Can you perform web application security testing just using a browser? Think of a scenario where you have to do security testing from a very limited environment where you have no access to run scripts or tools and all you have is a browser. This guide looks at web application security testing from such a locked down scenario. The goal is to cover as many security test cases as possible from a browser. Even though it’s not possible to perform all web application related security test cases from browsers, some good coverage can be guaranteed with the help of the same. A browser alone cannot replace conventional web application security testing methodologies which involve proxies and scanners. Relying completely on security tests that can be done from a browser is never recommended.
One of the other potential use cases for this guide would be while preparing security testing reports. The most important section in any vulnerability finding write-up is ‘reproduction steps’. Most security professionals make use of tools like Burp Suite or ZAP extensively for this step. However, the major audience (including developers) of the security testing won’t be having enough knowledge about setting up the proxy and similar tools – making the vulnerability reproduction tough on their end. As a matter of fact, you might have been in post pen-testing meetings where stakeholders asked you to reduce the likelihood of some vulnerabilities just because exploiting them requires setting up a proxy. After going through this guide, you will be able to re-write most of those write-ups with simple steps that just involves browser – which almost everyone on the target audience of the testing report has access to.
It is to be noted that this research only focuses on what all web application security related tests that can be done just by using native features of the browser. This does not cover what these browsers can do with the help of extensions. Almost all major browsers support installing extensions these days and there are lot more powerful things that can be done with the help of them, which won’t be covered in this paper.
Majority of the article focuses on 'developer tools' provided by the browsers. Even though these tools are aimed at making web development process easy, we would be able to help them in covering test cases as well.
|Function||Google Chrome||Mozilla Firefox||Edge/IE||Safari|
|Switching User Agents||✔||✔||✔||✔|
|Edit and Replay Requests||✖||✔||✖||✖|
|Editing Local Storage||✔||✔||✔||✖|
|Native screen-shot capture||✔||✔||✔||✖|
|Encode and Decode||✔||✔||✔||✔|
|To remove all external style-sheets||
|To remove all internal style-sheets||
|To remove all inline styles||
|To remove everything from head tag||