Web Application Pentesting
I am going to show you how to do web application pentesting in the real world: what you need to include in your report, and how the OWASP Testing Guide v4 fits in. We will follow the OWASP Testing Guide to structure both the testing and the report.
For this purpose I will use the OWASP Juice Shop as the target, and I will also give hints for some vulnerabilities that you can find in the real world but that are not present in Juice Shop. This will be a long series; I will try to complete it in 3-4 articles. Some vulnerabilities will depend on the application you test and on how that particular application behaves.
For the vulnerabilities that are not available in Juice Shop, I will try to give you tips or steps to find them. If you want to follow along, you can install OWASP Juice Shop on your Linux or Windows system.
- Owasp Testing Guide V4
- Juice Shop
- Cross-Site Scripting
- Free Web security
- Basic Burp Suite
- GitHub Footprinting
Make sure you check out the resources above to understand the vulnerabilities we will find. We will not go into detail about each vulnerability; we will only look at the methodology for finding them during your pentest.
1. Web Application Footprinting
Information From Free Sources
In pentesting it is important to gather as much information as possible about the target application, for two main reasons. First, it helps with later attacks. Second, if the information is sensitive, we can add it as a low or medium finding depending on what we found.
For footprinting, we can gather information from Google or other free sources such as GitHub. If the information is sensitive and should not be publicly available, we can add it to our report. Check out the resource above for GitHub recon.
Check the HTML source of the web page. Look for information such as the framework, version numbers or developer comments. Again, if we find information that should not be there, we can add it to our report.
Now, this is the most common finding you will see in applications. If the web application discloses server information such as the server name, version or language framework in its response headers, we add it as a low finding. The easiest way to check is through the browser itself; whether you use Chrome or Firefox does not matter. For example, in Chrome:
Open the website in Chrome -> right click -> select Inspect -> select the Network tab -> refresh the page.
Scroll up and click on the first request; you can now see the response headers. If the application reveals information like PHP, Apache or IIS, take a screenshot as the POC.
If the web application also shows a version, such as Apache 2.0 or PHP 5, you can add it to your report as an outdated version and use the same screenshot as the POC.
You can also use curl to get the response headers, but it is not a good way to present the POC in our report. It is recommended to add a browser or proxy (Burp Suite) screenshot for server fingerprinting and outdated versions.
$ curl -I https://example.com
DNS & IP Information
Now we need to find the DNS information for the target domain, but first let's find out its IP address. We could do this with a plain ping, but that gives us nothing else useful, so instead we will do a whois lookup, which returns the IP together with other information.
Simply go to Google and search for "whois lookup"; I personally use this website. Enter the target domain and analyse the result, such as the domain registrant, to see whether it is hosted on a third-party or self-hosted server. Check the name servers and IP address.
Now let's find the DNS information through nslookup, which is available on every OS you might be using.
$ nslookup -querytype=ANY google.com
$ nslookup -type=PTR IP-address
$ nslookup -type=MX google.com
Another way to find DNS information is through Google: search for "DNS lookup" and pick any of the websites. Now let's take a look at the Linux tools.
$ dnsenum google.com
$ dig google.com ANY
$ dig -x <ip-address>
$ host -t axfr google.com <name-server>
For those who don't know about AXFR, or DNS zone transfer, I suggest learning DNS basics. In short, a zone transfer lets a secondary server copy the primary DNS zone using AXFR. The AXFR request itself carries no authentication, so if the server does not restrict who may ask, anyone can create that copy, and from it you get the details of every host and the other DNS records in the zone.
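The fix on the server side is an access-control list on the transfer, which is what makes the AXFR request above fail with REFUSED on a properly configured name server. The following BIND 9 `named.conf` fragments are an added example and not configuration from the original post: the first shows the permissive setting, the second the restricted one. The zone name, file path and the secondary's address 192.0.2.2 are placeholders.

```conf
// Permissive: every client that asks receives a full copy of the zone.
options {
    allow-transfer { any; };
};

// Restricted: refuse transfers globally, then allow only the named
// secondary (placeholder address) for the zones it actually serves.
options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";   // placeholder path
    allow-transfer { 192.0.2.2; };           // the secondary's address only
};
```

The two `options` blocks are alternatives, not meant to coexist in one file. After the change, re-run the `host -t axfr` query from outside the allowed address and confirm it is refused; that refusal is the evidence you keep, just as the successful transfer would have been the finding.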
Now we look at the HTML source code to find information such as comments or other sensitive details. If you find anything sensitive, you can add it to your report as sensitive information exposure.
Cookie fingerprinting also lets us identify the server technology. Many frameworks and applications set a session cookie with a default name; for example, a PHP-based application uses a cookie named PHPSESSID, which tells us PHP is being used on the server side. We will add this to the report, but not yet: we will cover all cookie-related issues later in this series. For now it is useful as a piece of information.
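Both the response-header check from the `curl -I` step and the default-cookie-name check here boil down to reading one raw response and noting what it gives away. The script below is an added example, not code from the original post: it parses a constructed `curl -I`-style response, reports technology headers (flagging a version number when one is present, since that is what turns a fingerprint into a possible outdated-version finding) and recognises a few well-known default session cookie names. The header list and the cookie-name table are assumptions for illustration; extend them with what you see on real engagements.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a raw response as `curl -I` prints it (not from any real server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: cart=empty; path=/
Content-Type: text/html; charset=UTF-8
"""

# Headers whose presence alone reveals the server-side stack (assumed list).
FINGERPRINT_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}

# Well-known default session cookie names and the technology each implies
# (assumed mapping for illustration; extend it with what you see in practice).
DEFAULT_COOKIE_NAMES = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "connect.sid": "Express (Node.js)",
    "laravel_session": "Laravel",
}

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split raw header text into (name, value) pairs; names are lowercased and
    repeated headers such as Set-Cookie are all kept."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or garbage
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def fingerprint(raw: str) -> List[Dict[str, str]]:
    """Return one finding per disclosure: technology headers (with the version
    when one is present) and recognised default session cookie names."""
    findings = []
    for name, value in parse_headers(raw):
        if name in FINGERPRINT_HEADERS:
            match = VERSION_RE.search(value)
            findings.append({
                "category": "version disclosure" if match else "server fingerprint",
                "evidence": f"{name}: {value}",
                "detail": match.group(0) if match else "",
            })
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip().lower()
            tech = DEFAULT_COOKIE_NAMES.get(cookie_name)
            if tech:  # application-specific cookies like "cart" tell us nothing here
                findings.append({
                    "category": "cookie fingerprint",
                    "evidence": f"{name}: {value}",
                    "detail": tech,
                })
    return findings


if __name__ == "__main__":
    for finding in fingerprint(SAMPLE_RESPONSE):
        print(f"[{finding['category']}] {finding['evidence']}  ->  {finding['detail']}")
```

Run on the constructed sample it reports two version disclosures (Apache 2.4.29 and PHP 7.2.24) and one cookie fingerprint (PHP). A version string alone only tells you what is advertised; whether it is actually outdated is something you verify against the vendor's release history before raising the severity, as the post does with its screenshot-based finding.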
Subdomains are also an important factor during web application pentesting. Most of the time you will have only one domain or subdomain in scope and the other domains will be out of scope; in that case you do not need to enumerate subdomains. If subdomains are in your scope, it is important to find all of them. Let's look at some Linux tools and a Google search for finding subdomains.
$ git clone https://github.com/aboul3la/Sublist3r
$ cd Sublist3r
$ sudo pip install -r requirements.txt
$ python sublist3r.py -d example.com
$ apt-get install golang
$ wget https://github.com/projectdiscovery/subfinder/releases/download/v2.3.2/subfinder-linux-amd64.tar
$ tar -xzvf subfinder-linux-amd64.tar
$ mv subfinder-linux-amd64 /usr/bin/subfinder
$ subfinder -d google.com
These two are the most popular tools for subdomain enumeration, but remember: if a subdomain is not in your scope, don't touch it. You can also use a Google dork to find subdomains, like this:
site:.google.com
site:google.com -site:www.google.com
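The scope warning above is easy to get wrong when a tool returns hundreds of names, so it is worth filtering the output mechanically before anything is touched. The script below is an added example and not part of the original post or of Sublist3r/subfinder: it takes a constructed scope list and constructed enumeration output, deduplicates case and trailing-dot variants, and splits the names into in-scope and out-of-scope lists. Plain scope entries match exactly; a `*.parent` entry matches any name below the parent but not the parent itself, and suffix checks include the leading dot so a look-alike such as `api.example.com.evil.test` is never treated as in scope. The scope format itself is an assumption; use whatever your engagement agreement specifies.

```python
from typing import Iterable, List, Tuple

# Constructed scope statement and tool output (not real engagement data).
SCOPE = ["www.example.com", "api.example.com", "*.shop.example.com"]
ENUMERATED = [
    "www.example.com",
    "dev.shop.example.com",
    "shop.example.com",            # parent of the wildcard entry, not covered by it
    "mail.example.com",
    "api.example.com",
    "api.example.com.evil.test",   # looks similar but is a different registered domain
    "WWW.Example.com.",            # same host as the first line: different case, trailing dot
]


def normalize(host: str) -> str:
    """Lowercase and strip whitespace and any trailing dot so comparisons are exact."""
    return host.strip().rstrip(".").lower()


def in_scope(host: str, scope: Iterable[str]) -> bool:
    """A plain entry matches only that exact host; '*.parent' matches any name
    below parent (not parent itself). The suffix check keeps the leading dot so
    'example.com.evil.test' can never match an entry for example.com."""
    host = normalize(host)
    for entry in scope:
        entry = normalize(entry)
        if entry.startswith("*."):
            if host.endswith("." + entry[2:]):
                return True
        elif host == entry:
            return True
    return False


def split_by_scope(hosts: Iterable[str], scope: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Deduplicate enumeration output and separate it into in-scope and out-of-scope lists."""
    allowed, excluded, seen = [], [], set()
    for raw in hosts:
        host = normalize(raw)
        if not host or host in seen:
            continue
        seen.add(host)
        (allowed if in_scope(host, scope) else excluded).append(host)
    return sorted(allowed), sorted(excluded)


def write_scope_file(path: str, hosts: Iterable[str], scope: Iterable[str]) -> int:
    """Save both lists to a text file for the report; returns the number of in-scope hosts."""
    allowed, excluded = split_by_scope(hosts, scope)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# in scope\n" + "\n".join(allowed) + "\n")
        fh.write("# out of scope (do not test)\n" + "\n".join(excluded) + "\n")
    return len(allowed)


if __name__ == "__main__":
    allowed, excluded = split_by_scope(ENUMERATED, SCOPE)
    print("in scope:", allowed)
    print("out of scope:", excluded)
```

On the constructed data this yields three in-scope names (`api.example.com`, `dev.shop.example.com`, `www.example.com`) and three excluded ones; `write_scope_file` stores both lists so the out-of-scope names are also preserved as evidence of what was deliberately not tested.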
Now we have finished our footprinting. Remember two things.
Footprinting is not limited to this; what we have done is the common approach. Sometimes you will need to go to other sources and other tools. The more footprinting you do, the easier it becomes to find vulnerabilities. You can check the Nahamsec Twitch live stream for more recon information.
Always save all the details you gather. They will be helpful when you go deeper and when you write the report. You can save all the output, such as subdomains, DNS info, whois, IPs or server info, into a file or mind-mapping software.
In the next post we will use Burp Suite for testing, along with two footprinting steps that I did not want to cover now, because for those we interact directly with the web application. For now this is good enough. I hope you now have an idea of what web application pentesting looks like.