3.1 Intro to Web App Pentesting
Prerequisites
Basic Network and Cybersecurity Concepts
Learning Objectives
Understand web protocols (HTTP/HTTPS)
Perform web app enumeration
Perform SQL injection, XSS and brute-force attacks
Training list - PentesterAcademy/INE Labs (subscription required)
- Web Application Basics
- Web Apps Tools of Trade
Web App Pentesting is a method of evaluating the security of a web application by simulating a cyberattack. The goal of such testing is to identify vulnerabilities and weaknesses within the application that malicious hackers could exploit. By conducting these tests, organizations can proactively strengthen their web applications' security and protect sensitive data.
Key aspects of web application penetration testing include:
Identifying Vulnerabilities: Penetration testers aim to discover security vulnerabilities, such as code flaws, misconfigurations, and design weaknesses that could be exploited by attackers. Common vulnerabilities include SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure authentication methods.
Mimicking Real Attacks: Testers simulate real-world attack scenarios to determine how an attacker might compromise the application. This might involve attempting to gain unauthorized access, execute code, or extract sensitive data from the application.
Manual and Automated Testing: A combination of manual testing by skilled security professionals and automated tools is typically used. Manual testing allows for more comprehensive exploration, while automated tools can efficiently scan for common vulnerabilities.
Exploitation and Verification: If a vulnerability is identified, the tester may attempt to exploit it to demonstrate its real-world impact. This often involves attempting to escalate privileges or access sensitive data. The success of the exploitation helps confirm the vulnerability's severity.
Reporting: The results of the penetration test are documented in a comprehensive report, including the identified vulnerabilities, their severity, and recommendations for remediation. This report serves as a roadmap for addressing security issues.
Remediation: After vulnerabilities are identified, the development and security teams work together to address and fix the issues. This may involve patching code, changing configurations, or implementing new security measures.
Ongoing Testing: Web application penetration testing is not a one-time effort. Regular testing, especially after significant changes to the application, is crucial to maintaining a strong security posture.
The objectives of web application penetration testing are to:
Uncover and fix security vulnerabilities before malicious attackers can exploit them.
Ensure compliance with industry standards and regulations.
Increase the overall security and trustworthiness of the web application.
Safeguard sensitive data, user accounts, and user privacy.
Minimize the risk of security breaches and data leaks.
Web and HTTP Protocol
Some Web Application Basics notes are already covered here (from the PTSv1 course).
HTTP
HTTP (HyperText Transfer Protocol) is the protocol used for communication between web servers and clients such as web browsers. Its key features are:
- Client-Server Architecture
- Stateless Protocol (the server keeps no memory of earlier requests, so anything that must persist between requests, such as a login, is carried by the client, usually in a cookie)
- Request Methods
- Status Codes (200, 404, 500, etc.)
- Headers (additional information about the request/response)
- Cookies (store info on the client side)
- Encryption (HTTPS)
RFC 9110 - HTTP Semantics
Request Methods
HTTP defines a set of request methods to indicate the desired action to be performed on a given resource. Commonly used HTTP methods are:
- GET - retrieve data from the server
- HEAD - retrieve only the headers (metadata) that a GET for the same resource would return
- POST - submit data to the server
- PUT - create or replace the target resource with the request content
- DELETE - delete a specified resource
- CONNECT - establish a tunnel to the server identified by the target resource
- OPTIONS - describe the communication options for a resource
- TRACE - perform a message loop-back test along the path to the resource
- PATCH - apply partial modifications to a resource
Part of enumeration is finding out which methods the target actually accepts (an OPTIONS request often lists them in the Allow header): PUT, DELETE or TRACE left enabled on a resource is worth investigating.
Response Status Codes
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. They are grouped in five classes:
- 100-199 - Informational responses
- 200-299 - Successful responses
- 300-399 - Redirection messages
- 400-499 - Client error responses
- 500-599 - Server error responses
Cookies
An HTTP cookie is a small piece of data that a server sends to a user's web browser in a Set-Cookie response header. The browser may store the cookie and send it back to the same server with later requests in the Cookie request header. Cookies are mainly used for these purposes:
Session management
Personalization
Tracking
Because the session cookie is what identifies a logged-in user on a stateless protocol, check its attributes during a test: Secure (only sent over HTTPS), HttpOnly (not readable from JavaScript, which limits cookie theft through XSS) and SameSite (limits cross-site sending, which helps against CSRF).
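The exchange the three subsections above describe, as an added example that is not part of the original notes: a small constructed server (hypothetical paths /login and /account, a made-up session token) and a client that writes the request bytes by hand, parses the status line and headers, and replays the Set-Cookie value. It shows why the second request to /account is redirected and the third succeeds: the protocol is stateless, and only the cookie links the requests.

```python
"""One hand-built HTTP exchange against a small constructed server (added example).
It shows the request line/headers, the status-code classes, and how a cookie is
the only thing that links one request to the next on a stateless protocol."""
import socket
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSION_COOKIE = "session=abc123"          # constructed token, not a real secret


class DemoHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):          # keep the demo quiet
        pass

    def _reply(self, code, body=b"", extra=()):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        if self.path == "/login":
            # 2xx plus Set-Cookie: the server hands out a session token
            self._reply(200, b"logged in", [("Set-Cookie", SESSION_COOKIE + "; HttpOnly; Path=/")])
        elif self.path == "/account":
            if cookies.get("session") is not None and cookies["session"].value == "abc123":
                self._reply(200, b"account page")
            else:
                self._reply(302, b"", [("Location", "/login")])   # 3xx: go and log in first
        else:
            self._reply(404, b"not found")                           # 4xx: client error

    def do_DELETE(self):
        self._reply(405, b"", [("Allow", "GET, HEAD")])              # 4xx: method not allowed here


def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def raw_request(port, method, path, headers=None):
    """Write the request bytes by hand and parse the reply into (code, reason, headers, body)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: 127.0.0.1:{port}", "Connection: close"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    _version, code, reason = status_line.split(" ", 2)
    parsed = [(n.strip().lower(), v.strip()) for n, v in (h.split(":", 1) for h in header_lines)]
    return int(code), reason, parsed, body


def header(headers, name):
    """First value of a response header, matched case-insensitively."""
    return next((v for n, v in headers if n == name.lower()), None)


def status_class(code):
    return {1: "Informational", 2: "Successful", 3: "Redirection",
            4: "Client error", 5: "Server error"}[code // 100]


def demo():
    """Returns the status codes seen: login, account without cookie, with cookie, bad path, DELETE."""
    server, port = start_server()
    try:
        code, _, hdrs, _ = raw_request(port, "GET", "/login")
        cookie = header(hdrs, "Set-Cookie").split(";")[0]                      # "session=abc123"
        anonymous = raw_request(port, "GET", "/account")[0]                      # 302: no cookie sent
        with_cookie = raw_request(port, "GET", "/account", {"Cookie": cookie})[0]  # 200: cookie replayed
        missing = raw_request(port, "GET", "/nope")[0]                           # 404
        bad_method = raw_request(port, "DELETE", "/login")[0]                    # 405
        return code, anonymous, with_cookie, missing, bad_method
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for c in demo():
        print(c, status_class(c))
```

The same bytes are what Burp or ZAP show in their request editor; the point of building them by hand once is to see that the cookie is an ordinary header under the client's control, which is why stealing or replaying it is equivalent to stealing the session.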
HTTPS
HTTPS (HTTP Secure) is HTTP carried over an encrypted Transport Layer Security (TLS) connection. Its predecessor, Secure Sockets Layer (SSL), is deprecated and should no longer be offered, although the name "SSL certificate" has stuck. When a client connects to an HTTPS-enabled website, the server presents its certificate during the TLS handshake. The client checks that the certificate chains to a certificate authority it trusts, that it is within its validity period, and that its name matches the host being contacted. Only if those checks pass do the client and server derive session keys from the handshake and use them to encrypt the HTTP traffic. During a test, note any server that still offers SSLv3, TLS 1.0 or 1.1, weak cipher suites, or a certificate whose name does not match the host.
There are many vulnerable testing web apps to practice on, like:
- DVWA - Kali Install
- bWAPP
- Mutillidae II
Check HackerSploit's Web App Penetration Testing Tutorials.

```bash
# bWAPP with Docker - by HackerSploit
sudo docker pull hackersploit/bwapp-docker
sudo docker run -d -p 80:80 hackersploit/bwapp-docker
# Open http://127.0.0.1/install.php
sudo docker container ls
sudo docker container stop <CONTAINER_NAME>
sudo docker container start <CONTAINER_NAME>
```
Lab target scan for the web (80, 443) and MySQL (3306) service versions:

```bash
nmap -sV -p 80,443,3306 demossl.ine.local
```
Scanning & Enumeration
Directory Enumeration - Gobuster
Gobuster - a tool used to brute-force URIs, including directories and files, as well as DNS subdomains.

```bash
# Kali Linux Install
sudo apt update && sudo apt install -y gobuster
# Go Install
go install github.com/OJ/gobuster/v3@latest
```
Directory Enumeration - BurpSuite
BurpSuite - an integrated platform for performing security testing of web applications.

```bash
# Kali Linux Install
sudo apt update && sudo apt install -y burpsuite
```
π¬ Check HTTP Web App Enumeration lab covering HTTP Method and Directory Enumeration Techniques
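What gobuster's `dir` mode does (`gobuster dir -u http://target -w wordlist -x php,zip,bak`), written out as an added example that is not from the notes or from gobuster itself: every word/extension pair is requested, and only responses whose status is in a whitelist are reported. The target is a constructed web root served locally, and the wordlist is a constructed stand-in for a real one. The baseline request to a random path is the check a practitioner wants before trusting the results: an application that answers 200 to everything turns every guess into a false hit.

```python
"""Wordlist-driven directory and file brute-forcing, the technique gobuster's `dir`
mode automates. Added example: the target is a constructed web root served locally
so the whole thing runs offline."""
import os
import tempfile
import threading
import uuid
from concurrent.futures import ThreadPoolExecutor
from functools import partial
from http.client import HTTPConnection
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed web root: a hidden admin area, an uploads directory and a forgotten archive.
TARGET_TREE = {
    "index.html": "<h1>home</h1>",
    "admin/index.html": "<h1>admin</h1>",
    "uploads/.keep": "",
    "backup.zip": "PK",
}
# Constructed wordlist; a real run uses one such as /usr/share/wordlists/dirb/common.txt
WORDLIST = ["admin", "backup", "config", "images", "login", "test", "uploads"]
EXTENSIONS = ["", ".php", ".zip", ".bak"]                 # cf. gobuster -x php,zip,bak
INTERESTING = {200, 201, 204, 301, 302, 307, 401, 403}    # statuses worth reporting


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass


def start_target():
    """Write TARGET_TREE to a temp dir and serve it on an ephemeral port."""
    root = tempfile.mkdtemp()
    for rel, content in TARGET_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(host, port, path):
    """One HEAD request (no body transfer); returns (path, status)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        return path, conn.getresponse().status
    finally:
        conn.close()


def enumerate_paths(host, port, words=WORDLIST, extensions=EXTENSIONS, threads=10):
    """Probe every word/extension pair concurrently and return the interesting hits, sorted."""
    # Baseline first: an app that answers 200 to everything would make every guess a "hit"
    # (gobuster also stops in that case unless told how to treat the wildcard response).
    _, baseline = probe(host, port, "/" + uuid.uuid4().hex)
    if baseline in INTERESTING:
        raise RuntimeError(f"wildcard response ({baseline}) for a random path; filter on size or content instead")
    candidates = [f"/{w}{ext}" for w in words for ext in extensions]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda p: probe(host, port, p), candidates))
    return sorted((p, s) for p, s in results if s in INTERESTING)


if __name__ == "__main__":
    server, port = start_target()
    try:
        for path, status in enumerate_paths("127.0.0.1", port):
            print(f"{status}  {path}")
    finally:
        server.shutdown()
```

Directories show up as 301 (the server redirects /admin to /admin/), forgotten files as 200; a 403 is also a hit, since it proves the path exists even though this user may not read it.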
Scanning WebApp - ZAProxy
Zaproxy - OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

```bash
# Kali Linux Install
sudo apt update && sudo apt install -y zaproxy
```
Scanning WebApp - Nikto
Nikto - a pluggable web server and CGI scanner written in Perl, using rfp's LibWhisker to perform fast security or informational checks.

```bash
# Kali Linux Install
sudo apt update && sudo apt install -y nikto
```
π¬ Check HTTP Web App Scanning lab covering Web Apps scanning techniques
Attacks
SQLMap - an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

```bash
# Kali Linux Install
sudo apt update && sudo apt install -y sqlmap
```

XSSer (Cross-Site Scripter) - an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

```bash
# Kali Linux Install
sudo apt update && sudo apt install -y xsser
```
SQLi
SQL Injection attacks consist of the insertion or "injection" of a SQL query via the input data from the client to the application, allowing an attacker to interfere with the queries the vulnerable web application makes to its database: read data belonging to other users, bypass authentication, modify or delete data and, on some database servers, run operating system commands. The root cause is building the query text from user input; the fix is parameterized (prepared) statements, so that input is bound as data rather than parsed as SQL.
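The flaw and the fix side by side, as an added example that is not from the notes or from sqlmap: a login query built by string concatenation, the same query with bound parameters, a search endpoint that a UNION payload turns into a data dump, and a boolean-based blind loop that recovers a password with yes/no questions only, which is the technique sqlmap automates when the application shows no query output. The database is an in-memory SQLite instance with constructed rows (hypothetical users `admin` and `alice`).

```python
"""Vulnerable string-built SQL beside the parameterized fix, driven by an in-memory
SQLite database with constructed rows. Added example, not from the page or any tool."""
import sqlite3
import string


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                   [("admin", "S3cret!", "admin"), ("alice", "alice123", "user")])   # constructed data
    return db


def login_vulnerable(db, username, password):
    """Input is pasted into the statement text, so quotes and comments in it change the query."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone()


def login_safe(db, username, password):
    """Same query with bound parameters: the driver passes the values separately from the SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()


def search_vulnerable(db, term):
    """A search endpoint with the same flaw; because it returns every row, UNION can dump other columns."""
    query = "SELECT username, role FROM users WHERE username LIKE '%" + term + "%'"
    return db.execute(query).fetchall()


# Classic payloads (the -- starts a SQL comment that swallows the rest of the original query)
BYPASS_USERNAME = "admin'--"
BYPASS_PASSWORD = "' OR '1'='1"
UNION_DUMP = "zzz%' UNION ALL SELECT username, password FROM users--"


def oracle(db, condition):
    """Boolean-based blind probe: True when the injected condition holds and the admin row comes back."""
    return login_vulnerable(db, f"admin' AND ({condition})--", "") is not None


def recover_password_blind(db, charset=string.ascii_letters + string.digits + "!@#$%^&*_-"):
    """Recover admin's password one character at a time using only the oracle's yes/no answers."""
    length = next(n for n in range(1, 33) if oracle(db, f"length(password) = {n}"))
    recovered = ""
    for pos in range(1, length + 1):
        recovered += next(c for c in charset if oracle(db, f"substr(password, {pos}, 1) = '{c}'"))
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, BYPASS_USERNAME, "anything"))
    print("bypass:", login_vulnerable(db, "nobody", BYPASS_PASSWORD))
    print("fixed :", login_safe(db, BYPASS_USERNAME, "anything"))
    print("dump  :", search_vulnerable(db, UNION_DUMP))
    print("blind :", recover_password_blind(db))
```

Note that `login_safe` is not "input validation": the payloads are still accepted as a username and password, they just never become SQL. Comment syntax (`--`, `#`, `/* */`) and string functions differ between database engines, which is one reason sqlmap fingerprints the backend before choosing payloads.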
XSS
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites, allowing an attacker to run JavaScript in victims' browsers in the context of the vulnerable application and so compromise the interactions those users have with it (steal session cookies, perform actions as the user, deface pages). Reflected XSS echoes the payload straight back from the request, stored XSS serves it from the database to every visitor. The fix is output encoding appropriate to the HTML context in which the data lands, with a Content-Security-Policy header as defense in depth.
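A reflected XSS rendered without and with output encoding, as an added example that is not from the notes or from XSSer. The template is constructed and puts the search term in two contexts, element text and a quoted attribute value, because a payload that breaks out of an attribute needs no `<script>` tag at all. The `injected` check parses the rendered page and reports any tag or attribute the template itself does not contain, which is the kind of evidence a report should carry rather than a screenshot of an alert box.

```python
"""Reflected XSS: the same template rendered without and with output encoding, plus a
check that parses the result to see whether user input turned into markup. Added example
with a constructed template and constructed payloads."""
import html
from html.parser import HTMLParser

# Constructed template: the search term lands in two contexts, element text and an attribute value.
TEMPLATE = '<p>Results for: {term}</p>\n<input name="q" value="{term}">'
TEMPLATE_TAGS, TEMPLATE_ATTRS = {"p", "input"}, {"name", "value"}


def render_vulnerable(term):
    """Interpolates raw input: the browser parses whatever the user typed as HTML."""
    return TEMPLATE.replace("{term}", term)


def render_safe(term):
    """Escapes for the HTML text and attribute contexts; quote=True is what protects the attribute."""
    return TEMPLATE.replace("{term}", html.escape(term, quote=True))


class MarkupCollector(HTMLParser):
    """Records every tag and attribute name a browser would see in the page."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = set(), set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        self.attrs.update(name for name, _ in attrs)


def injected(page):
    """True if the rendered page contains tags or attributes that the template itself does not."""
    parser = MarkupCollector()
    parser.feed(page)
    parser.close()
    return bool(parser.tags - TEMPLATE_TAGS or parser.attrs - TEMPLATE_ATTRS)


# Constructed payloads: one for the text context, one that breaks out of the quoted attribute
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'


if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        print("vulnerable:", injected(render_vulnerable(payload)), "| safe:", injected(render_safe(payload)))
    print(render_safe(PAYLOAD_ATTR))
```

Encoding is context-specific: `html.escape` is right for text and quoted attributes, but data placed inside a `<script>` block, a URL, or an unquoted attribute needs a different encoder, and a payload like `javascript:` in an `href` passes through HTML escaping untouched. An HttpOnly session cookie limits what a successful `document.cookie` payload can steal, which ties back to the cookie attributes above.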
π¬ Check Web App Attacks lab covering Web Apps Attacking techniques