| description | cover | coverY |
|---|---|---|
| Love/Hate relationship with web pages | | 375 |
- Visual inspection / "mess around" with the web application -- Take note of what the normal/expected behavior is. What seems off or broken? What is the web server's native programming language? Check robots.txt.
- Dirsearch -- Vary the wordlist (default and medium wordlists), specify a proxy if needed, and use the correct port and path.
- Nikto -- Vulnerability scan / easy win?
- Wappalyzer -- What versions are running? Google and Searchsploit them all.
- Source code -- Is there anything in the source code? Easy wins via usernames, emails, domains, secret comments?
OWASP Top 10 (2021):
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
Username: `' or 1=1-- -`
Password: `' or 1=1-- -`
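Why the payload above gets past a login built by string concatenation, and why a parameterized query is not affected, as an added example that is not part of the original notes (Python's sqlite3 with a constructed users table; plaintext password storage is only to keep the example short):

```python
import sqlite3

PAYLOAD = "' or 1=1-- -"


def setup_db():
    """Constructed sample table with a single known user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext for brevity only; a real system stores a salted hash.
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return db


def login_vulnerable(db, username, password):
    """Input is spliced into the SQL text, so the quote closes the string,
    `or 1=1` makes the WHERE clause always true, and `-- -` comments out
    the rest of the query (including the password check)."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Bound parameters: the driver passes the input as data, so the quote
    and comment characters never become SQL syntax."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:    ", login_vulnerable(db, PAYLOAD, PAYLOAD))      # alice
    print("parameterized: ", login_parameterized(db, PAYLOAD, PAYLOAD))  # None
```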
As a pentester, you need to gather information about the web application.
While testing a web app, you should be constantly asking yourself these questions:
- What is the purpose of the application?
- What language is the web application written in?
- What version is the web application running?
- How is the web application being hosted?
- Does the web application connect to a database? If so, which database software is it using, and what version?
Once you have identified the components of the web application, you can proceed to the next phase: enumerating the components and issues you identified, rather than blindly running exploits against the web app.
- Enumeration is crucial for reviewing all possible attack vectors that could compromise the web application.
Reviewing URLs:
- File extensions
- Routes
- Hidden web directories (robots.txt or sitemap.xml)
- Non-standard ports
Reviewing the content of the web page:
- Always review the source code of the web page
- Inspect every element to see how the web app works
- Review the request and response headers to understand how the web application behaves when you perform certain actions against it
- Check for admin consoles (WordPress applications will have a directory /admin that can be used to access the WordPress admin console)
{% embed url="https://www.youtube.com/playlist?list=PLqG-wtrX3aA_wYTrnDHoCBkKBoI4z9oLd" %} Secure Ideas {% endembed %}
{% embed url="https://www.bugcrowd.com/resource/introduction-to-burp-suite/" %} Jason Haddix Webinar {% endembed %}
A web server scanner that performs tests against the web server for multiple items. This tool is not only used to scan for vulnerabilities in the web application; it also checks server configuration, including multiple index files and HTTP server options, and attempts to identify the installed version.
- Very noisy
A tool designed for testing, debugging, and interacting with APIs and HTTP servers. Its `http` and `https` commands allow you to create and send arbitrary HTTP requests.
When an administrative login panel is left exposed, it can make it significantly easier for hackers to compromise that site. However, this depends on the security configuration and permissions that the developer/application has implemented.
As pentesters, we can execute techniques such as:
- Brute-forcing
- Signing in with compromised or otherwise obtained credentials
- Exploiting an unpatched and vulnerable system
{% embed url="https://www.exploit-db.com/search?q=Authentication+Bypass" %} Examples of authentication bypass {% endembed %}
- CASAP Automated Enrollment System: https://www.exploit-db.com/exploits/49463
- Alumni Management System 1.0: https://www.exploit-db.com/exploits/48883
- Online Hotel Reservation System 1.0: https://www.exploit-db.com/exploits/49420
Vulnerability-Specific:
- OWASP cross-site scripting (XSS): https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- OWASP Directory Traversal Vulnerabilities: https://owasp.org/www-community/attacks/Path_Traversal
- OWASP SQL Injection: https://www.owasp.org/index.php/SQL_Injection
- Pentest Monkey SQL Cheat Sheets: http://pentestmonkey.net/category/cheat-sheet/sql-injection
- File Inclusion Vulnerabilities (Metasploit Unleashed): https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
- OWASP Testing for LFI: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
Hands-on areas to improve your web attack skills:
- Metasploitable 2
{% embed url="https://metasploit.help.rapid7.com/docs/metasploitable-2" %}
Guide:
https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide
Also do TCM's web security course again!
Overthewire:
http://overthewire.org/wargames/natas/