Web Application Penetration Testing

Introduction to Web Application Penetration Testing

Web application penetration testing is the process of attacking a web application to uncover security vulnerabilities, misconfigurations, and weaknesses that could be exploited by malicious actors. This type of testing plays a vital role in ensuring that applications are robust against threats like SQL injection, cross-site scripting (XSS), insecure authentication, and session management flaws. In this guide, we'll explore the tools and techniques used to assess web applications, including scanning for common vulnerabilities with tools like OWASP ZAP and Burp Suite, exploiting discovered weaknesses, and testing for logic flaws that automated tools may miss. We will also cover techniques for intercepting and analyzing web traffic, evaluating input validation, and testing the security of application components like APIs. The goal is to ethically discover and document vulnerabilities, following a responsible disclosure process to ensure that they are addressed before they can be exploited in the wild, improving the overall security posture of the application.

Video Credit: Loi Liang Yang - Website Hacking

Reconnaissance and Information Gathering

Reconnaissance is the first step of web application penetration testing, where you gather as much information as possible about the target web application.

Using Nmap to Scan a Website

Nmap can be used to scan websites and gather information such as open ports and services running on the server. The following command can be used to scan a target website:

nmap -sV -p- -A example.com

Explanation:

-sV probes each open port to identify the service and its version, -p- scans all 65535 TCP ports instead of Nmap's default top 1000, and -A enables aggressive mode (OS detection, version detection, default NSE scripts, and traceroute). Knowing which services are running and which versions are in use is crucial for detecting vulnerabilities, since version strings can be matched against known weaknesses. Note that -p- with -A is slow and noisy, so only run it against hosts you are authorized to test.

Finding Domains and Subdomains

Finding subdomains is important because they can reveal hidden parts of an application that may be less secure, such as staging, administrative, or API hosts. A commonly used tool for subdomain enumeration is Sublist3r, which queries search engines and public DNS data sources rather than brute-forcing the target directly:

Using Sublist3r to find subdomains:

python sublist3r.py -d example.com

Example output:

[+] Enumerating subdomains for example.com
www.example.com
mail.example.com
admin.example.com
api.example.com

Directory Enumeration with Gobuster

Directory enumeration helps to discover hidden files and directories that may contain sensitive information or be vulnerable to attacks. Gobuster is a popular tool for performing directory enumeration on a target website.

Using Gobuster for Directory Enumeration

To use Gobuster with a wordlist to find directories on a target website, use the following command:

gobuster dir -u http://example.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

Explanation:

In dir mode, Gobuster requests every entry of the wordlist (-w) as a path under the base URL (-u) and reports the paths whose HTTP status indicates they exist (for example 200, 301, or 403) rather than 404. The wordlist path shown assumes the SecLists collection is installed under /usr/share/seclists. This can reveal administrative pages, backup files, or old endpoints that are not linked from the application and may be vulnerable.

Identifying Vulnerabilities

Scanning with Nikto

Nikto is a web server scanner that identifies vulnerabilities, outdated software, and configuration issues. It can be a crucial tool for penetration testers and security professionals looking to find weaknesses in web servers and applications. Nikto scans for over 6,700 potentially dangerous files, outdated server versions, and configuration issues that could lead to vulnerabilities. It also checks for common files like admin panels and default login pages, which could be exploited if left unprotected.

nikto -h http://example.com

Example output:

- Nikto v2.1.6
-----------------------------------------------------------------------
+ Target IP:       192.168.1.10
+ Target Hostname: example.com
+ Target Port:     80
-----------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The X-Frame-Options header is not present, vulnerability detected.
+ Outdated software detected: Apache/2.4.41
+ Entry '/admin/' is password protected, brute force possible.
-----------------------------------------------------------------------
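The Gobuster and Nikto scans above leave a distinctive footprint in the web server's access log: a burst of 404s for many different paths from one client, and (for Nikto) a self-identifying User-Agent. The following script is an added example, not part of the original guide or of either tool, that parses Apache/nginx combined-format log lines and flags clients matching those two patterns; the log lines, IP addresses, User-Agent strings and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; one named group per field we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_scanners(lines, window=timedelta(seconds=60), max_404=20):
    """Return {ip: [reasons]} for clients whose traffic looks like a wordlist scan
    (more than max_404 distinct 404 paths inside `window`) or a Nikto scan (User-Agent)."""
    by_ip = defaultdict(list)    # ip -> [(timestamp, path)] for 404 responses only
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue             # skip malformed lines rather than crash the monitor
        if "nikto" in rec["ua"].lower():
            findings[rec["ip"]].add("nikto-user-agent")
        if rec["status"] == 404:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):              # sliding time window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) > max_404:
                findings[ip].add("404-burst")
                break
    return {ip: sorted(r) for ip, r in findings.items()}

# Constructed sample log: 25 wordlist-style 404s within 25 s, one Nikto probe, one normal request.
_FMT = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 512 "-" "{ua}"'
SAMPLE_LOG = [_FMT.format(ip="203.0.113.5", s=i, p=f"/w{i}", st=404, ua="gobuster/3.6") for i in range(25)]
SAMPLE_LOG.append(_FMT.format(ip="203.0.113.9", s=1, p="/cgi-bin/", st=404, ua="Mozilla/5.00 (Nikto/2.1.6)"))
SAMPLE_LOG.append(_FMT.format(ip="198.51.100.7", s=2, p="/index.html", st=200, ua="Mozilla/5.0"))
```

Run detect_scanners(SAMPLE_LOG) to see the two scanning clients flagged while the normal visitor is not; tune window and max_404 to your site's real 404 baseline before alerting on it.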

Steps to Take if a Vulnerability is Found

If vulnerabilities are found during a Nikto scan, it's important to address them as soon as possible to mitigate the risk of attack. Here are the steps you should take:

Exploiting Vulnerabilities Found During Scans

After performing a scan with tools like Nmap, Nikto, or Nessus, vulnerabilities may be uncovered in software versions, misconfigurations, or exposed services. The next step is to understand how these vulnerabilities can be exploited to gain unauthorized access or compromise the system.