Penetration testing is the most commonly used security testing technique in web application and website security services. A penetration test simulates the variety of attacks that could threaten an organization, so that authorized penetration testers, working within an agreed scope, can examine whether a website is secure or not.
Phases of Pentest
- Information Gathering
- Scanning
- Gaining Access
- Maintaining Access
- Clearing Tracks
Information Gathering
This is the first step of a pentest. Also known as footprinting, in this phase we collect as much information as possible about the target, whether that is a network, a host, or the people involved with it.
It can be done in two ways:
1. Active – Directly interact with target
In active information gathering we interact with the target directly. We can perform port scanning to find out which ports are open, and service scanning to find out which services and versions the target runs, so that we know what can be exploited to gain access to the target.
2. Passive – Trying to collect information without directly accessing the target
In passive information gathering, we collect information about the target network without establishing a direct connection to the target; the information is obtained through an intermediate system.
Scanning
In this phase the tester collects more detailed information using more involved techniques. Scanning identifies live hosts, open ports, the architecture of the network and the operating system, and it is in this process that the target's vulnerabilities are discovered.
Tools used for information gathering
- Automated
- Manual
Gaining Access
In this phase the tester tries to gain access to the website or web application after finding vulnerabilities and exploiting them, for example through XSS (Cross-Site Scripting), SQL injection or a backdoor (any number of malicious activities).
Maintaining Access
After gaining access to the website and its pages, the tester may run a sniffer to intercept the target's traffic through a covert communication channel. A backdoor is also used to keep the connection.
Clearing Tracks
This is the final phase of a web application or website pentest. After successfully compromising the website or web application, the tester tries to clear their tracks to avoid being traced or caught, so they clear the logs and any trace of the malicious activity.
Information Gathering
During reconnaissance and information gathering for a website, there are several types of files that you can check to gather useful information. These files may contain valuable insights about the website's structure, the technologies used, or potential vulnerabilities. Here are some common file types to consider:
- robots.txt: Example: www.example.com/robots.txt
- sitemap.xml: Example: www.example.com/sitemap.xml
- .htaccess: Example: www.example.com/.htaccess
- README: Example: www.example.com/README
- CHANGELOG: Example: www.example.com/CHANGELOG
- crossdomain.xml: Example: www.example.com/crossdomain.xml
- config.php: Example: www.example.com/config.php
- database.ini: Example: www.example.com/database.ini
- .gitignore: Example: www.example.com/.gitignore
- error.log: Example: www.example.com/error.log
- backup files: Example: www.example.com/backup.zip
Virustotal
A web-based service called VirusTotal analyzes suspicious files and URLs in order to detect potential malware. With this platform, users can submit files or URLs for analysis using a variety of antivirus engines and security tools.
By examining the submitted files or URLs, VirusTotal generates detailed reports that indicate whether any antivirus engines or security tools have detected them as malicious. As a result, users are able to determine the potential threat level associated with a file or URL.
Host
The host command looks up both the IPv4 and IPv6 addresses of a domain name in DNS.
Raw_Hawk
Raw_Hawk performs scanning, web crawling and analysis of DNS records, uncovering vulnerabilities and providing valuable information. It offers a wide range of options for assessing and enhancing web application security.
Dig
Dig, also known as Domain Information Groper, is a command-line tool used for querying DNS (Domain Name System) servers and retrieving information about domain names, IP addresses, and DNS records.
This service provides detailed information about DNS infrastructure, including authoritative name servers, IP addresses associated with domains, MX records for email servers, and other information.
Whois
The Whois tool provides information about registered internet resources, such as domain names, IP addresses, and autonomous system numbers (AS).
By querying a central database, users can obtain information about the registered owner of a domain or IP block, contact information, and registration dates, among other details.
Theharvester
This tool provides an array of capabilities for gathering information about a target entity. Using various search engines, it extracts data related to subdomains, email addresses, employee names, and more. As part of a security assessment or penetration testing engagement, the tool is particularly useful for conducting footprinting and reconnaissance.
It also supports DNS brute-forcing, which helps discover additional subdomains and expands the scope of information gathering.
Wafw00f
The Wafw00f tool is designed specifically to detect the web application firewalls (WAFs) used to protect websites. It analyzes HTTP responses from a target website and compares them to the signatures and patterns associated with various WAFs.
Analyzing JavaScript files:
The purpose of analyzing JavaScript files is to identify vulnerabilities, assess client-side security, and review the code for best practices and dependencies. As a result, potential risks can be discovered, security posture improved, and industry standards adhered to.
Various tools can be used to analyze JavaScript files for web application penetration testing.
1. Burp Suite
2. OWASP ZAP
3. Wayback Machine
4. LinkFinder
Dorking:
Google Dorking and GitHub Dorking are advanced search techniques used to discover sensitive information or vulnerabilities using Google and GitHub search queries.
Google Dorking
Github Dorking
Examine the version of the software & plugins:
OWASP ZAP is used for manually inspecting the version and plugins of a web application.
A popular tool is "Wappalyzer", which is used to examine the software version and plugins of a web application for known vulnerabilities.
The Wappalyzer browser extension detects the use of various technologies on a website, including content management systems (CMS), e-commerce platforms, JavaScript frameworks, analytics tools, and more. Wappalyzer is capable of identifying the software stack behind a web application by analyzing HTTP response headers, HTML markup, JavaScript code, and other indicators.
Whatweb
The WhatWeb tool is used to identify the technologies and frameworks utilized by a website. Using HTTP responses, HTML, headers, and other relevant information, it determines the underlying technologies that are powering the site.
A variety of web technologies can be detected by WhatWeb, such as content management systems (CMS), programming languages, web servers, JavaScript libraries, etc.
Enumeration
As part of a security assessment or penetration testing engagement, it is essential to conduct an enumeration phase to gather information. The purpose of this method is to gather information systematically about a target system, network, or web application in order to gain insights into its structure, components, and potential vulnerabilities.
For enumeration, several tools are used, including Dirb, Dirbuster, ffuf, Gobuster, and Wfuzz.
Dirb
Dirb is a command-line tool for brute-forcing directories and discovering hidden files and directories within web applications. It tests directory and file names from a wordlist against the target web application in order to uncover possible points of access that are not easily discoverable through normal navigation.
Gobuster
In web applications, Gobuster is a powerful tool for enumerating directories and files. By systematically scanning a target website, it reveals hidden directories, files, and other resources.
Through HTTP requests, Gobuster tries a variety of directory and file names, either from a predefined wordlist or a custom one provided by the user. An analysis of server responses is performed to determine if a directory or file exists, providing a list of paths discovered.
Dirbuster
DirBuster is a popular tool for brute-forcing directories and finding hidden files within web applications. To discover potential access points, it systematically tests different directory and file names within a target web application. DirBuster utilizes brute force techniques to identify directories and files that may not be readily accessible.
Here we see DirBuster finding directories and files on the targeted website.
Subfinder
Subfinder is a powerful tool for discovering valid subdomains associated with a website. To gather information about subdomains, it utilizes passive data sources such as VirusTotal, Censys, Shodan, and Recon, among others. Subfinder identifies publicly available and associated subdomains by querying these sources.
Subbrute
The Subbrute tool is specifically designed for performing DNS scans in order to identify subdomains associated with a target website.
By generating a list of potential subdomain names and systematically querying DNS servers, it employs a brute-force approach. Subbrute identifies valid subdomains by trying to resolve them, so they can be further analyzed or used for reconnaissance.
Amass
With Amass, you are able to enumerate DNS records and brute-force directory entries.
A number of techniques are used to gather information about a target domain, including subdomain enumeration, reverse DNS queries, and scraping data from a variety of sources. A wide range of passive and active reconnaissance methods are employed by Amass for the purpose of discovering subdomains associated with a target domain.
Nmap
Nmap (Network Mapper) is a powerful and versatile tool for exploring networks and assessing their security.
As a result of its port scanning capabilities, users are able to discover open ports on a target system or network. It is possible to conduct various types of port scans using Nmap, including TCP SYN scans, UDP scans, and comprehensive TCP connect scans.
Nikto
Nikto is a popular open-source tool for scanning web servers and assessing their vulnerabilities. Typically, it is used to identify potential security vulnerabilities in web servers and web applications. Nikto scans a target server or website in order to identify vulnerabilities, including SQL injection, cross-site scripting (XSS), outdated software versions, and misconfigurations.
Wfuzz
A powerful tool for brute-forcing web applications, Wfuzz helps identify hidden content, files, and directories within a web server. Using dictionaries and wordlists, it tests combinations of input parameters, URLs, or file paths to uncover hidden resources or vulnerabilities.
Sqlmap
sqlmap is a tool for sending SQL queries to a website's database through the website itself, in other words for automating SQL injection attempts.
Using these tools, attackers are able to manipulate databases, extract sensitive data, or even execute unauthorized commands by exploiting weaknesses in the way an application handles SQL queries.
SQL injection tools typically provide a user-friendly interface, a variety of attack techniques, and advanced features such as payload customization and data extraction.
We can also test manually whether a website is vulnerable by adding a SQL query to one of its inputs.
In the example below, the tester successfully found a SQL injection bug, which means that if an attacker performs a SQL injection attack, the website and web application could be completely compromised.
Burp Suite
Burp Suite is the most widely used tool for website and web application testing. It is the manual tool pentesters use for security testing, though it can also send many payloads (XSS scripts, SQL injection queries) at once and automatically detect vulnerabilities, find subdomains and find hidden files and directories through web crawling. The tester can also modify the user's request as required for testing.
Here I tried host header injection, meaning I gave a different domain name in the Host header to try to modify the request to a test website.
Here a cloud-based protection layer in front of the site interferes and blocks the request.
Here the website accepts the request, but at that moment the site can't handle it, so the page shows as temporarily unavailable.
OWASP Top 10 Common Vulnerabilities
XSS attack (Cross-Site Scripting)
This is a type of injection where malicious scripts are injected into a web page. Injection can be performed through a login form, a search option, or a document upload.
Reflected XSS:
Here the tester added JavaScript code in a parameter and it was reflected back as a pop-up, meaning the code successfully ran. Most XSS attacks compromise the complete account: they steal the session cookie and take over the account.
Stored XSS:
A script was inserted in the message field; the script is stored on the server and gives the response as an alert showing 1.
HTML Injection
Injection of HTML, also known as client-side code injection or HTML code injection, occurs when untrusted input is not properly sanitized and displayed on a web page. By doing so, an attacker is able to inject malicious HTML or script code into a web application, which is then executed by the user’s browser.
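Both the stored XSS above and HTML injection come down to the same defect: user-supplied text is written into the page without output encoding. The following is an added example (not code from the original post) that renders a constructed list of stored messages, including the alert(1) payload from the text, once the vulnerable way and once with context-appropriate escaping.

```python
import html

# Constructed stored messages, as an application might read them back from its
# database: one harmless, one the alert(1) payload from the text, one HTML injection.
STORED_MESSAGES = [
    "Hello from alice",
    "<script>alert(1)</script>",
    '<a href="https://attacker.invalid/login">Please re-enter your password</a>',
]

def render_message_unsafe(message):
    # Vulnerable: the stored text is concatenated straight into the page, so any
    # tags it contains become part of the DOM and scripts run in the viewer's browser.
    return '<li class="msg">' + message + '</li>'

def render_message(message):
    # Hardened: encode for the HTML text context at output time. The browser shows
    # the literal characters "<script>" instead of creating a script element.
    return '<li class="msg">' + html.escape(message, quote=True) + '</li>'

def render_title_attribute(message):
    # Attribute context: quote=True also encodes the quote characters, so the
    # value cannot close the attribute and start a new one (e.g. an event handler).
    return '<li title="' + html.escape(message, quote=True) + '">message</li>'

def render_message_list(messages, safe=True):
    render = render_message if safe else render_message_unsafe
    return "<ul>" + "".join(render(m) for m in messages) + "</ul>"

def contains_injected_tag(rendered_fragment):
    # Test helper: does the rendered fragment still contain a tag that came from
    # user data rather than from the template?
    lowered = rendered_fragment.lower()
    return "<script" in lowered or "<a " in lowered

if __name__ == "__main__":
    print(render_message_list(STORED_MESSAGES, safe=False))
    print(render_message_list(STORED_MESSAGES, safe=True))
```

Escaping is context-specific: html.escape is right for HTML text and quoted attributes, but data placed inside a script block or a URL needs its own encoder, and a Content Security Policy adds a second layer for the cases the templates miss.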
Broken Authentication:
It is defined as a vulnerability when an authentication mechanism is flawed or improperly implemented, which allows unauthorized access to user accounts and sensitive data.
Usernames and passwords visible in source code of a login form indicate a serious security vulnerability known as “broken authentication.” This vulnerability may allow attackers to obtain login credentials and compromise user accounts.
Iframe:
The HTML iframe injection involves injecting a modified URL parameter to change the displayed content within the iframe. By altering the robots.txt URL, a different webpage, such as https://jaiguptanick.github.io/Blog/blog/Overpass_TryHackMe/, can be displayed within the iframe.
XML:
The XML code below is an example of an XML document containing an XML external entity (XXE) injection vulnerability. By exploiting the application's XML parsing functionality, an attacker can disclose sensitive information or perform unauthorized actions.
This XML payload is used to extract root files and passwords.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY popped SYSTEM "file:///etc/passwd">
]>
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>
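The application side of this bug is a parser that honours the DOCTYPE. Here is an added example (not from the original post) of how a password-reset endpoint can refuse such documents before any entity is resolved: a pre-parse pass with Python's expat that rejects any DOCTYPE or ENTITY declaration, followed by the normal parse. The payload from the text and a constructed clean request are embedded so it runs offline; the element names come from the payload.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXml(ValueError):
    """Raised when a document declares a DTD or entities, which this service never needs."""

def reject_dtd(document):
    # The handlers fire as soon as a DOCTYPE or an ENTITY declaration is seen, before
    # any entity could be resolved; an exception raised inside a handler propagates
    # out of Parse(), which stops the parse.
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE declarations are not accepted (root: %s)" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml("entity declarations are not accepted (%s)" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(document, True)

def parse_reset_request(document):
    # Only documents that pass the DTD check reach the real parser.
    reject_dtd(document)
    root = ET.fromstring(document)
    return root.findtext("login"), root.findtext("secret")

def is_accepted(document):
    try:
        reject_dtd(document)
    except UnsafeXml:
        return False
    return True

# The payload quoted in the text, embedded here so the check can be run offline.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY popped SYSTEM "file:///etc/passwd">
]>
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>"""

# A constructed benign request in the same format.
CLEAN_REQUEST = b"""<?xml version="1.0" encoding="utf-8"?>
<reset><login>alice</login><secret>Any bugs?</secret></reset>"""

if __name__ == "__main__":
    print("payload accepted:", is_accepted(XXE_PAYLOAD))
    print("clean request:", parse_reset_request(CLEAN_REQUEST))
```

Rejecting every DTD is deliberately blunt: a request format that never needs one gives the parser nothing to expand, which also covers the "billion laughs" entity-expansion variant. The defusedxml package applies the same idea across the standard-library parsers.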
Remote and Local File Inclusion:
Remote File Inclusion (RFI) and Local File Inclusion (LFI) are security vulnerabilities that can occur in web applications. They involve the improper handling or inclusion of external files by the application, allowing an attacker to include and execute arbitrary files.
The web URL is modified to include the payload "../../../../etc/passwd". This payload aims to access the "/etc/passwd" file on the server, a commonly targeted file on Unix-like systems that contains user account information.
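On the server side, LFI is a file-include routine that joins a user-supplied name onto a base directory without checking where the result ends up. The following added example (not code from the original post) canonicalizes the path and refuses anything that resolves outside the site root; it builds a throwaway site directory with one page so the traversal payload from the text can be tried offline.

```python
import os
import tempfile

def resolve_under(base_dir, requested):
    # Canonicalize both paths, then require the result to still lie under base_dir.
    # Symlinks and ".." segments are resolved by realpath before the comparison.
    base = os.path.realpath(base_dir)
    try:
        candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    except ValueError:            # e.g. an embedded NUL byte in the request
        return None
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def include_page(base_dir, requested):
    # The vulnerable form this replaces would be: open(os.path.join(base_dir, requested))
    path = resolve_under(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def make_site_root():
    # Constructed site directory with one includable page, for the demonstration.
    base = tempfile.mkdtemp(prefix="site-")
    with open(os.path.join(base, "about.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>About</h1>")
    return base

def demo():
    base = make_site_root()
    return {
        "normal": include_page(base, "about.html"),
        "dot_dot_inside": include_page(base, "static/../about.html"),
        "traversal": include_page(base, "../../../../etc/passwd"),
        "absolute": include_page(base, "/etc/passwd"),
        "embedded_nul": include_page(base, "about.html\x00.jpg"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Where the set of includable pages is known in advance, mapping a short identifier to a fixed table of files is simpler still, because no user-controlled text becomes part of a path at all.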
IDOR:
IDOR stands for Insecure Direct Object Reference. An attacker may access or manipulate sensitive data by directly referencing internal object references, such as database records, file identifiers, or other resources, without proper authorization or access control, due to a security vulnerability in a web application.
In the given scenario, the tester successfully exploited an IDOR vulnerability in a ticket booking system. They selected 10 tickets and used a tool like Burp Suite to intercept the request, where the price per ticket was 15 EUR, then modified the intercepted request to change the ticket price to 0 EUR. By forwarding the modified request, they were able to place the ticket order at a price of 0 EUR, taking advantage of the IDOR vulnerability.
Another scenario
In this case, the URL parameter admin seems to be related to session management. When you accessed the URL https://bwapp.hakhub.net/smgmt_admin_portal.php?admin=0, you received a “locked” page. However, when you changed the URL to https://bwapp.hakhub.net/smgmt_admin_portal.php?admin=1, the page was unlocked. This behavior suggests that the application is using the admin parameter to control access to the administrative portal.
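Both scenarios share one root cause: a value the client controls (the ticket price, the admin flag) decides something the server should decide from its own data. Here is an added example (not from the original post) with the vulnerable handler beside the fixed one for each case, plus the classic direct-object-reference check on a booking id. Prices, roles, bookings and user names are constructed; the event id and the 15 EUR price mirror the text.

```python
# Constructed server-side state. These tables, and the session user, are the only
# inputs the handlers trust; everything in params came from the client.
TICKET_PRICES_EUR = {"concert-42": 15}
USER_ROLES = {"alice": "customer", "admin": "admin"}
BOOKINGS = {101: {"owner": "alice", "event": "concert-42"},
            102: {"owner": "bob", "event": "concert-42"}}

class Forbidden(Exception):
    pass

def place_order_vulnerable(session_user, params):
    # Trusts the client-supplied price, so changing 15 to 0 in the intercepted
    # request (the first scenario in the text) yields a free order.
    return int(params["quantity"]) * int(params["price"])

def place_order(session_user, params):
    # The price is looked up server-side; the client only chooses what and how many.
    event = params["event"]
    quantity = int(params["quantity"])
    if event not in TICKET_PRICES_EUR or not 1 <= quantity <= 10:
        raise ValueError("invalid order")
    return quantity * TICKET_PRICES_EUR[event]

def admin_portal_vulnerable(session_user, params):
    # The ?admin=1 flag from the second scenario: a client-controlled value decides access.
    return "unlocked" if params.get("admin") == "1" else "locked"

def admin_portal(session_user, params):
    # Authorization comes only from the role bound to the authenticated session.
    if USER_ROLES.get(session_user) != "admin":
        raise Forbidden("admin role required")
    return "unlocked"

def get_booking(session_user, booking_id):
    # A direct object reference (the booking id) is fine; ownership is what must be checked.
    booking = BOOKINGS.get(booking_id)
    if booking is None or booking["owner"] != session_user:
        raise Forbidden("not your booking")
    return booking

def status(handler, *args):
    # Test helper: map the handler outcome to an HTTP-style status code.
    try:
        handler(*args)
        return 200
    except Forbidden:
        return 403
    except ValueError:
        return 400

if __name__ == "__main__":
    tampered = {"event": "concert-42", "quantity": "10", "price": "0"}
    print("vulnerable total:", place_order_vulnerable("alice", tampered))
    print("fixed total:     ", place_order("alice", tampered))
    print("alice at /admin?admin=1:", status(admin_portal, "alice", {"admin": "1"}))
```

The fixed handlers still accept the same request; they simply ignore the fields the client had no business setting and look the answer up themselves.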
Sensitive Data Exposure:
Sensitive data exposure refers to the vulnerability of exposing sensitive information, such as passwords, financial data, or personal information, either through insecure storage, transmission, or inadequate access controls.
When the cookie is decoded, the secret and the name are obtained as well.
SSRF:
A server-side request forgery vulnerability (SSRF) allows an attacker to make requests to other internal or external resources from the target server. By using this technique, it is possible to access sensitive information, perform port scanning, or exploit other vulnerable services.
Example:
Intercept the request and send it to Repeater.
Replace the stockApi URL with the SSRF payload. Access the admin panel using the SSRF payload "https://localhost/admin".
Here the user was deleted successfully.
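The stockApi parameter above and the Host header injection tried earlier with Burp Suite are the same class of problem: the server acts on a hostname the client supplied. This added example (not code from the original post) shows the two checks a defender puts in place: an allowlist for outbound fetches that also refuses loopback, private and link-local targets, and an allowlist for the Host header. The hostnames stock.example.com, www.example.com and example.com are assumed allowlists for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlists: the only upstream host the stock-check feature may call,
# and the hostnames this site is actually served under.
ALLOWED_STOCK_HOSTS = {"stock.example.com"}
SITE_HOSTS = {"www.example.com", "example.com"}

def is_non_public_host(hostname):
    # Literal addresses: reject anything not globally routable (loopback, RFC 1918,
    # link-local such as 169.254.0.0/16, unique-local IPv6, ...).
    # Names: reject localhost and its subdomains outright.
    name = hostname.lower().strip("[]")
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        return name == "localhost" or name.endswith(".localhost")

def is_safe_outbound_url(url):
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # https://trusted@internal/ style confusion
    host = parts.hostname
    if not host or is_non_public_host(host):
        return False
    return host.lower() in ALLOWED_STOCK_HOSTS

def is_valid_host_header(host_header):
    # Compare the Host header (minus any port) against the names we serve, instead of
    # echoing whatever the client sent into links, redirects or password-reset mails.
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host in SITE_HOSTS

if __name__ == "__main__":
    for candidate in ("https://stock.example.com/api/stock?productId=1",
                      "https://localhost/admin", "https://127.0.0.1/admin"):
        print(candidate, "->", is_safe_outbound_url(candidate))
    print("Host: www.example.com:443 ->", is_valid_host_header("www.example.com:443"))
```

Two things this offline check cannot do, and a real fetch must: resolve the allowlisted name at connection time and apply the same address test to the result (a public name can be pointed at an internal address), and refuse to follow redirects to hosts that would not have passed the check themselves.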
CSRF:
Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks you into unknowingly performing actions on another website that you are logged into. For example, the attacker can make you click a link or visit a page that performs a harmful action, like changing your password or making a purchase. Protecting against CSRF involves using security measures to verify the authenticity of requests and prevent unauthorized actions.
As you can see, the message field needs to be filled with the malicious URL so that the message will appear as a link.
In the second image, the message is a hyperlink to the malicious URL. When the user clicks this message, the funds transfer executes.
HTTP Verb Tampering:
An HTTP verb tampering attack occurs when an attacker manipulates or modifies the HTTP verb used in a request to a web server. HTTP verbs (methods) include commonly used ones such as GET, POST, PUT, DELETE, etc. By manipulating the verb, the attacker is able to perform unauthorized actions or access restricted resources.
For example, they may attempt to change a POST request to a GET request, allowing them to change the password.
Here we see the password has been changed.
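The CSRF section and the verb tampering section above describe two ways the same password-change endpoint gets abused, so one added example (not code from the original post) covers both: a handler that runs for any verb and checks nothing, beside one that allowlists POST and requires a per-session CSRF token. The session and user store are constructed dictionaries standing in for a framework's session and database.

```python
import hmac
import secrets

class HttpError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

def issue_csrf_token(session):
    # Called when the password form is rendered: a random token is bound to the
    # server-side session and embedded in the form as a hidden field.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def check_csrf(session, params):
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    # Constant-time comparison; a missing session token always fails.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise HttpError(403, "missing or invalid CSRF token")

def change_password_vulnerable(method, session, params, users):
    # Vulnerable on both counts from the text: the handler runs for any verb, so a
    # GET with the same parameters (verb tampering) changes the password, and nothing
    # proves the request came from the site's own form rather than from a page that
    # tricked the victim's browser into sending it (CSRF).
    users[session["user"]] = params["new_password"]
    return 200

def change_password(method, session, params, users):
    # Hardened: allowlist the single verb this endpoint supports (a deny-list such as
    # "block GET" would still let PUT through) and require the CSRF token.
    if method != "POST":
        raise HttpError(405, "method not allowed")
    check_csrf(session, params)
    if len(params.get("new_password", "")) < 12:
        raise HttpError(400, "password too short")
    users[session["user"]] = params["new_password"]   # a real system would hash this
    return 200

def attempt(handler, method, session, params, users):
    # Test helper: run a handler and return the resulting status code.
    try:
        return handler(method, session, params, users)
    except HttpError as err:
        return err.status

def legitimate_flow():
    # The site's own form: render (token issued), then submit with that token.
    session, users = {"user": "alice"}, {"alice": "old-password"}
    token = issue_csrf_token(session)
    code = attempt(change_password, "POST", session,
                   {"new_password": "correct horse battery", "csrf_token": token}, users)
    return code, users["alice"]

if __name__ == "__main__":
    forged = {"new_password": "attacker-chosen-pw"}
    print("vulnerable, forged GET:", attempt(change_password_vulnerable, "GET",
                                            {"user": "alice"}, forged, {"alice": "old"}))
    print("hardened, forged GET:  ", attempt(change_password, "GET",
                                            {"user": "alice"}, forged, {"alice": "old"}))
    print("legitimate flow:       ", legitimate_flow())
```

A forged request from another origin cannot include the token because the attacker's page never saw the form, and the 405 on GET means no state change can be triggered by a plain link or image tag. Marking the session cookie SameSite=Lax or Strict adds a second layer, since the browser then withholds the cookie on most cross-site requests.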