Penetration Testing Training

Web Application Penetration Testing – Part 3

This blog post series will be covering the topic of performing Web Application Penetration Tests. Web Application Penetration Testing Part 1 and Part 2 focused on gathering information about the web server, the web application and its framework. Each one of the previous posts mentioned at the beginning, a few basic theory concepts on the Web and the HTTP protocol that you should be able to understand and study further in order to excel at Web Application Penetration Testing.
In this third part we will continue using the same structure as we did in the previous blog posts. We are going to mention a few basic theory concepts regarding the WEB at the beginning of our post and then we will focus on the Dirbusting technique.

HTTP is a stateless protocol

HTTP is a stateless protocol. A stateless protocol does not require the HTTP server to retain information or status about each user for the duration of multiple requests. Each request sent to the server is treated as a new request. The server knows nothing about the previous requests when receiving a new request. Web applications implement states or server-side sessions using for instance HTTP cookies, basic authentication or hidden variables within web forms to remember who you are. Otherwise, you’d have to reenter your credentials for every HTTP request sent.

https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

Page Structure – HTML

Hypertext Markup Language (HTML) is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript. Web browsers receive HTML documents from a web server or from local storage and render the documents into multimedia web pages. HTML describes the structure of a web page semantically and originally included cues for the appearance of the document.

https://en.wikipedia.org/wiki/HTML

Styles and Layout – Cascading Style Sheets (CSS)

Cascading Style Sheets (CSS) is a style sheet language used for describing the presentation of a document written in a markup language like HTML. CSS is a cornerstone technology of the World Wide Web, alongside HTML and JavaScript. CSS is designed to enable the separation of presentation and content, including layout, colors, and fonts. This separation can improve content accessibility, provide more flexibility and control in the specification of presentation characteristics, enable multiple web pages to share formatting by specifying the relevant CSS in a separate .css file, and reduce complexity and repetition in the structural content.

https://en.wikipedia.org/wiki/Cascading_Style_Sheets

Dynamic Functionality – Javascript

JavaScript often abbreviated as JS, is a high-level, just-in-time compiled, object-oriented programming language that conforms to the ECMAScript specification. JavaScript has curly-bracket syntax, dynamic typing, prototype-based object-orientation, and first-class functions. Alongside HTML and CSS, JavaScript is one of the core technologies of the World Wide Web. JavaScript enables interactive web pages and is an essential part of web applications. The vast majority of websites use it, and major web browsers have a dedicated JavaScript engine to execute it.

https://en.wikipedia.org/wiki/JavaScript

Web API – Document Object Model (DOM)

The Document Object Model (DOM) connects web pages to scripts or programming languages by representing the structure of a document—such as the HTML representing a web page—in memory. Usually that means JavaScript, although modeling HTML, SVG, or XML documents as objects is not part of the JavaScript language, as such. The DOM is cross-platform and language-independent. The DOM represents a document with a logical tree. Each branch of the tree ends in a node, and each node contains objects. DOM methods allow programmatic access to the tree; with them one can change the structure, style or content of a document. Nodes can have event handlers attached to them. Once an event is triggered, the event handlers get executed.

https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model
https://en.wikipedia.org/wiki/Document_Object_Model

Dirbusting

Dirbusting is brute forcing a target with predictable folder and file names and monitoring HTTP-responses to emumerate server contents. This information can be used both for finding default files and attacking them, and for fingerprinting the web application. If there is a robots.txt file, except from checking each one of the listed folders in the robots.txt file for any sensitive information leakage, you should brute-force each one of these folders to identify more predictable folders and files.

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Burp Suite Intruder

Burp Intruder is a tool for automating customized attacks against web applications. It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.

https://portswigger.net/burp/documentation/desktop/tools/intruder/getting-started

Dirstalk

Dirstalk is a multi-threaded application designed to brute force paths on web servers. The tool contains functionalities similar to the ones offered by dirbuster and dirb.

https://github.com/stefanoj3/dirstalk

FuzzDB

FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing. It’s the first and most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses. FuzzDB is like an application security scanner, without the scanner. Some ways to use FuzzDB:

  • Website and application service black-box penetration testing with
  • OWASP Zap proxy’s FuzzDB Zap Extension
  • Burp Proxy’s intruder tool and scanner
  • PappyProxy, a console-based intercepting proxy
  • To identify interesting service responses using grep patterns for PII, credit card numbers, error messages, and more
  • Inside custom tools for testing software and application protocols
  • Crafting security test cases for GUI or command line software with standard test automation tools
  • Incorporating into other Open Source software or commercial products
  • In training materials and documentation
  • To learn about software exploitation techniques
  • To improve your security testing product or service

https://github.com/fuzzdb-project/fuzzdb

Directories Dirbusting with Dirstalk

Open a terminal and execute the following command. You should adjust each of the parameters according to your project’s needs.

./dirstalk scan http://example.com/ --dictionary /opt/fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-directories-lowercase.txt --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" --scan-depth 5 --threads 10 --out dirstalk-results.json --http-statuses-to-ignore 404 --http-timeout 2000
  • scan – scan the given URL.
  • –dictionary – dictionary to use for the scan.
  • –user-agent – user agent to use for http requests.
  • –scan-depth – scan depth.
  • –threads – amount of threads for concurrent requests.
  • –out – path where to store result output.
  • –http-statuses-to-ignore – comma separated list of http statuses to ignore when showing and processing results; eg: 404,301.

Directories list used: https://github.com/fuzzdb-project/fuzzdb/blob/master/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-directories-lowercase.txt

Files Dirbusting with Dirstalk

When you discover a directory, you should scan it with dirstalk and a list of known filenames. Open a terminal and execute the following command.

./dirstalk scan http://example.com/wp-admin/ --dictionary /opt/fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-files-lowercase.txt --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" --scan-depth 1 --threads 10 --out dirstalk-files-results.json --http-statuses-to-ignore 404,500 --http-timeout 3000

Files list used: https://github.com/fuzzdb-project/fuzzdb/blob/master/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-files-lowercase.txt

Directories Dirbusting with Burp Intruder

Start your Burp Suite. Open the Intruder tab and type your GET request. Load the raft-large-directories-lowercase.txt list, adjust your Options, e.g. 10 threads, and hit “Start attack”.

GET /blog/ HTTP/1.1
Host: 192.168.5.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Files Dirbusting with Burp Intruder

Start your Burp Suite. Open the Intruder tab and type your GET request. You should enter here a directory discovered from the previous step e.g. “wp-admin” and then load the raft-large-files-lowercase.txt list. You should adjust your Options according to your needs, e.g. 10 threads. Hit “Start attack” to launch the brute-force attack.

GET /blog/wp-admin/ HTTP/1.1
Host: 192.168.5.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1