# 🔬Web App Scanning

## Lab 1 - [ZAProxy](https://www.zaproxy.org/)

> 🔬 [Scanning Web Application with ZAProxy](https://attackdefense.com/challengedetails?cid=1888)
>
> * Target IP: `192.192.29.3`
> * Scan and identify a vulnerable web app (bWAPP) with **ZAProxy**

```bash
ip -br -c a
	eth1@if203734  UP  192.192.29.2/24

nmap -sS -sV 192.192.29.3
```

* Start **`owasp-zap`** from the start menu
  * Use **`Manual Explore`** and input the URL
    * `http://192.192.29.3/`
  * **Launch Browser** to open a browser session that is proxied through ZAP, with the ZAP HUD (Heads Up Display) overlaid on the page

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-fd31be5d5e1a1a990adeac2cbd77c81ca438e49f%2Fimage-20230504161231898.png?alt=media)

* Log in to the web app with the `bee`:`bug` credentials
  * set the security level to `low`, otherwise bWAPP filters most payloads and the scan finds little

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-78fbc43ae801dbae4693ac6508589ec62c34c6ff%2Fimage-20230504173337687.png?alt=media)

* Try some of the bugs listed on the `http://192.192.29.3/portal.php` page (e.g. HTML Injection, SQL Injection) so that the proxied session records the authenticated pages and their parameters

### ZAProxy

* Configure an authenticated session in ZAProxy (login form, the `bee` user and a logged-in indicator), so the spider and scanner run as that user instead of being bounced to the login page

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-010d0fc209ed3290d33df14d067826a38462e8ad%2Fimage-20230504162052925.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e2e321e10931359bc81c181501d7c1963ba5473a%2Fimage-20230504162245625.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e98f807388c6a38bd6050db438f310f14c631d34%2Fimage-20230504162342918.png?alt=media)

* Enable `Forced User mode`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-277688dad7f00c6dc7d2c0b038cf85bbc3d2a510%2Fimage-20230504162512403.png?alt=media)

* `Include in Context` the Site `http://192.192.29.3/` and confirm with **`OK`**

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-7ae60576df3832c176b2076f2546499beaec75fd%2Fimage-20230504162721398.png?alt=media)

* Run a **`Spider`** attack on the site, select the `bee` user and Start the scan

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-22798f311e1d5e8b97ca06194ff4bef4b1ae7363%2Fimage-20230504162803069.png?alt=media)

![196 URLs Found](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-d512e4d4e091b229ef93dfa1303e183a7c57190f%2Fimage-20230504162912742.png?alt=media)

* Run an **`Active Scan`** on the site, select the `bee` user and Start the scan

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-a03b0cde9b03a6144c2400f82e4f3b60e6a94760%2Fimage-20230504163034249.png?alt=media)

* In the `Alerts` tab check the 🚩`High` risk Alerts first; each alert carries the request, the parameter and the payload that triggered it

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-7ba8ecbab8442b01424948e605a019858752cf47%2Fimage-20230504172932311.png?alt=media)
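The same spider, active scan and alert triage can be driven without the GUI through ZAP's REST API. The script below is an added example and is not code from the original lab notes or from the ZAP project; it assumes ZAP is listening on `http://127.0.0.1:8080` with an API key, that the context and the `bee` user were already created in the GUI, and that the context and user ids (`CONTEXT_ID`, `USER_ID`) and the API key value are placeholders you replace with your own. The sample alerts reply at the bottom is constructed so the filtering can be checked offline.

```python
"""Spider as a user, active-scan as a user, then list High alerts, via
ZAP's REST API (JSON/<component>/<action|view>/<name>/).

Added example, not the lab's or ZAP's own code. ZAP address, API key,
context id and user id below are assumptions/placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"   # assumption: local ZAP instance
API_KEY = "changeme"            # assumption: key set under Tools > Options > API
TARGET = "http://192.192.29.3/" # the lab's bWAPP host
CONTEXT_ID = "1"                # assumption: id of the context created in the GUI
USER_ID = "0"                   # assumption: id of the 'bee' user in that context


def zap_url(component, kind, name, **params):
    """Build an API URL such as .../JSON/spider/action/scanAsUser/?apikey=...
    kind is 'action' or 'view'; params become query parameters."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}"


def zap_call(component, kind, name, **params):
    """Perform the call and decode the JSON reply (needs a running ZAP)."""
    with urllib.request.urlopen(zap_url(component, kind, name, **params)) as r:
        return json.load(r)


def wait_for(component, scan_id, poll=2):
    """Poll <component>/view/status until the scan reports 100 %."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)


def high_alerts(alerts_reply):
    """(alert, url, param) for every High-risk entry of a core/view/alerts reply."""
    return [
        (a["alert"], a["url"], a.get("param", ""))
        for a in alerts_reply["alerts"]
        if a["risk"] == "High"
    ]


def run_authenticated_scan():
    """Spider and active-scan TARGET as USER_ID, then return the High alerts."""
    sid = zap_call("spider", "action", "scanAsUser", contextId=CONTEXT_ID,
                   userId=USER_ID, url=TARGET, recurse="true")["scan"]
    wait_for("spider", sid)
    aid = zap_call("ascan", "action", "scanAsUser", url=TARGET,
                   contextId=CONTEXT_ID, userId=USER_ID, recurse="true")["scan"]
    wait_for("ascan", aid)
    return high_alerts(zap_call("core", "view", "alerts", baseurl=TARGET))


# Constructed sample of a core/view/alerts reply, for offline checking only.
SAMPLE_ALERTS = {"alerts": [
    {"alert": "SQL Injection", "risk": "High", "param": "title",
     "url": "http://192.192.29.3/sqli_1.php?action=search&title=ZAP%27+OR+%271%27%3D%271%27+--+"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "param": "X-Content-Type-Options", "url": "http://192.192.29.3/portal.php"},
]}

if __name__ == "__main__":
    for name, url, param in run_authenticated_scan():
        print(f"[High] {name} at {url} (param: {param})")
```

`scanAsUser` is what the GUI's "select the `bee` user" dialogs call underneath; without it the scanner would only see the login page and the unauthenticated parts of bWAPP.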

* Navigate to `http://192.192.29.3/htmli_stored.php`, inject the **`XSS`** (**Cross-site Scripting**) payload reported in the alert and Submit it
  * The payload is stored by the application and executes each time the page is rendered

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9ec4f0403f324f4e6f97ed29da13b8a04517402c%2Fimage-20230504173742160.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-ba1bb162c1a5c26bdfbbf6459b839b08ee1294c8%2Fimage-20230504173751062.png?alt=media)

* Site Alerts can also be reached from the `ZAP HUD` inside the browser. Every alert is clickable and the flagged request can be replayed directly from its URL

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-6349080c4d8e8c283db1ec7df7b6a26aca9a64b5%2Fimage-20230504174218018.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-5603c68e16731c347d81a3eb5a23ffcd4bc75113%2Fimage-20230504174327973.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-afc013f668a2691545386866b68281c9861fcb0b%2Fimage-20230504174441116.png?alt=media)

* Try the SQL Injection attack by opening the link from the alert
  * `http://192.192.29.3/sqli_1.php?action=search&title=ZAP'+OR+'1'%3D'1'+--+`
  * URL-decoded, the `title` value is `ZAP' OR '1'='1' -- `: the quote closes the string, `OR '1'='1'` is always true and `-- ` comments out the rest of the query
  * All of the table's records are dumped on the web page

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-4260284ec020074508d6fe924052d8362b14f6f6%2Fimage-20230504175036074.png?alt=media)
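To see why that payload dumps the whole table, the following added example (not code from the lab or from bWAPP) models the movie search behind `sqli_1.php` as a string-built `LIKE` query against an in-memory SQLite table with constructed rows. The exact text of bWAPP's query is an assumption; the point is the concatenation. The parameterised version beside it treats the same input as a plain search pattern.

```python
"""Why  ZAP' OR '1'='1' --  returns every row of a string-built LIKE query.

Added example, not bWAPP's code: the query shape is an assumption and the
movie rows are constructed sample data.
"""
import sqlite3


def make_db():
    """In-memory 'movies' table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year TEXT)")
    conn.executemany("INSERT INTO movies (title, release_year) VALUES (?, ?)", [
        ("G.I. Joe: Retaliation", "2013"),
        ("Iron Man", "2008"),
        ("Man of Steel", "2013"),
        ("The Amazing Spider-Man", "2012"),
    ])
    return conn


def search_vulnerable(conn, title):
    """User input pasted into the SQL text, as the lab's search form does.
    With PAYLOAD the statement becomes
    SELECT title FROM movies WHERE title LIKE '%ZAP' OR '1'='1' -- %'
    so the WHERE clause is true for every row."""
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, title):
    """Same query with a bound parameter: the input can only be a pattern."""
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + title + "%",))]


# The payload from ZAP's alert, URL-decoded ('+' is a space, %3D is '=').
PAYLOAD = "ZAP' OR '1'='1' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # every title
    print("safe:      ", search_safe(db, PAYLOAD))        # no title matches
    print("normal:    ", search_safe(db, "Man"))          # ordinary search still works
```

SQLite is used only because it ships with Python; the concatenation bug and the fix are identical in MySQL, which is what bWAPP runs on.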

## Lab 2 - [Nikto](https://github.com/sullo/nikto)

> 🔬 [Scanning Web Application with Nikto](https://attackdefense.com/challengedetails?cid=2128)
>
> * Target IP: `192.157.60.3`
> * Scan and identify web app vulnerabilities (Mutillidae II) with **Nikto**
>   * LFI

```bash
ip -br -c a
	eth1@if203734  UP  192.157.60.2/24

nmap -sS -sV 192.157.60.3
```

* Open the browser and navigate to
  * `http://192.157.60.3/`

### Nikto

* In the Bash terminal run **`nikto`** against the host and write the results to a file

```bash
nikto -h http://192.157.60.3 -o niktoscan-192.157.60.3.txt
```

![nikto](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-894b6ef91a635cc7e89d4e1626359383f2a09103%2Fimage-20230504182151396.png?alt=media)

* Scan the target web app for **L**ocal **F**ile **I**nclusion (**LFI**) vulnerability by copying the link from the browser
  * `http://192.157.60.3/index.php?page=arbitrary-file-inclusion.php`
  * `-Tuning 5` limits the checks to "Remote File Retrieval - Inside Web Root"; the URL is quoted because `?` is a glob character in Bash
  * output to an `HTML` file

```bash
nikto -h 'http://192.157.60.3/index.php?page=arbitrary-file-inclusion.php' -Tuning 5 -o nikto.html -Format htm
```

![IDOR - LFI](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9b75584780e20472efc3ef8b4f58ba6f61ecde4e%2Fimage-20230504182309267.png?alt=media)

```bash
firefox nikto.html
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9d96ec1fe1ff987edfd4a5723231db19bfab6b2d%2Fimage-20230504183330574.png?alt=media)

![LFI](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-ed6f89ace7f5ca29813e3d546bdb28a33b8fb166%2Fimage-20230504183356515.png?alt=media)

* Nikto reports: *The PHP-Nuke Rocket add-in is vulnerable to **file traversal**, allowing an attacker to view any file on the host*
  * The signature is a generic check; what actually fires here is Mutillidae's `page` parameter, which includes whatever file name it is given
  * View the contents of the `passwd` file of the target machine
  * `http://192.157.60.3/index.php/index.php?page=../../../../../../../../../../etc/passwd`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9c96f753bb6805b154bd11c184cb2254638e84e8%2Fimage-20230504183457260.png?alt=media)
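The traversal works because the included path is built from the `page` parameter and never checked against the web root. The following added example (not the lab's or Mutillidae's code, which does the include in PHP) emulates such a `?page=` include in Python against a constructed temporary directory tree, then shows a containment check plus an allowlist that refuses it. The directory layout, the sample `passwd` line and the page names are constructed; the traversal depth is chosen to match that layout, whereas the lab payload stacks ten `../` because extra `..` at `/` is simply ignored.

```python
"""page=../../etc/passwd: why an unchecked include reads outside the web root,
and a realpath + allowlist check that refuses it.

Added example, not Mutillidae's code. The file tree below is constructed.
"""
import os
import tempfile

# Constructed layout: <tmp>/var/www/html is the web root and <tmp>/etc/passwd
# stands in for the system file the traversal reaches.
_FAKE_ROOT = os.path.realpath(tempfile.mkdtemp())
WEB_ROOT = os.path.join(_FAKE_ROOT, "var", "www", "html")
os.makedirs(WEB_ROOT)
os.makedirs(os.path.join(_FAKE_ROOT, "etc"))
with open(os.path.join(WEB_ROOT, "arbitrary-file-inclusion.php"), "w") as f:
    f.write("<h1>Arbitrary File Inclusion</h1>\n")
with open(os.path.join(_FAKE_ROOT, "etc", "passwd"), "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line

# Three '../' climb from html -> www -> var -> <tmp>, then etc/passwd.
TRAVERSAL = "../../../etc/passwd"


def include_vulnerable(page):
    """include($_GET['page']) equivalent: serves any file the process can read."""
    with open(os.path.join(WEB_ROOT, page)) as f:
        return f.read()


ALLOWED_PAGES = {"arbitrary-file-inclusion.php", "home.php"}


def within_root(page):
    """Containment check: resolve symlinks and '..', then require the result
    to still sit under WEB_ROOT."""
    target = os.path.realpath(os.path.join(WEB_ROOT, page))
    return os.path.commonpath([target, WEB_ROOT]) == WEB_ROOT


def resolve_safe(page):
    """Return the path to serve, or None. The allowlist alone stops traversal;
    the containment check is defence in depth for names added later."""
    if page not in ALLOWED_PAGES or not within_root(page):
        return None
    return os.path.realpath(os.path.join(WEB_ROOT, page))


def include_safe(page):
    target = resolve_safe(page)
    if target is None:
        raise PermissionError(f"refused: {page!r}")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    print(include_vulnerable(TRAVERSAL), end="")     # leaks the passwd line
    print(include_safe("arbitrary-file-inclusion.php"), end="")
    print(resolve_safe(TRAVERSAL))                   # None
```

`within_root` is checked on the resolved path, so a name such as `../../../var/www/html/home.php` that ends up back inside the root passes the containment test and is then decided by the allowlist.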

***
