So far in web application testing we have looked at the footprinting step. Now we will use Burp Suite and try to gather some information about how the application works. This is the most important part of web testing: you should understand how the application works. But before that, let's use one tool which I didn't show in the last article.
- Owasp Testing Guide V4
- Juice Shop
- Cross-Site Scripting
- Free Web security
- Basic Burp Suite
- GitHub Footprinting
- Web Application Pentesting Part 1
- HTTP Methods
- WordPress Pentesting
- Owasp Security misconfiguration (Default username)
- Owasp Broken Authentication ( username Enumeration)
We have already covered server fingerprinting, but that was from the report point of view: checking the HTTP response headers and, if the server information is there, adding it to our report. But what if there is nothing in the HTTP response headers? Then we won't add it to our report, but as testers we still need some information about the application in order to test it, not for the report but for ourselves.
To find the server-related information we will use the most popular tool, WhatWeb. It's preinstalled in Kali.

```bash
$ apt-get install whatweb
$ whatweb --help
$ whatweb google.com -v
```
Burp Suite For Web Application Testing
Now we need to find out all the URLs in the target website so we can go through them and check everything we can do. If you don't know the basics of Burp Suite, check out the resource links above. To crawl the website, make sure Burp Suite is running and configured with your browser.
Go to the target website through the browser configured with Burp Suite and make sure intercept is off. Visit some pages through the browser. Now go back to the Target tab in Burp Suite and check. Right-click on the target website in the Target tab and select Add to scope.
Right-click on the filter and select Show only in-scope items; this filters the view so it shows only the target you have added to your scope and not other websites.
Note: Burp Free won't let you do many things; for example, for crawling it won't let you configure the options and will miss many web pages. It's recommended to use Burp Suite Pro; it is worth it for web application testing. I won't recommend it, but if you can't purchase it there are cracks available.
I am using Burp Suite Pro. In case you are using the free version, you have to visit every URL with Burp Suite connected to your browser to build the sitemap in the Burp Suite Target tab.
While testing an application you should ask yourself these questions and try to find the answers from enumeration and footprinting. The questions I personally ask are:
- What is the application about, e.g. is it eCommerce or banking? And what features should be available; for example, in an eCommerce application there should be a payment option, a cart, etc.
- Does the application have any upload function?
- What parameters are there? How do they work with user-supplied data?
- Is there any login page? How is data stored on the server side?
- Does the application show any error messages?
These are just some examples. The answers to all these questions come from footprinting and enumeration, and for some questions from the Burp Suite crawler. I have my Juice Shop ready and already crawled by Burp Suite.
Directory Fuzzing In Web Application testing
Directory fuzzing is something like a dictionary attack, where we use a wordlist of common directory names found in web applications, for example google.com/admin or google.com/backup.bak. The admin directory and the backup file are present but cannot be found by browsing because they are not linked anywhere, so the Burp Suite crawler, and even we manually, can't find them.
To find some common directory names we need a wordlist and a tool to send many requests with the common names from that wordlist. We can do it from the Burp Suite Intruder tab. If you have read the basic Burp blog you might know how to do that.
But we are not going to use Burp Suite for this purpose. We will use DirBuster. It's a directory fuzzing tool from OWASP and preinstalled in Kali Linux. To start it, type the following command in your Kali terminal.
- Target URL
- Method: GET is enough
- Threads means the number of parallel requests; as this is a local target we can go faster.
- Fuzzing method: list based means the names come from a file containing common names; pure brute force means trying every possible combination of a-z, 0-9, etc.
- The path for the wordlist: DirBuster comes with 4-5 directory lists; choose any.
Once we find some directories, open them in the browser so Burp Suite adds them to the sitemap.
Let's enumerate the application. There are many ways to do that, but for now try to find the default credentials. Many times developers forget to change the password for the accounts they created for testing purposes.
Some common username/password pairs are admin/admin, admin/test, test/test and admintest/admintest. If you find any of these as working credentials you can add it to your report as default credentials. In the OWASP Top 10 it's at no. 6 as Security Misconfiguration.
Now let's find out whether the application reveals username information, as in the WordPress pentesting blog if you have read it. Enter the correct username and a wrong password and see how the application responds.
Now enter a wrong username and any random password and see how the application responds. If the application replies with "incorrect username" or "invalid username" for the wrong username, and in the case of the right username with a wrong password replies with "incorrect password for the username XYZ", then the responses differ and we can say enumeration is possible.
The point is you can't add enumeration to your report every time. Sometimes you should add it and sometimes not. It depends on the application and the client, and sometimes experience matters here.
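The two checks above (default credentials and the differing-response test) as an added example, not code from the original post or from Juice Shop. The user store and the two login handlers are constructed stand-ins for a real login endpoint; one leaks which usernames exist, the other returns a single generic message.

```python
"""Default-credential and username-enumeration checks against a login function.

Added example, not part of the original post. USERS and both login handlers are
constructed stand-ins for a real application's login endpoint.
"""
import hmac

# Constructed demo store: a forgotten test account plus a regular user.
USERS = {"admin": "admin", "alice": "correct-horse"}

# The default pairs listed in the post.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "test"),
                       ("test", "test"), ("admintest", "admintest")]


def login_verbose(username, password):
    """Leaky handler: the message tells the caller whether the username exists."""
    if username not in USERS:
        return 401, "Invalid username"
    if not hmac.compare_digest(USERS[username], password):
        return 401, f"Incorrect password for the username {username}"
    return 200, "Welcome"


def login_generic(username, password):
    """Hardened handler: one message for both failure cases."""
    # Compare against an empty string so a missing user takes the same code path.
    stored = USERS.get(username, "")
    if not stored or not hmac.compare_digest(stored, password):
        return 401, "Invalid username or password"
    return 200, "Welcome"


def find_default_credentials(login):
    """Return every default pair the handler accepts (status 200)."""
    return [pair for pair in DEFAULT_CREDENTIALS if login(*pair)[0] == 200]


def enumeration_possible(login, known_user, unknown_user="nosuchuser_zz9"):
    """The post's check: right user + wrong password vs. wrong user + any password.
    If status or message differ, the response reveals which usernames exist."""
    known = login(known_user, "definitely-wrong")
    unknown = login(unknown_user, "definitely-wrong")
    return known != unknown


if __name__ == "__main__":
    for handler in (login_verbose, login_generic):
        print(handler.__name__, find_default_credentials(handler),
              "enumeration" if enumeration_possible(handler, "alice") else "no enumeration")
```

Note that the generic message fixes the enumeration finding but not the default-credential finding; both handlers still accept admin/admin.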
It's not possible to read all the JS code, but we should go through it. You can read it from the Inspect Element option in the browser.
HTTP methods, or verbs, are used for different purposes, but some methods should not be available to anyone apart from the developers. The most common HTTP methods available are GET and POST. If anything apart from these two is enabled then it's a problem. To test we need the Burp Suite Repeater tab.
Send any request to the Burp Suite Repeater tab, for example the home page request, and change the request method to OPTIONS, which will list all the allowed methods. Even the OPTIONS method itself should not be allowed, because it lets us list the available methods.
You can see in the picture above that the application accepts many methods. We can add this to our report as low or medium depending on the allowed methods; for example, PUT or DELETE are more dangerous, so in that case it should be medium.
But here we used OPTIONS to list all the methods; if other methods are allowed but OPTIONS is not, that won't work. In that case we have to try all the methods one by one. Check out the resource link above.
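The method check described above, written out as an added example (not the post's own code): the OPTIONS reply and the per-method status codes below are constructed, and treating 405 and 501 as "method rejected" in the one-by-one fallback is my assumption.

```python
"""Rate the HTTP methods a target allows, from an OPTIONS reply or per-method probes.

Added example, not part of the original post. Sample responses are constructed.
"""
# Per the post: only GET and POST are expected; PUT or DELETE raise the finding to medium.
EXPECTED = {"GET", "POST"}
MEDIUM_RISK = {"PUT", "DELETE"}
# Assumption: these status codes mean the server rejected the method outright.
NOT_ALLOWED_STATUSES = {405, 501}


def allowed_from_options(raw_response: str) -> set:
    """Parse the Allow header out of a raw OPTIONS response (Repeater-style text)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def allowed_from_probes(status_by_method: dict) -> set:
    """Fallback when OPTIONS is blocked: each method was sent on its own and its
    status code recorded; anything the server did not reject counts as allowed."""
    return {m.upper() for m, status in status_by_method.items()
            if status not in NOT_ALLOWED_STATUSES}


def rate_finding(allowed: set) -> str:
    """Map the allowed set to the report severity used in the post."""
    extra = allowed - EXPECTED
    if extra & MEDIUM_RISK:
        return "medium"
    if extra:            # OPTIONS, TRACE, HEAD, ... anything beyond GET/POST
        return "low"
    return "none"


# Constructed sample: a permissive server answering OPTIONS ...
OPTIONS_REPLY = ("HTTP/1.1 200 OK\r\n"
                 "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\n"
                 "Content-Length: 0\r\n\r\n")
# ... and a locked-down one where OPTIONS is blocked and each method was probed.
PROBES = {"GET": 200, "POST": 200, "OPTIONS": 405, "PUT": 405, "DELETE": 405, "TRACE": 405}

if __name__ == "__main__":
    print(sorted(allowed_from_options(OPTIONS_REPLY)), rate_finding(allowed_from_options(OPTIONS_REPLY)))
    print(sorted(allowed_from_probes(PROBES)), rate_finding(allowed_from_probes(PROBES)))
```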
You can check the OWASP Testing Guide V4 XLS to see how we are progressing in our web application testing; we are almost following it.