Penetration Testing Training

Web Application Penetration Testing – Part 2

This blog post series will be covering the topic of performing Web Application Penetration Tests. In part one of this series, we focused on gathering information about the web server. In this second part we will continue covering the information gathering phase of the Web Application Penetration Testing engagement and some more basic knowledge on the Web and the HTTP protocol.

HTTP Request

This is a GET request to the web site’s root path /.


The HTTP/1.1 indicates the use of HTTP protocol version 1.1.


The Host request-header field specifies the domain name of the server and (optionally) the TCP port number of the resource being requested. If no port is given, the default port for the service requested is implied. Don’t forget that a single IP address can host multiple host names (virtual hosting).


The User-Agent request-header field contains information about the user agent originating the request. It allows servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.


The Accept request-header field can be used to specify certain media types which are acceptable for the response. In details, it advertises which content types, expressed as MIME types, the client is able to understand. Using content negotiation, the server then selects one of the proposals, uses it and informs the client of its choice with the Content-Type response header.


The Accept-Language request-header field is similar to Accept, but restricts the set of natural languages that are preferred as a response to the request. It advertises which languages the client is able to understand, and which locale variant is preferred.


The Connection general-header field allows the sender to specify options that are desired for that particular connection. It controls whether or not the network connection stays open after the current transaction finishes. If the value sent is keep-alive, the connection is persistent and not closed, allowing for subsequent requests to the same server to be done.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

HTTP Response

This is the response to our request.


The HTTP/1.1 indicates the use of HTTP protocol and version 1.1.


The Content-Type entity-header field indicates the media type of the returned content.


The Server header contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens and comments identifying the server and any significant subproducts. Overly long and detailed Server values should be avoided as they potentially reveal internal implementation details that might make it (slightly) easier for attackers to find and exploit known security holes.


The Set-Cookie HTTP response header is used to send cookies from the server to the user agent, so the user agent can send them back to the server later.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

Meta Tags

Metadata is data (information) about data. The tag provides metadata about the HTML document. Metadata will not be displayed on the page, but will be machine parsable. Meta elements are typically used to specify page description, keywords, author of the document, last modified, and other metadata. The metadata can be used by browsers (how to display content or reload page), search engines (keywords), or other web services.

<head>
  <meta charset="UTF-8">
  <meta name="description" content="Free Web tutorials">
  <meta name="keywords" content="HTML,CSS,XML,JavaScript">
  <meta name="author" content="John Doe">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>

https://www.w3schools.com/tags/tag_meta.asp

The HTML head Element

The head element is a container for metadata (data about data) and is placed between the html tag and the body tag. HTML metadata is data about the HTML document. Metadata is not displayed. Metadata typically define the document title, character set, styles, scripts, and other meta information. The following tags describe metadata: title, style, meta, link, script, and base.

<head>
 <title>Page Title</title>
<meta charset="UTF-8">
<meta name="description" content="Free Web tutorials">
<meta name="keywords" content="HTML, CSS, XML, JavaScript">
<meta name="author" content="John Doe">
<meta http-equiv="refresh" content="30">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="mystyle.css">
<script src="/_js/jquery-1.12.4.min.js"></script>
<style>
  body {background-color: powderblue;}
  h1 {color: red;}
  p {color: blue;}
</style>

<script>
function myFunction {
  document.getElementById("demo").innerHTML = "Hello JavaScript!";
}
</script>
<base href="https://www.w3schools.com/images/" target="_blank">
</head>

https://www.w3schools.com/tags/tag_head.asp

Webpage comments

The comment tag is used to insert comments in the source code. Comments are not displayed in the browsers. You can use comments to explain your code, which can help you when you edit the source code at a later date. This is especially useful if you have a lot of code. With comments you can place notifications and reminders in your HTML. Comments are also used for debugging HTML, because you can comment out HTML lines of code, one at a time, to search for errors.

<!--This is a comment. Comments are not displayed in the browser-->

https://www.w3schools.com/html/html_comments.asp

HTTP Headers

HTTP headers let the client and the server pass additional information with an HTTP request or response. HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction. An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value. Whitespace before the value is ignored.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

HTTP cookie

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit-card numbers.

Cookies are mainly used for three purposes, Session management, Personalization and Tracking.

https://en.wikipedia.org/wiki/HTTP_cookie
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Nmap Tool

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use etc.

https://nmap.org/

Wappalyzer Firefox Addon

Wappalyzer is a browser extension that identifies software on websites.

https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

WhatWeb

WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

https://github.com/urbanadventurer/WhatWeb

Review webpage comments and metadata for information leakage using your browser

Open your favorite browser and navigate to the application. Right click to open the html source and review the HTML metadata. Keep notes of everything interesting, such as third-party libraries versions.

Review webpage comments and metadata for information leakage using Burp Repeater

Start your Burp Suite. Open the Repeater tab and type the following:

GET / HTTP/1.1
Host: juice-shop.herokuapp.com
Hit Send.

Retrieve third-party libraries versions using Firefox and Wappalyzer

You can use Wappalyzer addon to retrieve web server information, any third-party libraries versions and also fingerprint the Web Application’s Frameworks. After identifying third-party libraries and the web application framework, search for known vulnerabilities and the appropriate exploits to use.

Open the Firefox browser and navigate to the application. Click on Wappalyzer addon icon.

Retrieve webserver information and third-party libraries using WhatWeb

You can use WhatWeb tool to retrieve web server information, any third-party libraries versions and also fingerprint the Web Application’s Frameworks.

Webserver application service enumeration

Open a terminal and execute the nmap command, “nmap -sS -n -vv -Pn -p443 -sV -O –reason -oA tcp_web_server_juice-shop juice-shop.herokuapp.com”.

Web application Fingerprinting

Web application Fingerprinting is the process of identifying the web application technology and its version. You can then search the web for known vulnerabilities and the appropriate exploits to use. Some easy and relatively reliable ways to identify a web application, are the following.

Review the application-specific cookies

The following screenshot demonstrates a response from a web server that hosts a WordPress website.

Review Cookies

Open Firefox menu and click on the web developer menu.

Open the Storage Inspector tool.

Review the Web application’s cookies.

Look at the application’s HTML source code.

  • Search for interesting HTML comments,
  • Check for the existence of certain application-specific files and folders such as “/wp-admin/” and “/wp-content/” and
  • Review meta tags