This blog post series covers performing Web Application Penetration Tests. Part 1 and Part 2 focused on gathering information about the web server, the web application and its framework. Each of the previous posts opened with a few basic theory concepts on the Web and the HTTP protocol that you should understand and study further in order to excel at Web Application Penetration Testing.
In this third part we continue with the same structure as in the previous posts. We first cover a few basic theory concepts regarding the Web and then focus on the Dirbusting technique.
HTTP is a stateless protocol
HTTP is a stateless protocol: the server is not required to retain information or status about each user across multiple requests. Each request sent to the server is treated as a new request, and the server knows nothing about previous requests when a new one arrives. Web applications implement state (server-side sessions) using, for instance, HTTP cookies, basic authentication or hidden variables within web forms to remember who you are; otherwise you would have to re-enter your credentials with every HTTP request.
Page Structure – HTML
Styles and Layout – Cascading Style Sheets (CSS)
Web API – Document Object Model (DOM)
Dirbusting is brute-forcing a target with predictable folder and file names and monitoring the HTTP responses to enumerate server contents. This information can be used both for finding default files and attacking them, and for fingerprinting the web application. If there is a robots.txt file, apart from checking each of the folders it lists for sensitive information leakage, you should brute-force each of these folders to identify more predictable folders and files.
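What dirbusting looks like from the server side, as an added example that is not from the original post: the script below parses Apache/nginx combined-format access log lines (a constructed sample is embedded) and flags any client that produced a burst of distinct 404/403 responses inside a sliding time window, which is the trace the scans described in this post leave behind. The window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev

def find_dirbusting(lines, window_s=60, min_misses=5, miss_statuses=(404, 403)):
    """Return {client_ip: max distinct missed paths in any window_s-second window} for
    clients reaching min_misses; guessed paths mostly miss, so that burst is the signal."""
    misses = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] in miss_statuses:
            misses[ev["ip"]].append((ev["ts"], ev["path"]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({path for _, path in events[start:end + 1]}))
        if best >= min_misses:
            flagged[ip] = best
    return flagged

# Constructed sample log: 10.0.0.5 guesses directories, 192.168.1.20 browses normally.
UA = '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"'
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [10/Jan/2020:10:00:0{i} +0000] "GET /{d}/ HTTP/1.1" 404 153 {UA}'
    for i, d in enumerate(("admin", "backup", "old", "config", "test", "private"), 1)
] + [
    '192.168.1.20 - - [10/Jan/2020:10:00:03 +0000] "GET /blog/ HTTP/1.1" 200 5120 ' + UA,
    '192.168.1.20 - - [10/Jan/2020:10:00:09 +0000] "GET /blog/missing.png HTTP/1.1" 404 153 ' + UA,
])
```

Running `find_dirbusting(SAMPLE_LOG.splitlines())` flags only 10.0.0.5; the normal visitor's single 404 stays under the threshold.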
Burp Suite Intruder
Burp Intruder is a tool for automating customized attacks against web applications. It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.
Dirstalk is a multi-threaded application designed to brute force paths on web servers. The tool contains functionalities similar to the ones offered by dirbuster and dirb.
FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing. It’s the first and most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses. FuzzDB is like an application security scanner, without the scanner. Some ways to use FuzzDB:
- Website and application service black-box penetration testing with:
  - OWASP ZAP proxy's FuzzDB Zap Extension
  - Burp Proxy's Intruder tool and scanner
  - PappyProxy, a console-based intercepting proxy
- To identify interesting service responses using grep patterns for PII, credit card numbers, error messages, and more
- Inside custom tools for testing software and application protocols
- Crafting security test cases for GUI or command line software with standard test automation tools
- Incorporating into other Open Source software or commercial products
- In training materials and documentation
- To learn about software exploitation techniques
- To improve your security testing product or service
Directories Dirbusting with Dirstalk
Open a terminal and execute the following command. You should adjust each of the parameters according to your project’s needs.
./dirstalk scan http://example.com/ --dictionary /opt/fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-directories-lowercase.txt --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" --scan-depth 5 --threads 10 --out dirstalk-results.json --http-statuses-to-ignore 404 --http-timeout 2000
- scan – scan the given URL.
- --dictionary – dictionary to use for the scan.
- --user-agent – user agent to use for HTTP requests.
- --scan-depth – scan depth.
- --threads – number of threads for concurrent requests.
- --out – path where to store result output.
- --http-statuses-to-ignore – comma-separated list of HTTP statuses to ignore when showing and processing results, e.g. 404,301.
Files Dirbusting with Dirstalk
When you discover a directory, you should scan it with dirstalk and a list of known filenames. Open a terminal and execute the following command.
./dirstalk scan http://example.com/wp-admin/ --dictionary /opt/fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-files-lowercase.txt --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" --scan-depth 1 --threads 10 --out dirstalk-files-results.json --http-statuses-to-ignore 404,500 --http-timeout 3000
Directories Dirbusting with Burp Intruder
Start your Burp Suite. Open the Intruder tab and type your GET request. Load the raft-large-directories-lowercase.txt list, adjust your Options, e.g. 10 threads, and hit “Start attack”.
GET /blog/ HTTP/1.1
Host: 192.168.5.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Files Dirbusting with Burp Intruder
Start your Burp Suite. Open the Intruder tab and type your GET request. Enter here a directory discovered in the previous step, e.g. "wp-admin", and then load the raft-large-files-lowercase.txt list. Adjust your Options according to your needs, e.g. 10 threads, and hit "Start attack" to launch the brute-force attack.
GET /blog/wp-admin/ HTTP/1.1
Host: 192.168.5.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1