Source to Sink: Core Penetration Testing Approach

🎯 1. Investigating Blind Spots in Authenticated Areas

🚩 Source: Parameters in authenticated functionality
⚠️ Sink: Privileged operations

user_id = request.form['user_id']  # 🚩 Source
db.execute(f"DELETE FROM users WHERE id = {user_id}")  # ⚠️ Sink

🔗 Attack Flow:
Source → Privilege bypass → Sink

🧼 2. Input Sanitization Analysis

🚩 Source: User input fields
⚠️ Sink: Rendering functions

const userComment = req.body.comment;  // 🚩 Source
const sanitized = userComment.replace('<script>', '');  // 🛑 Vulnerable
res.send(`<div>${sanized}</div>`);  // ⚠️ Sink

🔗 Attack Vector:
Source → Weak sanitization → Sink

💾 3. Dangerous Database Query Flows

🚩 Source: Search fields
⚠️ Sink: Query execution

String userInput = request.getParameter("search");  // 🚩 Source
stmt.executeQuery("SELECT * FROM products WHERE name = '" + userInput + "'");  // ⚠️ Sink

🔗 Vulnerability Flow:
Source → Concatenation → Sink

🔑 4. Account Management Attack Vectors

🚩 Source: Reset tokens
⚠️ Sink: Auth change functions

email = params[:email]  # 🚩 Source
reset_token = user.id.to_s + Time.now.strftime("%Y%m%d")  // 🎲 Predictable
user.update(password: new_password)  # ⚠️ Sink

🔗 Attack Path:
Source → Weak token → Sink

💻 5. OS Command Injection Chains

🚩 Source: Network parameters
⚠️ Sink: System calls

$user_ip = $_GET['ip'];  // 🚩 Source
system("traceroute " . $user_ip);  // ⚠️ Sink

🔗 Dangerous Flow:
Source → Unvalidated → Sink

⚙️ 6. Language-Specific Source-Sink Pairs

Node.js Prototype Pollution:

const userData = JSON.parse(req.body);  // 🚩 Source
Object.assign({}, userData);  // 🧩 Vulnerable merge
if (user.isAdmin) {  // ⚠️ Sink
  grantAdminAccess();
}

🐍 Python Deserialization:

imported_data = request.GET.get('data')  # 🚩 Source
pickle.loads(base64.b64decode(imported_data))  # ⚠️ Sink

🗺️ Source-Sink Mapping Table

🔎 Penetration Testing Strategy:

1. Map all 🚩 Sources
2. Identify critical ⚠️ Sinks
3. Trace 🔗 data flows
4. Verify 🛡️ sanitization at each hop