Penetration Test – Web Application Scanning – All things in moderation

Penetration Test – Web Application Scanning

After the previous post, we know how to use network scanners and how to use Peeping Tom to take screenshots of all HTTP(S) services. Now we focus on web application scanners. There are many tools in this area, for example Acunetix, ZAP, WebScarab, Nikto, w3af, and so on, some free and some paid. For me, I usually use Burp Suite for this test. Although it is a paid tool ( $300 ), I think it is worth 10 times the price, because it is maintained regularly and many extensions are available for Burp.

In this post, I will use Burp Pro to scan web applications as part of a network penetration test. Actually, I don’t have much time to do a full web test, but here are the steps I did with almost all of them:
– Spider/Discovery/Scanning with Burp Pro
– Scanning with a web application scanner
– Manual parameter injection
– Session token analysis

After running Nessus or Nexpose to find the usual system/application/service flaws, we can look deeper with Burp. You can find out how to use this tool from here, but I will give you another view.

1. First, we need to configure our network proxy, because Burp lets us view all of the request details and modify the raw requests regardless of client-side protections.
After you start the tool, make sure your proxy is enabled and listening on port 8080. Go to the Proxy tab –> Options and check that it is already running.

– Image Burp Proxy –> Options


Besides, you can switch proxies easily with FoxyProxy for Firefox. It is an easy way to deal with multiple proxies. You just tell your browser to send its traffic to your local host ( port 8080 ).

For example, I go to the website: http://testphp.vulnweb.com/
After that, go to the Proxy/Intercept tab. Burp has captured our GET request to that website.

– Image Burp Capture and Intercept Traffic

We can see cookies and other request information. Intercept means stopping any request from the browser to the web application, giving you full ability to read or modify that request and then either forward it to the web application or drop it. If you go to your browser, you see no response until you turn off the Intercept feature. After this feature is off, we can see all the requests and responses in the History tab.


Go to the Target tab, where we can see our URL. We add our site to Scope. The scope drives automated spidering and testing, and helps you avoid actively scanning domains that are out of scope. We should add all the URLs or FQDNs we want to test to the scope.

2. After configuring Burp, we need to spider the host. This means that Burp will crawl through the whole website and record all the different files, forms, and HTTP methods on that site.

– Image Burp Spider


When this process is completed, we have a general view of the site. We can click on any file and see the request and response for it. If you add many sites to this tool, look at the Site Map tab and choose Filter; you will only see what is related to that site.

– Image Burp SiteMap and Request

3. Many times we see pages or folders that are not directly linked from the website ( URL ) we need to pentest, because host administrators want to hide these folders from us. Burp has a module that helps in this situation. Go to the Site Map tab, right-click on the URL, choose “Engagement tools” and then “Discover content”.

– Image Burp Discover Content

Once inside this module, click the “Session is not running” button and the application will begin “smart brute forcing” folder and file structures.

This will detect hidden folders, admin pages, configuration pages and other missing pages. 😀

4. After you find enough information about the site ( it’s up to your knowledge ), you can start “Actively scan this host”. Burp then starts to fuzz the input parameters. If you do this in real life, you need to be careful because it will trigger the IDS on the target system. For example, if the website has a comment box, the site will receive many emails from all the parameters being actively fuzzed.
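A defender-side view of steps 3 and 4, added here as an example (not code from the original post or from Burp): both the “Discover content” brute force and the active scan leave a distinctive trace in the web server’s access log. The script below assumes Common Log Format and uses constructed log lines; it flags a client that produces a burst of 404 responses within one minute, or that sends many different query strings to the same page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format fields we need: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Returns a dict for one access-log line, or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    return {"ip": m.group("ip"), "path": path, "query": query, "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def flag_scanners(lines, window=timedelta(seconds=60), min_404=20, min_variants=10):
    """Return {client_ip: [reasons]} for clients that look like a content-discovery or active-scan run."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, variants, lo, misses = set(), defaultdict(set), 0, 0
        for r in recs:
            # Content discovery: a burst of 404s inside one sliding time window.
            misses += r["status"] == 404
            while r["ts"] - recs[lo]["ts"] > window:
                misses -= recs[lo]["status"] == 404
                lo += 1
            if misses >= min_404:
                reasons.add("content-discovery")
            # Parameter fuzzing: many distinct query strings sent to one path.
            if r["query"]:
                variants[r["path"]].add(r["query"])
        if any(len(v) >= min_variants for v in variants.values()):
            reasons.add("parameter-fuzzing")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings

def sample_log():
    """Constructed log lines (not from any real server): one normal client, two scanner-like clients."""
    fmt = '%s - - [10/Oct/2023:13:%02d:%02d +0000] "GET %s HTTP/1.1" %d 512'
    lines = [fmt % ("198.51.100.7", 55, s, "/index.php", 200) for s in (1, 9, 30)]
    lines += [fmt % ("203.0.113.5", 55, s, "/backup%d/" % s, 404) for s in range(25)]
    lines += [fmt % ("203.0.113.9", 56, s, "/artists.php?artist=%d" % s, 200) for s in range(12)]
    return lines
```

The thresholds are assumptions to tune against your own baseline traffic; a client that trips either rule is what the IDS warning above is about.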

– Image Burp Active Scan

When we look at the results, we can see some vulnerabilities for this website.
Your job is to verify whether each one is a false positive or not. 😀


In conclusion, web application scanning is an important step for a successful pentest. It gives us information about possible vulnerabilities. Based on these results, I will show you what we are going to do with this information in the next post.
