In this series of articles I am going to demonstrate how to manually find and exploit vulnerabilities in a web application, rather than relying on an automated tool to find them. Almost all companies worldwide focus on manual testing of web applications rather than running web application scanners, because a scanner limits your knowledge and skills as well as the scope of vulnerabilities your testing can find.
For the whole series I am going to use these programs:
- NOWASP Mutillidae
- Burp Proxy
NOWASP Mutillidae
NOWASP Mutillidae is a deliberately vulnerable web application containing more than 40 vulnerabilities. It includes all of the OWASP Top 10 vulnerabilities along with vulnerabilities from other organizations' lists. It also contains other small and mid-level vulnerabilities of the kind detected by web application scanners such as Vega, Acunetix, Nikto, w3af, etc. I am going to use the latest version of this project, which has an object-oriented design that gives a better understanding of all the vulnerabilities of the web application.
Burp Suite
Another tool that I am going to use is Burp Proxy. This is an interception proxy that sits between the client (a browser such as Firefox or Chrome) and the website or server. It runs on my local machine and intercepts the inbound and outbound traffic between the browser and the target host (in our case the target host is NOWASP Mutillidae). The main use of this tool is that when you make a request to the server, Burp Suite intercepts that request on its way from your machine to the server/website and lets you change it according to your needs. It also reveals the type of the request, whether it is a GET, a POST or something else. Burp can also show you the list of parameters the website uses to pass your request from you to the server. You can manipulate the request in any way you want in order to check the security of that particular web application. To intercept requests, your Burp proxy listener must be configured on 127.0.0.1 (localhost) port 8080, and the same proxy must be set in your web browser. After doing so, go to Burp Suite => Proxy tab => Intercept is on (make sure this button is pressed/on). I will not go deep into all the tabs and their functionality; see the Burp manual or documentation for that.
Working flow of the Web
Before we go ahead, it is good to understand how the web works in the backend, which you cannot see in your web browser. When you visit any website your browser asks the web server for a file, which can be HTML, PHP, JS (JavaScript), CSS, ASPX, etc. Using Burp Suite we can observe that request as shown below. To see the request I configured Burp and my browser as mentioned above and then visited the HTML5 storage page shown in the picture below.
As soon as I click on the link, Burp intercepts the request shown below. You can see that it is requesting the index.php page from the server. Burp also shows you the parameter that is required to load the whole page. Here that parameter is page and its value is html5-storage.php.
GET /chintan/index.php?page=html5-storage.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/
Cookie: showhints=0; username=chintan; uid=19; PHPSESSID=j53u16lcdkjq0eec6nfijphkd4
Connection: keep-alive
As I need to access this page, I will forward this request; if you then look at the Response tab in the lower section, you will see the 200 OK response below.
HTTP/1.1 200 OK
Date: Sat, 28 Dec 2013 23:30:08 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Logged-In-User: chintan
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 46178
200 OK shows that my request has been processed successfully and the response has been returned to me. If I now look at my web browser, the full web page will have loaded there.
Remember: the HTML file is created dynamically each time you make a request. The PHP file in the backend looks at your request and creates an HTML file to send to your browser so it can render the page. Whatever you see in your web browser is not the web page itself; it is your browser's interpretation of how the web page should look graphically.
"Always make it a practice to read the web page's source code and get familiar with that, not with what you see graphically in your web browser. Get familiar with JavaScript, XML and all HTML tags if possible."
Where to start?
This is the common problem of all beginners: where to start the actual testing and what to do first. As we all know from the ethical hacking life cycle, the first phase is information gathering, or reconnaissance. In our case I will gather as much information about the website and the server as I can without actually surfing each web page. If you have noticed, the request and response above have already told us something. That information is as follows.
No. | Information
1. | Server – Apache
2. | Apache Version – 2.4.3
3. | Server Side Coding – PHP
4. | PHP version – 5.4.7
6. | HTTPs Protocol – SSL Used
7. | SSL Version – 1.0.1c
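The two dumps above can be parsed mechanically to recover the same parameters Burp shows in its Params tab and the same product/version rows as the table. This is an added Python example, not code from the original post; the request and response strings are re-typed from the article as constructed test data (only the headers the script looks at are kept).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: the intercepted request and response from the
# article, re-typed here with only the headers this script looks at.
RAW_REQUEST = (
    "GET /chintan/index.php?page=html5-storage.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Cookie: showhints=0; username=chintan; uid=19; "
    "PHPSESSID=j53u16lcdkjq0eec6nfijphkd4\r\n"
    "Connection: keep-alive\r\n\r\n"
)
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7\r\n"
    "X-Powered-By: PHP/5.4.7\r\n"
    "Logged-In-User: chintan\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def parse_message(raw):
    """Split a raw HTTP message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers

def request_parameters(raw):
    """Recover what Burp's Params tab shows: method, path, query string and cookies."""
    start_line, headers = parse_message(raw)
    method, target, _version = start_line.split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("cookie", "").split(";") if "=" in c)
    return {"method": method, "path": parts.path, "query": query, "cookies": cookies}

def fingerprint(raw):
    """Extract the product/version pairs the Server and X-Powered-By headers leak."""
    _, headers = parse_message(raw)
    banner = " ".join(h for h in (headers.get("server"), headers.get("x-powered-by")) if h)
    found = {}
    for product, version in re.findall(r"([A-Za-z][\w-]*)/([\w.]+)", banner):
        found.setdefault(product, version)  # first sighting wins; PHP appears twice
    return found
```

On the server side, Apache's ServerTokens Prod and PHP's expose_php = Off directives suppress exactly these version strings, which is why a hardened host gives this kind of reconnaissance far less to work with.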
There are plenty of ways of gathering information. However, people mostly use Google, the recon-ng framework and other application security testing tools that have a crawling option. I will list all the pages and folders of my target using the spider option in Burp Suite. To do that, go to the history, find the first page you visited, right-click on it and select the option "Add to scope".
Now if you go to the Target tab you will see your testing scope, which is localhost in my case, as shown below.
"It will also list all the other websites that were visited without you knowing. Consider any live website: there will be a like button, a share button or some kind of advertisement, so those sites will be listed here too. To remove items that are not in our scope, click on the filter bar and set all the options as shown in the figure below, then click anywhere on the blank page and the changes will be applied."
After that, as I mentioned, I need to spider this host, so I right-click on localhost and select the option "Spider this host". If your target application has form submissions, you will get a popup to fill in and submit the form values.
After clicking on that, spidering of your target host starts. If you go to the Spider tab you will see something like the picture below.
"Note that if the request queue becomes and remains 0 for long enough, it means spidering of that web application is finished."
Then you can go back to the Target tab and you will see the list of all pages belonging to that web application. Some new pages might have been added.
Proxy Setting
There are no particular settings or configuration required. I personally use the configuration shown in the figure. The reason I use these settings is that (1) our target host might link to a ton of other websites via share buttons, advertisements, etc., and I want to intercept only the communication between myself and my target host, not other websites. That is why I tick the checkbox that intercepts only requests that are in the target scope. (2) I also want to intercept not just each request but each response the server sends back to my requests, so that I can tell whether my request was processed properly or whether I have been redirected somewhere, etc. So I tick that option and turn on interception of all responses.