/d/OpSec

Pen testing an onion web site/server

by /u/Grazelda · 0 votes · 18th January, 2022 22:49

Anyone have experience pen testing an onion site? Normally you would test the target site and the hosting server. What might you do to modify technique for testing an onion site?

Comments (2)
/u/Paris · N/A votes · 18th January, 2022 - 23:41

First is to find how the website is being served to you. If you can break how it's being served you can possibly extract the source files of the website (which allows for total compromise). If you don't see any holes in that way, look at how the website is programmed. One easy way to find what kind of programming language is shown is from the ending file types being served. If it's .html generally that's going to be a static site, making way fewer holes possible. If it's .php that's probably a dynamic site. If it's ending without any file types you can guess the language from how GET requests are handled (go down that rabbit hole if you are interested).

After that look at how POST requests are handled. If it's dynamic, is it susceptible to blind injection attacks? Does it reject or just fail? Any returned inputs? Does it save data and serve it to others? Could the output be processed in a way which is able to be broken out of? Any file uploads? Does it process and clean images? Does it check file types? Is the upload directory able to be viewed directly? If you upload a dynamic script (in the same language as the site) does it run it? How are cookies handled? Can any exploits be found from the mishandling of those cookies?

Onion sites are the same as regular sites. The only exception is the user on the site will be from 127.0.0.1 (localhost), which makes it more likely for things to be exploitable on the server layer if not configured properly. For example Apache server-status and server-info were only supposed to be reported by 127.0.0.1, which is great for regular websites, not great for sites which have onion domains. There is a reason why NGINX is used for basically all the large onion sites. Harder to fuck up on it.
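A defender-side check for the server-status/server-info point made above, written as an added example that is not from this thread: a small Apache config linter in Python that flags blocks whose only access control is "the client is localhost", which is exactly the condition that is always true for requests arriving through an onion service. The sample stanzas are constructed; `Require local`, `Require ip`, `Allow from` and `Require all denied` are standard Apache directives.

```python
import re

# Added example (not from the thread). Directives that grant access only
# because the client address is localhost; behind an onion service every
# request arrives from 127.0.0.1, so they no longer restrict anything.
LOCALHOST_GRANTS = [
    re.compile(r"^\s*Require\s+local\b", re.I),
    re.compile(r"^\s*Require\s+ip\s+.*(127\.0\.0\.1|127\.0\.0\.0/8|::1)\b", re.I),
    re.compile(r"^\s*Allow\s+from\s+.*(127\.0\.0\.1|localhost|::1)\b", re.I),  # 2.2 syntax
]
BLOCK_OPEN = re.compile(r'^\s*<(Location|Directory)(?:Match)?\s+"?([^\s">]+)"?\s*>', re.I)
BLOCK_CLOSE = re.compile(r"^\s*</(Location|Directory)(?:Match)?\s*>", re.I)

def localhost_guarded_blocks(config_text):
    """Paths of <Location>/<Directory> blocks guarded only by 'client is localhost'."""
    findings, current = [], None
    for line in config_text.splitlines():
        opened = BLOCK_OPEN.match(line)
        if opened:
            current = opened.group(2)
        elif BLOCK_CLOSE.match(line):
            current = None
        elif current and any(p.match(line) for p in LOCALHOST_GRANTS):
            if current not in findings:
                findings.append(current)
    return findings

# Constructed sample: stock-style status/info stanzas (2.4 and 2.2 syntax),
# fine on a clearnet host but wide open once the vhost is reached through Tor.
WEAK_CONF = """\
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
<Location "/server-info">
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

# Hardened: deny outright on the onion vhost (or unload mod_status/mod_info).
HARDENED_CONF = """\
<Location "/server-status">
    Require all denied
</Location>
<Location "/server-info">
    Require all denied
</Location>
"""
```

Run `localhost_guarded_blocks` over each vhost file that Tor's HiddenServicePort forwards to; any path it reports is reachable by every onion visitor.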

/u/Grazelda · N/A votes · 19th January, 2022 - 00:56

Appreciated. About 90% of what you offered was already in the logic flow but that remaining 10% forces some wonderful synapses to fire. And it made me realize the offered question was incomplete. My perspective is coming from the dev side and not the red team, trying to harden my code against attack. Same core issues but maybe from more a preventive eye.

/u/sstanl · N/A votes · 19th January, 2022 - 08:15

"One easy way to find what kind of programming language is shown is from the ending file types being served. If it's .html generally that's going to be a static site [...]"

With the availability of both in-process web servers and frameworks/APIs allowing you to control the whole routing and request-handling pipeline, this became a very rough guess ;)

"For example apache server-status and server-info was only supposed to be reported by 127.0.0.1"

Awesome, finally I know the background for these silly requests issued by some bots on my site over and over ... ;)

/u/bigya45 · N/A votes · 19th January, 2022 - 19:18

Great answer.

/u/HeadJanitor · N/A votes · 18th January, 2022 - 23:26

[removed]

/u/Grazelda · N/A votes · 18th January, 2022 - 23:31

Not sure I would completely agree, however I would welcome any DMs on this issue.

/u/Paris · N/A votes · 18th January, 2022 - 23:42

Ignorance does nothing but hide the truth. If it's unsafe, having the knowledge allows you to correct it. Otherwise it's left vulnerable. There is no security in obscurity.

/u/Harlom · N/A votes · 18th January, 2022 - 23:42

You want to find someone legit to do pen testing, maybe befriend someone IRL. Definitely don't trust Dread users to pen test a site; if they find anything of use, best believe they won't come back to tell you about it.

/u/decaptchamyass · N/A votes · 19th January, 2022 - 08:07

You mean security thru obscurity?

/u/Paris · N/A votes · 19th January, 2022 - 18:19

There is NO security in obscurity. Dread⚠️ without the D.