Insider attacks are more lethal than the one achieved by an external entity,so sometimes Black box testing would be a waste of money and time .
Career as a penetration tester is not a sprint,it is a marathon.
Important HTTP methods for penetration testing
The GET method:passes the parameters to the web application via the URL itself.
The POST method:is similar to the GET method and is used to retrieve data from the server but it passes the content via the body of the request.
The HEAD method:The HEAD method is used by attackers to identify the type of server as the server only responds with the HTTP header without sending any payload.It’s a quick way to find out the server version and the date.
The TRACE method:is used to identify any alterations to request by intermediary devices such as proxy servers and firewalls.The TRACE method to steal user’s cookies.
The PUT/DELETE methods:are part of WebDAV,which is an extension to http protocol and allows management of documents and files on the web server.
The OPTIONS method:used to query the server for the methods that it supports.
Session tracking using cookies:
The ID could be shared using the GET method or the POST method.When using the GET method,the session ID would become a part of the URL;when using the POST method,the session ID is shared in the body of the HTTP message.The server would maintain a table mapping usernames to the HTTP message.
the cookie is always set and controlled by the server.
persistent and non-persistent cookies.
HTTP is the communication mechanism used to transfer HTML formatted pages.