3.1-intro-to-web-app-pentesting.md

3.1 Intro to Web App Pentesting

⚡ Prerequisites

• Basic Network and Cybersecurity Concepts

📕 Learning Objectives

• Understand Web protocols
• Perform webapps enumeration
• Perform SQL injection, XSS and brute-force attacks

🔬 Training list - PentesterAcademy/INE Labssubscription required

• ​Web Application Basics​
• ​Web Apps Tools of Trade​

​

Web App Pentesting is a method of evaluating the security of a web application by simulating a cyberattack. The goal of such testing is to identify vulnerabilities and weaknesses within the application that malicious hackers could exploit. By conducting these tests, organizations can proactively strengthen their web applications' security and protect sensitive data.

Key aspects of web application penetration testing include:

1. Identifying Vulnerabilities: Penetration testers aim to discover security vulnerabilities, such as code flaws, misconfigurations, and design weaknesses that could be exploited by attackers. Common vulnerabilities include SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure authentication methods.
2. Mimicking Real Attacks: Testers simulate real-world attack scenarios to determine how an attacker might compromise the application. This might involve attempting to gain unauthorized access, execute code, or extract sensitive data from the application.
3. Manual and Automated Testing: A combination of manual testing by skilled security professionals and automated tools is typically used. Manual testing allows for more comprehensive exploration, while automated tools can efficiently scan for common vulnerabilities.
4. Exploitation and Verification: If a vulnerability is identified, the tester may attempt to exploit it to demonstrate its real-world impact. This often involves attempting to escalate privileges or access sensitive data. The success of the exploitation helps confirm the vulnerability's severity.
5. Reporting: The results of the penetration test are documented in a comprehensive report, including the identified vulnerabilities, their severity, and recommendations for remediation. This report serves as a roadmap for addressing security issues.
6. Remediation: After vulnerabilities are identified, the development and security teams work together to address and fix the issues. This may involve patching code, changing configurations, or implementing new security measures.
7. Ongoing Testing: Web application penetration testing is not a one-time effort. Regular testing, especially after significant changes to the application, is crucial to maintaining a strong security posture.

The objectives of web application penetration testing are to:

• Uncover and fix security vulnerabilities before malicious attackers can exploit them.
• Ensure compliance with industry standards and regulations.
• Increase the overall security and trustworthiness of the web application.
• Safeguard sensitive data, user accounts, and user privacy.
• Minimize the risk of security breaches and data leaks.

Web and HTTP Protocol​

🔗📝 Some Web Applications Basics notes are already covered here (from the PTSv1 Course)

🗒️ HTTP (HyperText Transfer Protocol) is a protocol used for communication between web servers and clients, such as web browsers. HTTP key features are:

• Client-Server Architecture
• Stateless Protocol
• Request Methods
• Status Codes (200,404,500, etc)
• ​Headers (additional information about the request/response)
• Cookies (store info on the client-side)
• Encryption (HTTPS)

📌 RFC 9110 - HTTP Semantics​

​Request Methods​

HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Commonly used HTTP requests are:GET - retrieve data from the serverHEAD - retrieve metadata about a resource from the serverPOST - submit data to the serverPUT - update an existing resource on the serverDELETE - delete a specified resourceCONNECT - establish a tunnel to the server identified by the target resourceOPTIONS - describe the communication options for a resourceTRACE - perform a message loop-back test along the path to the resourcePATCH - apply partial modifications to a resource

​Response Status Codes​

HTTP response status codes indicate whether a specific HTTP request has been successfully completed. They are grouped in five classes:

• 100-199 - Informational responses
• 200-299 - Successful responses
• 300-399 - Redirection messages
• 400-499 - Client error responses
• 500-599 - Server error responses

​Cookies​

An HTTP cookie is a small piece of data that a server sends to a user's web browser. The web browser may store the cookie and send it back to the same server with later requests. Cookies are mainly used for these purposes:

• Session management
• Personalization
• Tracking

​HTTPS​

🗒️ HTTPS (HTTP Secure) is the encrypted version of HTTP that uses a combination of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol and HTTP protocol to provide secure communication.When a client connects to an HTTPS-enabled website, the server sends its SSL/TLS certificate to the client. The client verifies the certificate to ensure that it is issued by a trusted certificate authority and that it is valid. If the certificate is valid, the client and the server establish a secure connection using a unique session key.

🔬 There are many vulnerable testing web apps like:

• ​Juice Shop - Kali Install​
• ​DVWA - Kali Install​
• ​bWAPP​
• ​Mutillidae II​

📝 Check the HackerSploit's Web App Penetration Testing Tutorials​# bWAPP with Docker - by HackerSploitsudo docker pull hackersploit/bwapp-docker​sudo docker run -d -p 80:80 hackersploit/bwapp-docker# Open http://127.0.0.1/install.php​sudo docker container lssudo docker container stop <CONTAINER_NAME>sudo docker container start <CONTAINER_NAME>

nmap -sV -p 80,443,3306 demossl.ine.local

Scanning & Enumeration

Directory Enumeration - Gobuster​

​Gobuster - a tool used to brute-force URIs including directories and files as well as DNS subdomains.# Kali Linux Installsudo apt update && sudo apt install -y gobuster​# Go Installgo install github.com/OJ/gobuster/v3@latest

Directory Enumeration - BurpSuite​

​BurpSuite - an integrated platform for performing security testing of web applications.# Kali Linux Installsudo apt update && sudo apt install -y burpsuite

🔬 Check HTTP Web App Enumeration lab covering HTTP Method and Directory Enumeration Techniques

Scanning WebApp - ZAProxy​

​Zaproxy - OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.# Kali Linux Installsudo apt update && sudo apt install -y zaproxy

Scanning WebApp - Nikto​

​Nikto - a pluggable web server and CGI scanner written in Perl, using rfp’s LibWhisker to perform fast security or informational checks.# Kali Linux Installsudo apt update && sudo apt install -y nikto

🔬 Check HTTP Web App Scanning lab covering Web Apps scanning techniques

Attacks

​SQLMap - an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.# Kali Linux Installsudo apt update && sudo apt install -y sqlmap​XSSer (Cross-Site Scripter) - an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.# Kali Linux Installsudo apt update && sudo apt install -y xsser

SQLi

🗒️ SQL Injection attacks consist of insertion or “injection” of a SQL query via the input data from the client to the application, allowing an attacker to interfere with the database queries of the vulnerable web application.

• ​What is a SQLi? - PortSwigger​

XSS

🗒️ Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites, allowing an attacker to compromise the interactions that users have with a vulnerable application.

• ​How does XSS Work? - PortSwigger​

🔬 Check Web App Attacks lab covering Web Apps Attacking techniques