Saturday, January 18, 2014

Web App Pentest - Part 1 Introduction

In this series of articles I am going to show how to find and exploit vulnerabilities in a web application by hand rather than by pointing an automated scanner at it. A scanner only reports what its signatures cover; leaning on it limits both what you learn and what you will find. Most professional assessments therefore rely on manual testing and treat scanner output only as a starting point.
For the whole series I am going to use these programs:


  1. NOWASP Mutillidae
  2. Burp Proxy
NOWASP Mutillidae
NOWASP Mutillidae is a deliberately vulnerable web application containing more than 40 vulnerabilities. It covers all of the OWASP Top 10 along with vulnerabilities from other organizations' lists, plus smaller issues of the kind that web application scanners such as Vega, Acunetix, Nikto and w3af report. I am going to use the latest version of the project, which has an object-oriented design that makes the vulnerable code easier to read and understand.


Burp Suite
The other tool I am going to use is Burp Proxy. It is an intercepting proxy that sits between the client (a browser such as Firefox or Chrome) and the web site or server. It runs on my local machine and intercepts the traffic in both directions between my browser and the target host (here, NOWASP Mutillidae). Its main use is this: when you request something from the server, Burp holds that request before it leaves your machine and lets you change it however you need. It also shows the request method (GET, POST or another) and lists the parameters the site uses to pass your input to the server, so you can manipulate the request any way you like to test the security of that application.

To intercept requests, the Burp proxy listener must be configured on 127.0.0.1 (localhost) port 8080, and your browser must be set to use that address as its HTTP proxy. Then go to Burp Suite => Proxy tab => Intercept and make sure the "Intercept is on" button is pressed. I will not go deep into all the tabs and their functionality here; see the Burp manual or documentation for that.


How the Web works


Before we go ahead, it is good to understand what happens behind the browser when you visit a web site. Your browser asks the web server for a file (HTML, PHP, JavaScript, CSS, ASPX and so on) and the server answers with a response. With Burp we can watch that exchange. To capture the request below I configured Burp and my browser as described above and then visited the HTML5 Storage page shown in the picture below.

As soon as I click the link, Burp intercepts the request shown below. You can see it is requesting the index.php page from the server, and Burp also shows the parameter that must be passed to load the whole page: the parameter is page and its value is html5-storage.php. Note the Cookie header too: besides the PHP session id it carries the username and uid in clear text, which is worth remembering for later.


GET /chintan/index.php?page=html5-storage.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/
Cookie: showhints=0; username=chintan; uid=19; PHPSESSID=j53u16lcdkjq0eec6nfijphkd4
Connection: keep-alive

Since I want this page, I forward the request. The Response tab in the same intercept window then shows the reply below, with status 200 OK.

HTTP/1.1 200 OK
Date: Sat, 28 Dec 2013 23:30:08 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Logged-In-User: chintan
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 46178

200 OK means the request was processed successfully and the server returned the page; by the time I switch back to the browser the full page has rendered there.

Remember: the HTML is generated dynamically on each request. The PHP code on the server examines your request and builds an HTML document, which it sends back for the browser to render. What you see in the browser window is not the web page itself; it is the browser's graphical interpretation of that HTML.

Make it a habit to read the page as source code and get familiar with it in that form, not only as it appears graphically in the browser. Get familiar with JavaScript, XML and all the HTML tags if possible.

Where to start?
A common problem for beginners is where actual testing begins and what to do first. As in the ethical hacking life cycle, the first phase is information gathering (reconnaissance). Here that means learning as much as I can about the web site and the server without surfing every page by hand. If you look at the request and response above, they have already told us a few things:
No.  Information
1.   Server – Apache
2.   Apache version – 2.4.3
3.   Server-side language – PHP
4.   PHP version – 5.4.7
5.   Operating system – Win32 (from the Server banner)
6.   OpenSSL library – 1.0.1c (compiled into Apache)
7.   Logged-in username – chintan (from the custom Logged-In-User header and the username cookie)

Two caveats. The OpenSSL entry in the Server banner only tells you which library Apache was built with; it does not mean the site is served over HTTPS (the request above went to plain http://localhost). And banner versions are whatever the administrator lets the server announce (Apache's ServerTokens directive can trim them), so treat them as hints to confirm later, not as proof.
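To make this first pass of reconnaissance repeatable, here is an added Python example (my own, not part of the original post, Burp or Mutillidae) that parses the raw request and response shown above and extracts the same facts: method, path, query parameters and cookies from the request; status, product/version pairs from the Server and X-Powered-By headers, the OS hint in parentheses, and any non-standard response header. The two messages are embedded as constructed string literals copied from the page so the script runs offline; the set of headers it treats as plain HTTP plumbing is an assumption of the example.

```python
"""Added example: parse a raw HTTP request/response pair and pull out the
reconnaissance facts a tester would note from it. Not part of the original
post or of Burp; the sample messages are constructed from the ones shown
above so the script runs offline."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the intercepted request from above (CRLF line endings
# as on the wire; the Accept* headers are trimmed for brevity).
RAW_REQUEST = (
    "GET /chintan/index.php?page=html5-storage.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0\r\n"
    "Referer: http://localhost/chintan/\r\n"
    "Cookie: showhints=0; username=chintan; uid=19; "
    "PHPSESSID=j53u16lcdkjq0eec6nfijphkd4\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed sample: the server's response headers from above.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 28 Dec 2013 23:30:08 GMT\r\n"
    "Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7\r\n"
    "X-Powered-By: PHP/5.4.7\r\n"
    "Logged-In-User: chintan\r\n"
    "Keep-Alive: timeout=5, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 46178\r\n"
    "\r\n"
)

# Headers that carry no application-specific information; anything else in a
# response deserves a second look (an assumption of this example, not a standard).
STANDARD_RESPONSE_HEADERS = {
    "date", "server", "x-powered-by", "keep-alive", "connection",
    "content-type", "content-length", "content-encoding", "set-cookie",
}


def split_message(raw):
    """Split an HTTP message into (start line, header dict, body).
    Header names are lower-cased because they are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw):
    """Method, path, query parameters and cookies of a raw request."""
    start, headers, _ = split_message(raw)
    method, target, _version = start.split(" ", 2)
    url = urlsplit(target)
    params = {k: v[0] if len(v) == 1 else v
              for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return {"method": method, "path": url.path, "params": params,
            "cookies": cookies, "headers": headers}


def fingerprint(raw):
    """What the response banner reveals: status, product/version pairs from
    Server and X-Powered-By, the OS hint in parentheses, and every header that
    is not plain HTTP plumbing. OpenSSL in the banner only means Apache was
    built against it; it does not prove the site is served over HTTPS."""
    start, headers, _ = split_message(raw)
    _version, status, _reason = start.split(" ", 2)
    products = {}
    for field in ("server", "x-powered-by"):
        for name, ver in re.findall(r"([A-Za-z][\w.-]*)/([\w.]+)", headers.get(field, "")):
            products[name] = ver
    os_hint = re.search(r"\(([^)]*)\)", headers.get("server", ""))
    custom = {k: v for k, v in headers.items() if k not in STANDARD_RESPONSE_HEADERS}
    return {"status": int(status), "products": products,
            "os_hint": os_hint.group(1) if os_hint else None,
            "custom_headers": custom}


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["path"], req["params"], req["cookies"])
    print(fingerprint(RAW_RESPONSE))
```

Run against the two samples it reports the GET to /chintan/index.php with page=html5-storage.php, the four cookies, and a fingerprint of Apache 2.4.3, OpenSSL 1.0.1c and PHP 5.4.7 on Win32 with Logged-In-User as the one custom header. Paste any other raw request and response from Burp's intercept window into the two constants to get the same summary for a different target.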

There are many ways to gather information; Google, the recon-ng framework and any application security testing tool with a crawling option are the common choices. I will enumerate all the pages and folders of my target with the spider option in Burp Suite. To do that, open the Proxy > HTTP history tab, find the first request you made to the target, right-click it and select the "Add to scope" option.


Now, if you go to the Target tab, you will see your testing scope, which in my case is localhost, as shown below.




The Target tab also lists every other site your browser contacted without you noticing. On any live site there will be like or share buttons or some kind of advertisement, and those third-party hosts get listed here too. To hide items that are not in scope, click the filter bar, set the options as shown in the figure below, then click anywhere on the blank area and the filter is applied.


Next, as mentioned, I need to spider this host: right-click localhost and select the "Spider this host" option. If the target application has form submissions, Burp will pop up a dialog asking you to fill in and submit the form values.




Spidering of the target host starts as soon as you click that. The Spider tab then shows something like the picture below.

Note: when the request queue reaches 0 and stays there for a while, spidering of the application is finished.


Then go back to the Target tab: it now lists all the pages the application has, and some new pages may have been added.
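The spidering just described, reduced to its essentials as an added Python example (mine, not Burp's code and not part of the original post): a queue of in-scope URLs is drained one at a time, links and forms are extracted from each HTML page, same-host links are queued, anything on another host is only recorded (the share button case above), and the run ends when the queue is empty, which is exactly the "request queue stays at 0" condition. The target is a constructed in-memory stand-in, and the same-host scope rule and the fetch stub are assumptions of the example.

```python
"""Added example: a minimal scope-aware spider doing what Burp's
"Spider this host" does, including the empty-queue stop condition.
Not part of the original post or of Burp. The target site is a constructed
in-memory stand-in so the script runs offline."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the target: URL -> (status, content type, body).
# It links to an out-of-scope host (a share button) and carries a login form,
# the two cases discussed in the text.
FAKE_SITE = {
    "http://localhost/chintan/": (200, "text/html",
        '<a href="index.php?page=html5-storage.php">HTML5 Storage</a>'
        '<a href="/chintan/index.php?page=login.php">Login</a>'
        '<a href="http://example.com/share?u=localhost">Share</a>'),
    "http://localhost/chintan/index.php?page=html5-storage.php": (200, "text/html",
        '<a href="/chintan/">Home</a><script src="/chintan/js/app.js"></script>'),
    "http://localhost/chintan/index.php?page=login.php": (200, "text/html",
        '<form action="/chintan/index.php?page=login.php" method="POST">'
        '<input name="username"><input name="password" type="password"></form>'),
    "http://localhost/chintan/js/app.js": (200, "application/javascript",
        "console.log('no links here');"),
}


def fetch(url):
    """Stand-in for an HTTP GET (assumption of the example).
    Swap in a real client to spider a live host."""
    return FAKE_SITE.get(url, (404, "text/html", ""))


class LinkExtractor(HTMLParser):
    """Collect link targets and form definitions from one HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link") and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "form":
            self.forms.append({"method": (a.get("method") or "GET").upper(),
                               "action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["inputs"].append(a["name"])


def in_scope(url, scope_host):
    """Scope rule used here: same host name as the start URL."""
    return urlsplit(url).hostname == scope_host


def spider(start_url, fetch=fetch):
    """Crawl every in-scope URL reachable from start_url.
    Returns the site map (URL -> status), the forms found and the
    out-of-scope URLs that were seen but never requested."""
    scope_host = urlsplit(start_url).hostname
    queue = deque([start_url])          # Burp's "request queue"
    seen = {start_url}
    site_map, forms, out_of_scope = {}, [], set()
    while queue:                        # finished when the queue drains
        url = queue.popleft()
        status, ctype, body = fetch(url)
        site_map[url] = status
        if not ctype.startswith("text/html"):
            continue                    # nothing to extract from JS, images, etc.
        extractor = LinkExtractor()
        extractor.feed(body)
        for form in extractor.forms:
            forms.append({**form, "action": urljoin(url, form["action"])})
        for link in extractor.links + [f["action"] for f in extractor.forms]:
            absolute = urljoin(url, link).split("#", 1)[0]
            if not in_scope(absolute, scope_host):
                out_of_scope.add(absolute)   # listed, never requested
            elif absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return {"site_map": site_map, "forms": forms,
            "out_of_scope": sorted(out_of_scope)}


if __name__ == "__main__":
    result = spider("http://localhost/chintan/")
    for url, status in result["site_map"].items():
        print(status, url)
    print("forms:", result["forms"])
    print("out of scope:", result["out_of_scope"])
```

On the stand-in site it visits all four localhost URLs, records the example.com share link without ever requesting it, and reports the POST login form with its username and password inputs, the same form Burp would ask you to fill in during a spider run.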
Proxy Settings
There are no particular required settings or configuration here. I personally use the configuration shown in the figure.




The reason for these settings: (1) the target host may link to a ton of other sites through share buttons, advertisements and so on, and I only want to intercept the communication between myself and my target, not every other site, so I tick the checkbox that intercepts only requests that are in the target scope. (2) I also want to intercept every response the server sends back to my requests, so that I can see whether a request was processed properly or whether I was redirected somewhere else, so I also turn on the option to intercept all responses.


References
  1. http://www.cirt.net/nikto2
  2. http://sourceforge.net/projects/mutillidae/

