrupted. This step tends to uncover session fixation vulnerabilities and weak or predictable session keys.
- Hidden fields or other plain text tranmissions - I look at the communications between client and server, which reveals just what information is being passed around and what might be liable to evesdropping or interception/modification.
- Filenames in data - I look for anything that appears to be a filename or similar resource anywhere in the communications. These often lead to remote file inclusion, information exposure and directory traversal problems.
The above is a typical, but by no means exhaustive list. I'll run tests and checks on whatever else seems appropriate or is asked for. I can check versions of identifiable library code to ensure they are the most up to date version, I can do default and obvious password checks, brute forcing and so on.