SANS Penetration Testing

Web App Tips, Tricks and Resources

[Editor's Note: Here is the fifth in our series of penetration testing tips drawn from the Ultimate SANS Pen Test Poster. This time, our focus is on specific recommendations from Kevin Johnson about web app pen test tips, tools, resources, and other recommendations. Really helpful stuff. Thanks, Kevin!

For earlier posts in this series, feel free to check out:
John Strand's tips for network pen testing.
Steve Sims' tips for exploit development.
Josh Wright's tips for mobile device pen testing.
Larry Pesce's tips for wireless pen testing.

-Ed.]

By Kevin Johnson

Methodology Tips

  • Recon - During recon, the tester is looking to see what information has leaked onto the Internet about the application or organization being tested. This information can range from potential user names to source code from the application that was posted to a help forum. It is imperative that this step of the methodology not be skipped: some of the best information is found here.
  • Mapping - During the mapping phase, the pen testers actually use the application being tested, interacting with its various components. This phase gives them an understanding of the functionality and transactions available within the web application, which lets them focus in the next step on finding the flaws and vulnerabilities within the application. Using the built-in tools of Burp and other proxies to automatically scan for the low-hanging fruit allows the tester to spend more time on the more difficult but critical flaws.
  • Exploitation - Exploitation comes in many forms depending on the vulnerability you have. In many cases, the goal is to retrieve data or gain full access to the systems. Using a tool like Laudanum to get a shell on a system and then adding local users is a great window of opportunity. Don't forget Metasploit, as it is key in many exploitations. This step builds upon the previous two so that we are able to validate the flaws within the application. This helps the organization understand the risk the flaw exposes them to.
  • Post-Exploitation - Now we are able to pivot through the flaws exploited to gain even more information or access. For example, leverage a flaw you found, such as XSS, to take control of a victim browser and gain further access into the application or network using a tool like BeEF, the Browser Exploitation Framework. This JavaScript-based attack connects the victim browser to a Ruby framework that delivers a variety of payloads.
  • Misc (reporting) - Contrary to popular belief, reporting is actually a huge part of a penetration test. It is one thing to be able to pwn the system and another to be able to explain the security flaw and recommendations to the client. Lots of time is spent writing the final report so that the information is actually useful.

Must-Have Tools

  • Burp Suite - Burp Suite is a web proxy that comes in both a free and commercial version. In addition to the proxy functionality, Burp also includes Repeater, Intruder, Decoder, Comparer, and scanning (commercial version only) tools built in. Repeater and Intruder are instrumental when it comes to web testing. This is the Swiss Army knife of web pen testing. By Dafydd Stuttard - http://www.portswigger.net
  • DirBuster - DirBuster is a tool designed to enumerate web directories and files. It works off of a set of pre-defined dictionaries or it can be used in fuzzer mode. By James Fisher - http://sourceforge.net/projects/dirbuster
  • Zed Attack Proxy - Zed Attack Proxy is an easy-to-use penetration testing tool used to identify flaws in web applications. It includes many different tools, such as a brute forcer, scanner, fuzzer, and decoder. By Simon Bennetts - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • SqlMap - SqlMap is an open source penetration testing tool to automate the process of detecting and exploiting SQL Injection vulnerabilities. Using simple commands, it is easy to quickly identify and then exploit SQL injections. By Bernardo Damele A. G. and Miroslav Stampar - http://sqlmap.org
  • Nikto - Nikto is an open source web server scanning tool that can identify web server versions, misconfigurations, and a large list of vulnerable files. By Chris Sullo - http://www.cirt.net/nikto2
  • SamuraiWTF - No need to spend time building a testing system when this one is built for you. By Kevin Johnson and Justin Searle - http://sourceforge.net/projects/samurai
  • Firefox Add-ins - The Firefox web browser is a must-have tool because there are so many great add-ins available. Add-ins like HackBar, User Agent Switcher, Web Developer, Tamper Data, and Firebug are all excellent tools when performing a web penetration test. That is just a small sample of the add-ins that can be used. By Mozilla - http://www.mozilla.org/en-US/firefox/fx
  • Laudanum - Laudanum is a collection of web scripts that can be deployed to a vulnerable server to provide file browsing and shell functionality on the affected system. These scripts come in many languages, including ASP.Net, Java, and PHP. By Kevin Johnson, Tim Medin, and James Jardine - http://sourceforge.net/projects/laudanum
  • BeEF - The Browser Exploitation Framework (BeEF) is an excellent tool while performing a web pen test. The framework makes it really easy to exploit the browser using identified cross-site scripting flaws. Once exploited, it may be possible to pivot from the outside to the inside of a network. http://beefproject.com
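The DirBuster entry above describes wordlist-driven enumeration of directories and files; as an added example (not from this post or from the DirBuster project), here is a small Python detector that flags the footprint such a scan leaves in web server logs: one client hitting many distinct paths in a short window with mostly 404 responses. It assumes Apache/nginx combined log format and uses constructed sample lines with documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx); fields we do not need are skipped with \S+.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:                       # lines that do not match the format are skipped
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_enumerators(lines, window_s=60, min_requests=8, min_404_ratio=0.75):
    """Flag client IPs that request >= min_requests distinct paths within window_s
    seconds with >= min_404_ratio of them returning 404: the footprint of a wordlist
    scan, whatever User-Agent the scanner chooses to send."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):           # sliding window over timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            not_found = sum(r["status"] == 404 for r in win)
            distinct = len({r["path"] for r in win})
            if distinct >= min_requests and not_found / len(win) >= min_404_ratio:
                flagged[ip] = {"requests": len(win), "not_found": not_found, "distinct_paths": distinct}
                break
    return flagged

# Constructed sample traffic (documentation IPs, not real logs): one ordinary visitor
# and one client walking a short wordlist against a site where only /login/ exists.
_WORDLIST = ["/admin/", "/backup/", "/old/", "/test/", "/config/", "/db/", "/tmp/", "/.git/", "/login/"]
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /about.html HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.4 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET {p} HTTP/1.1" '
    f'{200 if p == "/login/" else 404} 162 "-" "Mozilla/5.0"'
    for i, p in enumerate(_WORDLIST)
]
```

Running `find_enumerators(SAMPLE_LOG)` flags only 198.51.100.4; the thresholds are deliberately parameters, since a site with many broken links will need a higher 404 ratio or request count to avoid false positives.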

Great Resources for Staying Current

Associated SANS Courses

SEC542: Web App Penetration Testing and Ethical Hacking www.sans.org/sec542

SEC642: Advanced Web App Penetration Testing and Ethical Hacking www.sans.org/sec642

-Kevin Johnson
