Intro to Web App Pentesting
⚡ Prerequisites
Basic Network and Cybersecurity Concepts
📕 Learning Objectives
Understand Web protocols
Perform webapps enumeration
Perform SQL injection, XSS and brute-force attacks
🔬 Training list - PentesterAcademy/INE Labs
subscription required
Web application penetration testing is a process of identifying and exploiting vulnerabilities in web applications to assess their security posture.
Web and HTTP Protocol
🔗📝 Some Web Applications Basics notes are already covered here (from the PTSv1 Course)
🗒️ HTTP (HyperText Transfer Protocol) is a protocol used for communication between web servers and clients, such as web browsers. HTTP key features are:
- Client-Server Architecture
- Stateless Protocol (every request stands alone; state such as a login is layered on top with cookies and sessions)
- Request Methods
- Status Codes (200, 404, 500, etc.)
- Headers (additional information about the request/response)
- Cookies (store info on the client side)
- Encryption (HTTPS)
HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Commonly used HTTP request methods are:
- GET - retrieve data from the server
- HEAD - retrieve only the headers (metadata) for a resource, without the body
- POST - submit data to the server
- PUT - create or replace the resource at the target URI with the request body
- DELETE - delete a specified resource
- CONNECT - establish a tunnel to the server identified by the target resource (used by proxies)
- OPTIONS - describe the communication options for a resource (the server answers with an Allow header listing the methods it accepts)
- TRACE - perform a message loop-back test along the path to the resource
- PATCH - apply partial modifications to a resource
From a testing point of view, a production server that still accepts PUT, DELETE or TRACE is worth a closer look: PUT and DELETE can allow writing or removing files, and TRACE echoes the request (headers and cookies included) back to the client.
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. They are grouped in five classes:
- 100-199 - Informational responses
- 200-299 - Successful responses
- 300-399 - Redirection messages
- 400-499 - Client error responses
- 500-599 - Server error responses
An HTTP cookie is a small piece of data that a server sends to a user's web browser. The web browser may store the cookie and send it back to the same server with later requests. Cookies are mainly used for these purposes:
Session management
Personalization
Tracking
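The pieces above (status line, status class, headers, Set-Cookie) are easiest to understand on the wire. The following is an added example, not code from the course notes: it parses a raw HTTP/1.1 response and then reports, per cookie, which security attributes (HttpOnly, Secure, SameSite) are missing, which is the first thing a tester checks on a session cookie. The response bytes are constructed for illustration.

```python
"""Minimal parser for a raw HTTP/1.1 response, plus a cookie-flag check.

Added example (not from the course notes). SAMPLE_RESPONSE is constructed
for illustration; no network access is needed.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Constructed sample response, as a browser or intercepting proxy sees it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: theme=dark; Path=/\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)

STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client error", 5: "Server error"}


def parse_response(raw: bytes) -> dict:
    """Split a raw response into status line, headers (multi-valued) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # header names are case-insensitive; a header may repeat (Set-Cookie)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": version, "status": int(code), "reason": reason,
            "class": STATUS_CLASSES[int(code) // 100],
            "headers": headers, "body": body}


def cookie_findings(set_cookie_values: list[str], https: bool) -> dict[str, list[str]]:
    """Report the missing security attributes for every cookie the server set."""
    findings: dict[str, list[str]] = {}
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            missing = []
            if not morsel["httponly"]:
                missing.append("HttpOnly")   # readable from JavaScript, so stealable via XSS
            if https and not morsel["secure"]:
                missing.append("Secure")     # would also be sent over plain HTTP
            if not morsel["samesite"]:
                missing.append("SameSite")   # no built-in CSRF mitigation
            findings[name] = missing
    return findings


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(parsed["status"], parsed["class"])
    print(cookie_findings(parsed["headers"]["set-cookie"], https=True))
```

The session cookie here has HttpOnly but no Secure or SameSite attribute; the theme cookie has none of the three, which matters less because it carries nothing sensitive. In a real engagement the same check is run on the Set-Cookie headers captured in Burp or ZAP.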
🗒️ HTTPS (HTTP Secure) is HTTP carried over an encrypted Transport Layer Security (TLS) connection. TLS replaced the older Secure Sockets Layer (SSL) protocol; all SSL versions are deprecated and should not be accepted by a modern server, although the name "SSL certificate" is still in common use.
When a client connects to an HTTPS-enabled website, the server sends its certificate (and the intermediate certificates that chain it to a root) to the client. The client verifies that the chain leads to a certificate authority it trusts, that the certificate is within its validity period, and that the hostname it connected to matches a name in the certificate. Only if all of these checks pass do the client and the server complete the handshake and derive a unique session key that encrypts the HTTP traffic. A client that skips any of these checks (for example a script that turns certificate verification off) is open to a man-in-the-middle presenting its own certificate.
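To make the verification step concrete, here is an added example (not from the course notes) in Python: it contrasts a correctly configured `ssl.SSLContext` with the "disable verification" configuration seen in far too many scripts, and it shows the validity-period and hostname checks on a certificate dict in the shape `SSLSocket.getpeercert()` returns. The certificate data and the "now" timestamps are constructed, and `_label_match` is a deliberately simplified version of the hostname rules the ssl module applies for you; it is not the library's implementation.

```python
"""What 'the client verifies the certificate' means in practice.

Added example (not from the course notes). SAMPLE_CERT and the NOW_* values
are constructed; _label_match is a simplified hostname matcher written for
this example, not the ssl module's own logic.
"""
import ssl


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The two settings that decide whether any verification happens."""
    return {"check_hostname": ctx.check_hostname,
            "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED}


def secure_context() -> ssl.SSLContext:
    """Default context: chain checked against the trust store, hostname checked."""
    return ssl.create_default_context()


def insecure_context() -> ssl.SSLContext:
    """The 'make the warning go away' configuration: no chain or hostname check,
    so an on-path attacker can present a self-signed cert and read the traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry. A wildcard is honoured only in the leftmost
    label and spans exactly one label: *.example.com matches www.example.com
    but not a.b.example.com or example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def certificate_checks(cert: dict, hostname: str, now: float) -> list[str]:
    """Return the reasons a client must reject `cert` (empty list = accept).
    Chain validation (CA signatures) is not repeated here because it needs
    the full chain and a trust store; the ssl module does it when
    verify_mode is CERT_REQUIRED."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_label_match(name, hostname) for name in names):
        problems.append("hostname mismatch")
    return problems


# Constructed certificate data in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
# Constructed clock values used in place of time.time().
NOW_MID_2024 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
NOW_EARLY_2025 = ssl.cert_time_to_seconds("Jan 15 00:00:00 2025 GMT")


if __name__ == "__main__":
    print(context_summary(secure_context()), context_summary(insecure_context()))
    print(certificate_checks(SAMPLE_CERT, "www.example.com", NOW_MID_2024))
    print(certificate_checks(SAMPLE_CERT, "evil.example.net", NOW_EARLY_2025))
```

Note that only the subjectAltName entries are consulted; browsers stopped falling back to the commonName years ago, so a certificate whose only matching name is in the CN is rejected just like a mismatch.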
🔬 There are many vulnerable testing web apps like:
📝 Check the HackerSploit's Web App Penetration Testing Tutorials
Scanning & Enumeration
Directory Enumeration - Gobuster
Gobuster - a tool used to brute-force URIs including directories and files as well as DNS subdomains.
Directory Enumeration - BurpSuite
BurpSuite - an integrated platform for performing security testing of web applications.
🔬 Check HTTP Web App Enumeration lab covering HTTP Method and Directory Enumeration Techniques
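What gobuster and Burp's Intruder actually do during directory enumeration is simple to show in code. The following is an added example (not from the course notes or from either tool): it starts a constructed stand-in target on 127.0.0.1 (a tiny HTTP server whose paths answer 200, 301, 403 or 404 and whose OPTIONS handler advertises its methods), then brute-forces paths from a wordlist with the same bare/directory/extension variants `gobuster dir -x` generates, and enumerates the allowed HTTP methods via OPTIONS. Everything, including the wordlist, is constructed so it runs offline.

```python
"""Directory and HTTP-method enumeration against an in-process target.

Added example (not from the course notes). TARGET_PATHS, the Target handler
and the wordlist are constructed stand-ins for a real web server.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target: path -> status code it answers with (anything else: 404).
TARGET_PATHS = {"/": 200, "/index.html": 200, "/admin/": 403,
                "/backup.zip": 200, "/old": 301, "/robots.txt": 200}


class Target(BaseHTTPRequestHandler):
    def log_message(self, *args):          # keep the example output quiet
        pass

    def do_GET(self):
        code = TARGET_PATHS.get(self.path, 404)
        self.send_response(code)
        if code == 301:
            self.send_header("Location", "/old/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)
        # PUT being advertised is the kind of finding method enumeration is for
        self.send_header("Allow", "GET, HEAD, OPTIONS, PUT")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_target() -> str:
    """Bind the constructed target to a free port and return its base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301 on a guessed name is itself a finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def status_of(url: str, method: str = "GET") -> int:
    """Return the status code without raising on 3xx/4xx/5xx."""
    try:
        with OPENER.open(urllib.request.Request(url, method=method), timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def enumerate_dirs(base: str, wordlist, extensions=("html", "zip", "txt"),
                   interesting=(200, 301, 302, 403)) -> dict:
    """Equivalent of `gobuster dir -w wordlist -x html,zip,txt`: every word is
    tried bare, as a directory (trailing slash) and with each extension, and
    only responses in `interesting` are reported. 403 is kept on purpose: it
    proves the path exists even though we may not read it."""
    found = {}
    for word in wordlist:
        candidates = [f"/{word}", f"/{word}/"] + [f"/{word}.{ext}" for ext in extensions]
        for candidate in candidates:
            code = status_of(base + candidate)
            if code in interesting:
                found[candidate] = code
    return found


def allowed_methods(base: str, path: str = "/") -> list:
    """HTTP method enumeration: ask the server with OPTIONS and read Allow."""
    req = urllib.request.Request(base + path, method="OPTIONS")
    with OPENER.open(req, timeout=5) as resp:
        return [m.strip() for m in resp.headers.get("Allow", "").split(",") if m.strip()]


if __name__ == "__main__":
    base = start_target()
    print(enumerate_dirs(base, ["admin", "backup", "old", "robots", "nothing"]))
    print(allowed_methods(base))
```

Two details carry over to real targets: redirects are not followed (a `/old` that answers 301 tells you the directory exists), and 403 responses are reported rather than filtered, because an access-denied directory is still a directory. Real wordlists (SecLists' `common.txt`, for instance) replace the five words used here.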
Scanning WebApp - ZAProxy
Zaproxy - OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
Scanning WebApp - Nikto
Nikto - a pluggable web server and CGI scanner written in Perl, using rfp's LibWhisker to perform fast security or informational checks.
🔬 Check HTTP Web App Scanning lab covering Web Apps scanning techniques
Attacks
SQLMap - an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
XSSer (Cross-Site Scripter) - an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
SQLi
🗒️ SQL Injection attacks consist of insertion or "injection" of a SQL query via the input data from the client to the application, allowing an attacker to interfere with the database queries of the vulnerable web application.
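The definition becomes concrete with a login form. Below is an added example (not from the course notes): a login check that builds its query by string concatenation, the same check written with a parameterised query, and the three classic payloads run against both on an in-memory SQLite database. The users table and the payloads are constructed for illustration.

```python
"""SQL injection in a login check: the vulnerable string-built query beside
the parameterised fix, run against an in-memory SQLite database.

Added example (not from the course notes). The users table and the payloads
are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "S3cret!"), ("alice", "wonderland")])
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """User input concatenated straight into the SQL text. Returns the
    matched username, or None when the credentials are wrong."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input can never terminate the string literal."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# Constructed payloads. The trailing space after -- matters in some engines;
# SQLite accepts -- with or without it.
PAYLOADS = {
    # comment out the password check entirely
    "comment":   ("admin'-- ", "anything"),
    # AND binds tighter than OR, so the OR '1'='1' makes the WHERE clause true for every row
    "tautology": ("nobody", "' OR '1'='1"),
    # UNION: read a column the query never meant to return
    "union":     ("' UNION SELECT password FROM users WHERE username='admin'-- ", "x"),
}


def run_payloads(db: sqlite3.Connection) -> dict:
    """Result of every payload against both implementations."""
    return {name: {"vulnerable": login_vulnerable(db, u, p), "safe": login_safe(db, u, p)}
            for name, (u, p) in PAYLOADS.items()}


if __name__ == "__main__":
    for name, result in run_payloads(make_db()).items():
        print(f"{name:10s} vulnerable -> {result['vulnerable']!r:12} safe -> {result['safe']!r}")
```

The tautology payload logs in as the first row the database happens to return (here `admin`), and the UNION payload turns a yes/no login check into a way to read the password column; this is the manual form of what sqlmap automates. In `login_safe` every payload is simply a username or password that does not exist.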
XSS
🗒️ Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites, allowing an attacker to compromise the interactions that users have with a vulnerable application.
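The reflected variant, which is what tools like XSSer probe for first, fits in a few lines. The following is an added example (not from the course notes or from XSSer): a search page that echoes the `q` parameter straight into its HTML, the same page with output encoding, and the detection step of sending a harmless marker and checking whether it comes back unencoded. The base URL, page templates and probe marker are constructed; no browser or network is involved.

```python
"""Reflected XSS: a page that echoes a query parameter raw, its encoded
counterpart, and the probe a scanner uses to tell the two apart.

Added example (not from the course notes). BASE, the page templates and
PROBE are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

BASE = "http://target.test/search"     # constructed, not a real host
PROBE = '<xss"probe>'                  # harmless marker: one tag char, one quote


def search_url(base: str, q: str) -> str:
    """Build the request URL the way a browser would (percent-encoded)."""
    return f"{base}?q={quote(q)}"


def _param(url: str, name: str = "q") -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Search page that puts the decoded parameter straight into the HTML."""
    return f"<h1>Results for: {_param(url)}</h1>"


def render_safe(url: str) -> str:
    """Same page with HTML entity encoding, so '<' can never open a tag.
    html.escape covers the element-body context used here; attribute and
    JavaScript contexts need their own context-specific encoding."""
    return f"<h1>Results for: {html.escape(_param(url), quote=True)}</h1>"


def reflects_unencoded(render, base: str) -> bool:
    """Detection step: inject PROBE and see whether it is reflected verbatim.
    If it is, a real payload such as <script>...</script> would be parsed
    by the browser instead of displayed as text."""
    return PROBE in render(search_url(base, PROBE))


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_vulnerable(search_url(BASE, payload)))
    print(render_safe(search_url(BASE, payload)))
    print(reflects_unencoded(render_vulnerable, BASE), reflects_unencoded(render_safe, BASE))
```

Probing with a marker rather than a real `<script>` payload is deliberate: it tells you whether the application encodes output without tripping a WAF or executing anything, and the specific characters that survive (`<`, `>`, `"`, `'`) tell you which injection contexts are exploitable.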
🔬 Check Web App Attacks lab covering Web Apps Attacking techniques