Pen Testing Web Applications 101

There are several tools that should be in every web application pen tester's tool kit. I will spend a little time talking about each of these and what functions they perform. I cannot hope to cover all the topics of web app pen testing in one blog post; this is my essential list of the tools that I use. If anyone has any ideas or thinks I may have missed anything, please add it to the comments. I'd love to know what other people use and think is relevant. If you are new to pen testing web apps, this post should get you started.

My main tool to start pen testing a web application is Firefox, loaded down with a ton of extensions. You have to interact with the application as a user and not just turn your favorite scanner loose on it. I have never found anything with a scanner that I would not have found by manually testing the application. I have, however, found many more vulnerabilities by hand that the scanners could never dream of. My list of extensions follows:
  1. TamperData - A quick and dirty local proxy that allows you to intercept requests and modify them before they are submitted to the server.
  2. WebDeveloper Toolbar - Essential. Gives you quick access to view page source, see form details, display and modify hidden fields, etc.
  3. Add N Edit Cookies - Great for cookie poisoning... it allows you to edit cookies. Nuff said.
  4. ShowIP - Displays the IP address of the server you are connected to, as well as hot links to tools on dnsStuff.com.
  5. FoxyProxy - Allows you to switch proxies on the fly or by URL pattern. I don't know what I would do without this. I use it to switch between my corporate proxy at work and home, and between WebScarab and Burp, and to create patterns so that the site I'm testing always goes through WebScarab while any other site goes direct.
A local proxy is essential for testing any web application. It lets you perform a man-in-the-middle attack on your own browser session, which is useful for bypassing client-side validations such as a limit on the number of characters in an input box or JavaScript that checks for numeric-only input. A proxy also lets you poison cookies, change GET to POST, tamper with the headers, add POST parameters and modify hidden fields: any part of the HTTP request can be modified before it is submitted to the server. Below is a list of the proxies I prefer.
  1. WebScarab - allows importing of WSDLs for fuzzing web services, spider functionality, manual requests, session ID analysis, and encoding/decoding features.
  2. Burp Suite - spider functionality, replay requests, fuzzing features.
  3. TamperData - the most limited of the three, but it has some great features. You do not have to change your proxy settings to use it, and it has XSS and SQL injection presets and encoding/decoding features. It does not have the functionality to modify raw HTTP requests.
Other Open Source Tools
  1. Nikto - Looks for vulnerabilities in web servers.
  2. w3af - Web Attack and Auditing Framework. I'm still testing this out at the moment. It provides checks for common web application vulnerabilities like SQL injection, XSS, URL guessing, etc. and generates an HTML report on the findings.
  3. netcat - a networking utility for reading and writing data over network connections.
Gray Matter
This is the most important tool. Really understand how the application is built and what technologies it employs. Understand the authorization model: what type of data the application handles, how it is stored, who has access to the data, what all the possible entry points into the application are (i.e. flat files, external databases, JMS...), what the password policy is, how many failed login attempts are allowed before lockout, and whether there are audit and logging mechanisms. You have to understand the box to think outside of it.

Error messages are your friend. Try using all the tools above to inject data the application is not expecting and see how it reacts. If you have the source code, you can see what will work and what will not. Try forcefully browsing to URLs that are either outside your role or reachable without even logging in. I have been granted access to all the admin features of many applications just because the developers didn't think that people could guess URLs and did not validate the session before performing updates.
Look for URLs that update data. Try injecting SQL characters like a tick mark into the POST parameters of these and observe how the application reacts. Always try logging in with pwnd' OR 1=1 -- or a variation like pwnd' OR '1'='1' and rownum=1 --.
Study how the application uses cookies and sessions, and how much data is stored server side vs. client side (i.e. in the browser). Anything sent to the client can be modified before it is resubmitted to the server.
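To show why the tick-mark login test above finds the bug and what the fix looks like, here is an added example (not code from the original post) using Python's sqlite3 module against a constructed in-memory user table; the login function names, table layout and credentials are all made up for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'user')")
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: the POST parameters are spliced into the SQL text.

    With username = "pwnd' OR 1=1 --" the WHERE clause becomes
    username = 'pwnd' OR 1=1 --' AND password = '...'
    so the password check is commented out and the first row (alice, the
    admin) is returned regardless of the password supplied.
    """
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters keep the input as data, not syntax.

    The same payload is compared literally against the username column,
    matches nothing, and the login fails.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "pwnd' OR 1=1 --"
    print("concatenated :", login_concatenated(db, payload, "anything"))
    print("parameterized:", login_parameterized(db, payload, "anything"))
    print("legit login  :", login_parameterized(db, "bob", "hunter2"))
```

Running it prints the admin row for the concatenated query and `None` for the parameterized one, which is exactly the difference the tick-mark test is probing for.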

I hope this is informative to some people. This is what seems to work well for me. Again, I would love to hear about what other people use, so please feel free to leave comments.



Anonymous said...

If you are looking for more information on TamperData I have written the following post on how to use it more effectively.
SamuraiNet Blog

Term Papers said...

Your article is well written. Can't wait to read more.

Indianapolis Craigslist said...

Your post is really good. This is one of the highly informative and attractive blogs that has not only educated but also informed me in a very effective manner. There are very few blogs like this one that I have read. Thanks for sharing such valuable information with us.