Web Application Pentest Guide Part-I
In this article, we are going to pentest a web application which was developed by HP for scanner evaluation purpose. We will be demonstrating the complete process of a basic web application pentest from requirement collection to reporting. These are following steps we are going to follow:
- Requirement Collection
- Information Gathering
- URL Discovery
- Automated Scanner Configuration
- Manual Testing
- Reporting
Requirement Collection: This is the first step where we communicate with the application owner and ask them for the application URL once we get the URL then confirm whether it is live production environment or it is testing/staging environment. If the owner provides the production environment then first inform them take the backup for the database and also inform them there it is possible that during pentest the application might go down due to scanning. If testing/staging environment is provided, then it is okay to go ahead but still giving a heads up for downtime will be good. Discuss with the application development team for understanding the application functionality and ask them for how many types of user roles are there? If there are then ask them for test credential for all types of user roles for testing privilege escalation type of vulnerabilities. So, in our case, we are going to test the following application http://zero.webappsecurity.com with one credential.
FREE role-guided training plans
Information Gathering: Once we will receive the relevant details from the first step (requirement collection) then we can start pentesting the application. First, we will have to identify the application technology such as the language on which the application is developed i.e. PHP, Java, Asp.NET, etc. then check if the application is developed on any Framework such as CakePHP, CodeIgniter, Yii Framework, Django, etc. Now how to identify these technologies? There are some simple ways to identify the application technologies such as for the language and Framework identification we can check it from https://builtwith.com/ just copy paste the application URL and it will show the details.
As can be seen above we have scanned a web application, and it is showing the language is PHP and Framework is CodeIgniter. So, this technique not always works like in our case we were not able to find the application technology for http://zero.webappsecurity.com. Now we are going to explore the other ways for language identification:
- Check for the file extension such as .pup, .aspx, .jsp
- What if the application file does not have any extension? Look for the session and cookie values that reveal it all. Say for example the session is PHPSESSID that means it is PHP based site, JSESSIONID that means a java based site, ASP.netsessid that means ASP.Net based site. If the sessionid is new for you and you have never seen that kind of session value like the below shown image:
Say for example ci_session is the first time we saw and we are not able to identify the application technology, so we just search the same session id name on Google and let's see what it shows:
As can be seen above the session refers to CodeIgniter framework. No, we will see the example for our target.
As can be seen in cookie session is JSESSIONID which means it is Java based application URL although the file extension is showing HTML.
URL Discovery: It is the most important part of the pentest where we will browse the whole application by triggering every functionality of the application and capture all request in Burp Suite.
As can be seen in above image the application has Account Summary, Account Activity, Transfer Funds. Pay Bills, My Money Map and Online Statements module now go to each module and click on every link if there is any form then fill some data in the form fields and submit it. Now go to Burp Suite > sitemap section and we will be able to see all our browsed URLs are in the sitemap.
After that we will run a spider on the sitemap for auto crawl the application, if we have missed out any functionality during browsing, then it will be crawled by Burp Suite.
Once we are done with the application functionality browsing and crawling now, we will do Google search. This thing is requiring if the application is available on the internet otherwise skip this one. We will use Google dorks for finding cache URLs of the application by Google for this just type in site: zero.webappsecurity.com.
As can be seen above just from Google search we can see all our target applications files, and directory and some of them are sensitive in nature which should not have been exposed on the internet such as admin directory.
We just accessed the admin directory, and it reveals all username and passwords.
As we can understand the criticality of the issue by simple google search how a malicious user can compromise the application without running any tools.
Next will use brute force technique for finding internal files of the application for this we will DirBuster tool.
As can be seen above we have brute forced our target URL, and DirBuster has found some directory which we have not found from Google search and manual browsing. Now we will check all directories which have 200 Response for example admin we have already found from Google search, so we will look at other directories. We opened the /docs path, and we found that it contains Apache Tomcat documentation which is a default directory which comes with Tomcat during installation. So, we can report this one as an information level vulnerability from which an attacker can gather the information about running a web server with its version.
Next, we accessed the /errors directory which contains error log.
The log contains all failed login attempts may be some malicious user was trying to brute force the login page or some valid user forgot his/her account password so we can report this issue as an informational vulnerability from where an attacker can scrap usernames.
We moved to another directory which was /web-services.
This directory contains the SOAP service URL which shouldn't be exposed and accessed publicly. An attacker can access the WSDL file and can invoke request to the application.
What should you learn next?
In next part of the article, we will discuss the scanning, manual testing, and reporting part.