
Web application penetration testing lab setup guide


Web Application Pentesting WAPT

Published in: Software


  1. Web Application Penetration Testing setup
     A guide to setting up a basic web application pentesting lab environment.
     Octogence Tech Solutions, http://octogence.com/
  2. Web Application Penetration Testing setup
     This guide is a quick introduction to conducting a web application pentest (WAPT) with a basic lab setup. It is not a comprehensive course and should be used only as a basic tutorial. All tools and technologies mentioned here are open source or freeware.
     Legal issues: before conducting any kind of testing or assessment, obtain written permission from the owner of the application. A common mistake when performing a WAPT is to also test the host running the application without the permission of the owner of the hosting system, who is often a different party (for example a hosting provider). Do not conduct any kind of test without the explicit permission of the owner.
     Web applications are complex pieces of software, and so is their security. With technologies changing constantly and new ones being introduced all the time, vulnerabilities and attack vectors also increase day by day. Comprehensive testing that follows a hybrid approach (automated scanning combined with manual testing) is a must to identify vulnerabilities rooted deep inside the application. Let's go ahead and understand how to set up an environment and use it to perform a WAPT.
     H/W requirements: a machine with at least 2 GB RAM and a 2.0+ GHz processor. A network card is also required for connectivity.
     S/W requirements: .NET, Java, Python (2.7), Perl, a virtualization environment (VirtualBox, VMware Player).
     Tools of the trade:
     - OS: Windows/Mac/Linux
     - Browsers: Internet Explorer, Firefox, Chrome
     - Application proxy/scanner: Burp Suite Free, OWASP ZAP, IronWASP, sqlmap, SSLScan, Nikto, Netsparker Community
     - Hosting environment: XAMPP, IIS
     - Miscellaneous: Notepad++, Greenshot, browser extensions
     To start with the basics, we first need a base OS. We will be using Windows 7 for ease of use and software compatibility.
     * Pentesting distributions such as Kali Linux and Samurai WTF are available for security assessments, but because they ship a huge list of tools and scripts, people starting out in this domain find it difficult to go to them directly and learn. Once you are comfortable with this setup, moving to them is definitely a good option. If desired, a virtual environment can be used alongside the base OS.
  3. Let's set up our base environment:
     - Install Firefox and Chrome (IE is already installed). We need all three browsers because they use different engines and behave slightly differently in the way they handle applications.
     - Download and install Java, Python (2.7), Perl and .NET.
     - Download and install XAMPP and the IIS services.
     Now comes the turn of the tools required for testing:
     - Download and install Burp Suite Free (Java required), ZAP (Java required) and Netsparker Community (.NET 4 required).
     - Download and extract sqlmap (Python required), SSLScan and Nikto (Perl required for Nikto).
     Last but not least, some miscellaneous tools:
     - Download and install Notepad++ and Greenshot.
     - Install the browser extensions FoxyProxy, Wappalyzer and Shodan.
     Our environment is set up and we can move forward. The first step is to configure and check connectivity to the target application.
     - If the test environment is already hosted, simply open the application through its URL and check that it is accessible.
     - Otherwise, if the source code is provided, configure the application in the local server environment (XAMPP/IIS) and check that it works.
     - Once accessibility is verified, check that the credentials provided (grey-box testing) work. We can also create test accounts if the application offers such functionality.
     Now that the application is accessible, the first job is information gathering.
     - Use the Wappalyzer add-on to identify the technologies in use.
     - Use Google dorks to identify sensitive paths and files (e.g. site:example.com filetype:swf).
     - Use PunkSpider to find previously known vulnerabilities.
     - Identify open ports and banners using the Shodan add-on.
     - Identify the core functionalities (e.g. credit card payment).
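The connectivity check and the Wappalyzer step above can be reproduced by hand from a single captured response: the status code tells you whether the target is reachable, and the Server and X-Powered-By headers, session cookie names and markup markers tell you the stack. The script below is an added example written for this page (Python 3, not the Python 2.7 installed for sqlmap; it is not code from the deck or from Wappalyzer). The HTTP response it parses is constructed inline, and the signature table is a small hand-picked subset; a real fingerprinting add-on carries thousands of such patterns.

```python
"""Passive technology fingerprinting of one HTTP response (added example)."""
import re

# Constructed sample response standing in for a reply captured in the proxy.
# It was not obtained from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Win32) OpenSSL/1.0.1e PHP/5.5.9\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 3.9">'
    '<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.0"></script>'
    "</head><body>Hello</body></html>"
)

# (technology, where to look, regex). The first non-empty capture group, if any,
# is taken as the version. Hand-picked subset for illustration only.
SIGNATURES = [
    ("Apache", "header:Server", r"Apache(?:/([\d.]+))?"),
    ("IIS", "header:Server", r"Microsoft-IIS(?:/([\d.]+))?"),
    ("PHP", "header:Server", r"PHP/([\d.]+)"),
    ("PHP", "header:X-Powered-By", r"PHP(?:/([\d.]+))?"),
    ("ASP.NET", "header:X-Powered-By", r"ASP\.NET"),
    ("PHP", "cookie", r"^PHPSESSID$"),
    ("ASP.NET", "cookie", r"^ASP\.NET_SessionId$"),
    ("Java Servlet", "cookie", r"^JSESSIONID$"),
    ("WordPress", "body", r'<meta name="generator" content="WordPress ?([\d.]+)?"'),
    ("WordPress", "body", r"/wp-(?:content|includes)/"),
    ("jQuery", "body", r"jquery(?:[.-]([\d.]+))?(?:\.min)?\.js(?:\?ver=([\d.]+))?"),
]


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value)], body).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept as
    separate tuples rather than merged.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body


def classify_status(status_code):
    """Connectivity check: what the first response says about reachability."""
    if 200 <= status_code < 400:
        return "reachable"
    if status_code in (401, 407):
        return "auth required"
    if status_code == 403:
        return "forbidden"
    return "error"


def _version_of(match):
    """First non-empty capture group, or '' when the pattern has no version."""
    return next((g for g in match.groups() if g), "")


def fingerprint(raw):
    """Return {technology: version} for every signature that matches."""
    _, headers, body = parse_response(raw)
    cookie_names = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    found = {}
    for tech, where, pattern in SIGNATURES:
        if where == "body":
            texts = [body]
        elif where == "cookie":
            texts = cookie_names
        else:  # "header:<Name>"
            wanted = where.split(":", 1)[1].lower()
            texts = [v for n, v in headers if n == wanted]
        for text in texts:
            m = re.search(pattern, text, re.IGNORECASE)
            if m:
                version = _version_of(m)
                # Keep a version once we have one; never downgrade to "unknown".
                if tech not in found or (version and not found[tech]):
                    found[tech] = version
    return found


if __name__ == "__main__":
    status, _, _ = parse_response(SAMPLE_RESPONSE)
    print("target:", classify_status(status))
    for tech, version in fingerprint(SAMPLE_RESPONSE).items():
        print("{:<12} {}".format(tech, version or "(version unknown)"))
```

Feed it the raw response copied from the proxy's response pane; the version strings it pulls out are what you later search against vulnerability databases, which is why the Server banner alone (here it leaks Apache, OpenSSL and PHP versions together) is itself worth noting as an information-disclosure finding.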
  4. Figure 1. Wappalyzer result
     After this we can go ahead and run an automated scan on the application.
     - To scan the application we will be using Netsparker Community. Many commercial options are available as well, such as IBM AppScan, Netsparker Commercial and HP WebInspect.
     - In Netsparker we provide the URL of the application to be tested and start the scan.
     - Some advanced features present in the commercial version allow providing credentials and cookies, generating reports, etc.
     Figure 2. Netsparker Community
  5. Note down the details of the vulnerabilities discovered.
     - Use Notepad++ for notes and take screenshots (if required) with Greenshot.
     - The main components of a vulnerability entry are (as applicable to the vulnerability): name and description, URL, parameter, payload, steps to reproduce, HTTP request, HTTP response and mitigation.
     There are also many open source and free tools available for WAPT:
     - To identify issues related to the web server, use Nikto.
     - For applications using SSL/TLS, use SSLScan or the Qualys SSL Labs SSL Server Test.
     - To test for SQL injection vulnerabilities, use sqlmap.
     Figure 3. Qualys SSL Labs
     Now comes the turn of manual testing.
     - Although an automated scan provides broad coverage, manual testing is a must to identify business logic flaws and newly discovered attack vectors.
     - To perform a manual assessment we need an application-level proxy. There are multiple options: Burp Suite, OWASP ZAP, IronWASP, Charles, etc.
     - As application proxies, these tools run a listener on the local system; for example, Burp Suite listens on 127.0.0.1:8080 by default (ZAP also defaults to port 8080, so change one of them if both are to run at the same time). We can use the FoxyProxy add-on to create profiles for Burp Suite and ZAP and switch between them easily.
     - Once the tool is running and the proxy is configured in the browser, open the application in the browser and see the raw request and response in the tool.
  6. - Now that the URL is listed in the target section (Burp Suite/ZAP), we can spider it, run scans on it and perform various manual tests to identify vulnerabilities and to validate the issues found by the automated scan. The information gathered initially is very helpful here.
     Figure 4. Burp Suite configured in the browser
     Once testing is complete we come to the last but important part: reporting.
     - The report is the end result. Clients only see the result, not the effort, so the report needs to state clearly which issues have been identified.
     - The report should contain the description of the vulnerability, technical details, steps to reproduce, proof of concept and, especially, mitigation.
     Things to keep in mind while performing a web application pentest:
     - Perform test cases that might block access (e.g. login brute force) at the end.
     - When running an automated scan, check the number of threads to avoid a DoS-like situation.
     - Inform the client immediately if a critical vulnerability is identified.
     Some common web application vulnerabilities:
     - Cross-Site Scripting (XSS)
     - SQL Injection
     - Cross-Site Request Forgery (CSRF)
     - Business logic issues (e.g. price tampering, multiple coupon usage, negative balance transfer)
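Validating a scanner finding, as the manual-testing step above calls for, means replaying the request with the payload through the proxy and deciding from the response whether the issue is real, then writing down exactly the fields listed for a vulnerability entry (URL, parameter, payload, request, response, mitigation). The script below is an added example for this page, not code from the deck or from any of the tools it names. The URL, parameter name and the three response bodies are constructed stand-ins for what you would copy out of Burp's or ZAP's response pane; it distinguishes a raw reflection of an XSS payload from an HTML-encoded one (a scanner false positive), looks for a DBMS error string after a single quote, and emits the evidence record for the notes.

```python
"""Replay-validate scanner findings and build the evidence record (added example)."""
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "'"

# DBMS error signatures that show an unhandled quote reached the query layer.
DB_ERRORS = {
    "MySQL": r"You have an error in your SQL syntax|mysql_fetch_array\(\)",
    "Microsoft SQL Server": r"Unclosed quotation mark after the character string",
    "Oracle": r"\bORA-\d{5}\b",
    "PostgreSQL": r"pg_query\(\)|unterminated quoted string",
}

MITIGATIONS = {
    "xss": "Context-aware output encoding of every reflected value (HTML-encode here).",
    "sqli": "Parameterised queries / prepared statements; never concatenate input into SQL.",
}

# Constructed responses; they were not captured from any real application.
RAW_REFLECTION = "<html><body><h2>Results for <script>alert(1)</script></h2></body></html>"
ENCODED_REFLECTION = "<html><body><h2>Results for &lt;script&gt;alert(1)&lt;/script&gt;</h2></body></html>"
MYSQL_ERROR = ("<html><body>Warning: mysql_fetch_array() expects parameter 1 to be resource, "
               "boolean given in C:\\xampp\\htdocs\\shop\\item.php on line 12</body></html>")


def inject(url, param, payload):
    """Return `url` with the value of query parameter `param` replaced by `payload`."""
    parts = urlsplit(url)
    query = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def raw_request(url):
    """The GET request as it appears in the proxy's request pane."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return "GET {} HTTP/1.1\r\nHost: {}\r\n\r\n".format(target, parts.netloc)


def xss_reflection(payload, body):
    """'raw' if the payload comes back unencoded, 'encoded' if only escaped, else 'none'."""
    if payload in body:
        return "raw"
    if html.escape(payload) in body:
        return "encoded"
    return "none"


def sql_error(body):
    """Name of the DBMS whose error text appears in the response, or None."""
    for dbms, pattern in DB_ERRORS.items():
        if re.search(pattern, body):
            return dbms
    return None


def validate(kind, url, param, payload, response_body):
    """Decide whether a scanner finding reproduces and return the evidence record."""
    if kind == "xss":
        context = xss_reflection(payload, response_body)
        confirmed = context == "raw"
        detail = "payload reflected {}".format(context)
    elif kind == "sqli":
        dbms = sql_error(response_body)
        confirmed = dbms is not None
        detail = "{} error message in response".format(dbms) if dbms else "no database error"
    else:
        raise ValueError("unknown finding type: " + kind)
    tampered = inject(url, param, payload)
    return {
        "Vulnerability": {"xss": "Reflected Cross-Site Scripting",
                          "sqli": "SQL Injection (error-based)"}[kind],
        "URL": tampered,
        "Parameter": param,
        "Payload": payload,
        "Status": "confirmed" if confirmed else "not confirmed (possible false positive)",
        "Evidence": detail,
        "HTTP Request": raw_request(tampered),
        "HTTP Response": response_body[:120],
        "Mitigation": MITIGATIONS[kind],
    }


if __name__ == "__main__":
    url = "http://shop.example/search.php?q=test&page=1"  # hypothetical target
    for kind, payload, body in (("xss", XSS_PAYLOAD, RAW_REFLECTION),
                                ("xss", XSS_PAYLOAD, ENCODED_REFLECTION),
                                ("sqli", SQLI_PAYLOAD, MYSQL_ERROR)):
        record = validate(kind, url, "q", payload, body)
        for field in ("Vulnerability", "Parameter", "Status", "Evidence", "Mitigation"):
            print("{:<14} {}".format(field + ":", record[field]))
        print()
```

An encoded reflection is the usual reason a scanner's XSS report does not reproduce, so the record keeps the "not confirmed" verdict rather than silently dropping the finding; the error-based SQLi check is only the first confirmation step, and the follow-up extraction is what sqlmap is for.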
  7. Resources:
     - Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Main_Page
     - OWASP Testing Guide v4: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
     - Web Application Security Consortium: http://www.webappsec.org/
     - SecDocs: http://www.secdocs.org/
     - WordPress Vulnerability Database: https://wpvulndb.com/
  8. About Octogence Tech Solutions
     Octogence is an information security service provider that focuses on business-centric security assessment. Our aim is to help organizations be more secure in cyberspace so that they can stop worrying about data breaches and focus on their business. Our highly qualified, experienced and motivated team aims to provide our clients the service and quality they expect. We have the expertise as well as the flexibility to provide customized solutions depending on the client's requirements.
     Our services:
     - Web Application Pentesting
     - Mobile Application Pentesting
     - Network Pentesting
     Some companies in which our team has previously discovered vulnerabilities (logos shown in the original deck):
     Some products we have helped to be more secure (logos shown in the original deck):
     For any information and support contact:
     - Chandan Agarwal, Sales Executive, +91-9971773414, chandan@octogence.com
     - Sudhanshu Chauhan, Principal Consultant, +91-9971658929, sudhanshu@octogence.com
     * Each logo is the trademark property of its respective owner(s). They appear only for representative and illustrative purposes and do not reflect affiliation.