Web app security testing with browsers
Use cases
The Matrix
Open Dev Tools
Switching User Agents
Google Chrome
Mozilla Firefox
Edge/IE
Edit and Replay Requests
Mozilla Firefox
Editing Cookies
Google Chrome
Mozilla Firefox
Edge/IE
Editing Local Storage
Google Chrome
Mozilla Firefox
Edge/IE
Disable Javascript
Google Chrome
Mozilla Firefox
View Headers
Google Chrome
Mozilla Firefox
Edge/IE
Capture Screen-shots
Google Chrome
Mozilla Firefox
Edge/IE
Offline mode
Google Chrome
Mozilla Firefox
Encode and Decode
Disable CSS
Introduction
Can you perform web application security testing just using a browser? Think of a scenario where you have to do security testing from a very limited environment where you have no access to run scripts or tools and all you have is a browser. This guide looks at web application security testing from such a locked down scenario. The goal is to cover as many security test cases as possible from a browser. Even though it’s not possible to perform all web application related security test cases from browsers, some good coverage can be guaranteed with the help of the same. A browser alone cannot replace conventional web application security testing methodologies which involve proxies and scanners. Relying completely on security tests that can be done from a browser is never recommended.
One of the other potential use cases for this guide would be while preparing security testing reports. The most important section in any vulnerability finding write-up is ‘reproduction steps’. Most security professionals make use of tools like Burp Suite or ZAP extensively for this step. However, the major audience (including developers) of the security testing won’t be having enough knowledge about setting up the proxy and similar tools – making the vulnerability reproduction tough on their end. As a matter of fact, you might have been in post pen-testing meetings where stakeholders asked you to reduce the likelihood of some vulnerabilities just because exploiting them requires setting up a proxy. After going through this guide, you will be able to re-write most of those write-ups with simple steps that just involves browser – which almost everyone on the target audience of the testing report has access to.
It is to be noted that this research only focuses on what all web application security related tests that can be done just by using native features of the browser. This does not cover what these browsers can do with the help of extensions. Almost all major browsers support installing extensions these days and there are lot more powerful things that can be done with the help of them, which won’t be covered in this paper.
Majority of the article focuses on 'developer tools' provided by the browsers. Even though these tools are aimed at making web development process easy, we would be able to help them in covering test cases as well.
Potential use cases for this guide
- If you are on day one of a week-long web application penetration testing project, and the support team is still trying to figure out how can they give you a non-locked-up workstation, you can rely on this document to understand the application better.
- If you want to make your pentest reports more friendly to the audience.
- If you want to train users or developers of basic web application related security issues
- For conducting internal company-wide CTFs. You can make CTFs that can be solved just by using the browser and that can help you bring more people onto the wagon since almost everyone must be having access to a browser these days.
- Just by putting this guide and comparison table out there, we are telling browsers that we appreciate these features offered by them and we expect more.
This guide cannot be used as:
- A complete web application penetration testing guide.
- A complete web application penetration testing check-list.
Opening Dev Tools
This can be done in different ways:- By pressing F12.
- By pressing Ctrl + Shift + I on Windows.
- By pressing Cmd + Option + Ion Mac.
- By right clicking on the web page and then selecting Inspect on Google Chrome.
- By clicking on the kabob menu and then navigating to More Tools and then Developer Tools on Google Chrome.
- By right clicking on the web page and then selecting Inspect Element on Mozilla Firefox.
- By clicking on the hamburger menu and then navigating to Web Developer and then Toggle Tools on Mozilla Firefox.
- By clicking on the gear icon and then navigating to F12 Developer Tools on Edge/IE.
- By going to Safari > Preferences > Advanced > Then tick the Show Develop menu in menu bar checkbox. Then press Cmd + Option + Ion Safari
- By going to Safari > Preferences > Advanced > Then tick the Show Develop menu in menu bar checkbox. Then go to Develop > Show Web Inspector on Safari.
Support Matrix
| Function | Google Chrome | Mozilla Firefox | Edge/IE | Safari |
|---|---|---|---|---|
| Switching User Agents | ✔ | ✔ | ✔ | ✔ |
| Edit and Replay Requests | ✖ | ✔ | ✖ | ✖ |
| Editing Cookies | ✔ | ✔ | ✔ | ✖ |
| Editing Local Storage | ✔ | ✔ | ✔ | ✖ |
| Disable CSS | ✔ | ✔ | ✔ | ✔ |
| Disable Javascript | ✔ | ✔ | ✖ | ✔ |
| View Headers | ✔ | ✔ | ✔ | ✔ |
| Native screen-shot capture | ✔ | ✔ | ✔ | ✖ |
| Offline mode | ✔ | ✔ | ✖ | ✖ |
| Encode and Decode | ✔ | ✔ | ✔ | ✔ |
Switching User Agents
Google Chrome: Switching User Agents
- Open browser's Developer Tools.
- Click the menu button to the right of the Console tab at the bottom of the Developer Tools pane and select Network Conditions
- Uncheck the “Select automatically” radio button.
- Select the user agent from dropdown or enter a custom user agent
Mozilla Firefox: Switching User Agents
- Navigate to Firefox’s about:config page and click on I accept the risk!
- Type useragent into the search field.
- Look for general.useragent.override, if you can't see this preference, right-click on the about:config page > New > String
- Name the preference general.useragent.override
- Right click on the general.useragent.override preference and select Reset to switch back to the default user agent.
Edge/IE: Switching User Agents
- Open browser's Developer Tools.
- Click on Emulation tab
- Select user agents from drop down menu
Edit and Replay Requests
Mozilla Firefox: Edit and Replay Requests
- Open browser's Developer Tools.
- Click on Network tab
- Perform any action on the web application
- Right click on the HTTP request from the list and select Edit and Resend
- Make desired modifications and click on Send button
- Right click on the modified request and click on Open in New Tab
Editing Local Storage
Mozilla Firefox: Editing Local Storage
- Open browser's Developer Tools.
- Click on Storage tab
- Navigate to Local Storage and then select the application domain
- Double click on any entry to edit them
Google Chrome: Editing Local Storage
- Open browser's Developer Tools.
- Click on Storage tab
- Navigate to Local Storage and then select the application domain
- Double click on any entry to edit them
Edge/IE: Editing Local Storage
- Open browser's Developer Tools.
- Click on Console tab
- Use localStorage, localStoragegetItem and localStorageSetItem
Disable JavaScript
Google Chrome: Disable JavaScript
- Open browser's Developer Tools.
- Click on three dots menu on the right side of the web developer toolbar and click on Settings
- Navigate to Preferences tab
- Under Debugger, check the Disable JavaScript box
Mozilla Firefox: Disable JavaScript
- Open browser's Developer Tools.
- Click on settings on the right side of the web developer toolbar
- Under Advanced Settings, check the Disable JavaScript * box
Viewing Headers
Google Chrome: Viewing Headers
- Open browser's Developer Tools.
- Navigate to Network tab
- Perform any action on the web application
- Select the page name from left side
Mozilla Firefox: Viewing Headers
- Open browser's Developer Tools.
- Navigate to Network tab
- Perform any action on the web application
- Select the page name from left side
Edge/IE: Viewing Headers
- Open browser's Developer Tools.
- Navigate to Network tab
- Click on Play button
- Perform any action on the web application
- Click on Stop button
- Select the page name and click on Details tab
Capture Screen-shots
Google Chrome: Capture Screen-shots
- Open browser's Developer Tools.
- Press on Toggle Device Toolbar button or press Ctrl + Shift + M
- Click on three-vertical-dots menu on the right
- Click on Capture Screenshot
Mozilla Firefox: Capture Screen-shots
- Click on three-horizontal-dots on the URL bar
- Click on Take a Screenshot
Edge/IE: Capture Screen-shots
- Click on the pencil-and-selection icon on the URL bar
- Click on save button or select an area with the help of scissor tool
Offline mode
Google Chrome: Offline mode
- Open browser's Developer Tools.
- Navigate to Network tab
- Check the Offline box
Mozilla Firefox: Offline mode
- Select Work Offline from the menu
Encode and Decode
Browser consoles can be used for basic encoding\decoding functions.| Function | Code |
|---|---|
| Base64 encode | |
| Base64 decode | |
| URL encode | |
| URL decode | |
| HTML encode | |
| HTML decode | |
Disable CSS
- Open browser's Developer Tools.
- Click on Console tab
- Copy and paste the following and press enter.
| Function | Code |
|---|---|
| To remove all external style-sheets | |
| To remove all internal style-sheets | |
| To remove all inline styles | |
| To remove everything from head tag | |