Advanced Ethical Hacking - Web Application Testing Tools Tutorial

Acquiring W3Af

We're going to require a w3af at this point. Now, w3af is a web application testing framework. It's kind of along the lines of Metasploit, except it's really designed for web testing. So, you can see I'm at And it's scheming through a little slideshow, you could see where we could download it and it's really geared as I said towards doing testing of web application.

So there are a lot of plugins and modules that are in w3af, they are really targeted At doing some pretty exhaustive testing of your web application. Now, I've actually got an Ubuntu Linux installation here and under Linux or Ubuntu Linux. The process of doing the installation is actually really easy.

So I'm just going to search for w3af and it should come back here with two versions. So there's w3af And W3AF console. So there's a graphical interface. And there's a console version or a text-based interface. So what I'm going to do, I'm going to install the full version so the graphical version. And we'll get the Console version, as well. So I've done the installation. It actually says I've got the newest version already. But that's how you would do the installation.

Under Ubuntu, you would do an apt-get install w3af. It goes and downloads the package, does the installation for you, and miraculously We've got the package. So what I can do once I've got it is I can just launch it from the command line here and it'll bring up the application for me so that I can actually go do the configuration and testing that I want to do with it.

So we'll look at doing the configuration coming up in the upcoming videos.

Installing W3Af

We want to be able to do some web application testing. And that means we need some tools to do that as well, of course, some manual techniques. Now there's a pretty good tool that's available called w3af. Now, w3af is kind of like the Metasploit in web application testing in that It's really a framework for developing plugins and exploits and being able to run a lot of different test against a particular web application server.

Now there are a number of different ways to get a copy of w3af and One of the ways is just using the get clone command under Linus BSD or Mac. Now there isn't a Windows version at the moment although there used to be. Now another way of actually getting W3AF is using Backtrack Linux. Or collie Linux.

Now backtrack is the penetration testing or forensics live CD. So it does a lot of security-oriented functions. And it's a live CD. You boot it up and you can run A lot of different security tools.

The current version is Kali Linux and this is the successor to backtrack. So this is another place where you could actually get and use w3ef. It actually comes installed on the backtrack or Kali Linux Live CD, so if you were to get a copy of Kali Linux you would just automatically get w3af as part of a whole package of security tools, and it's a pretty good thing to have in your tool chest. So having a copy of Backtrack Or Kali on a CD is something you can take anywhere with you boot up and just be working on a system wherever you happen to be.

So we're going to be looking at configuring and running W3AF coming up

Running W3Af

W3AF. And actually, I am in a Backtrack Lunnix virtual machine. So I've got backtrack Lunnix loaded up. I've actually got it installed on a hard drive rather than just simply booted up on a live CD which means I can actually make changes to the file system And have them stored across multiple reboots. So the first thing I'm going to do is I'm going to do a backtrack. I'm going to go to vulnerability assessment, web application assessment, web vulnerability scanners and I could do either a console version or the GUI version. I'm going to do the GUI versions just a little bit easier to work with because it has a lot of Things that we could actually make changes to. And in order to do that in the console, you have to go into an area, make a change, back out, go in, back out, go in, back out. It's just easier to do it in the GUI.

So we're here in the interface for w3af. And I would plug a target in here. You can see there is a number of profiles on the left under the Scan config and right here is where we've got the plugin groups and the list of plugins.

So you can see there's a lot of different plugins that are available and this really gives you a lot more control Then some of the commercial scanners. It also gives you the ability to add your own plugins if that's what you want to do. That's really what this is all about. It's an attack and audit framework. Which means you can add plugins. There are new plugins that get added by the developers on a semi-regular basis. And it does keep track of When there are updates. And allows you to download them. So there are a number of profiles that are preconfigured as I suggested. We had an empty profile here.

And I want to take a look at some of the others. I'm going to jump into a fast scan. And right now I'm in the fast scan. And fast scan will Just turn on some very basic plugin checks and you can see we've got cross-site scripting, sequel injection. There's a discovery set of plugins. And I don't see anything checked under discovery. Although there was something And there's not anymore.

So the thing about w3af is that sometimes the interface can be a little bit buggy and sometimes a little bit challenging to work with, but what you can certainly do is start with the empty profile And start plugging things in and we'll do that coming up next.

Configuring W3Af

What I want to do now is start building a set of checks that I want to do against a particular target. So I'm going to set my target here And I'm going to use that as my target. Now I want to set some audit plugins. We'll check for blind SQL injection. We can do some checking for some command injections. going to do some generic checks. And going to do some SQL injection here. And we'll do a cross-site scripting. Cross-site tracing. And cross-site request forgery.

Now I want to do a brute force, which is going to see if it can guess the username and password. And we're going to do some discovery here. Now one of the nice things that w3ef has is it has a directory brute force utility or tool. And what that does is it goes through and it tries to find directories that may be hidden by not having links from other pages in the website. So That can discover directories that are there that you may not actually see just doing a spider. So there are a number of plugins under here. We can do some things with Google. We can use the google hacking database. We can check for PHP And I actually want to do that.  And I'm going to run Picto which is a Python version of Nikto. And I think that's all I'm going to do right here, although you can see there's a lot of different Plugins that are available.

There are a URL fuzzer and a URL list. We can look for user directories, can check for differences in websites, there are evasion plugins that may allow you to get through different web application firewalls or other security checks. There's grep and mangle. And a lot of different things, but right now, we're just going to go with the very simple set of plugins that we've got here.

Now, all I have to do is click start and it immediately dumps us over to the log tab. We start to see that we're getting some responses, here. So, now we can go over to results, and we can see what we've got. Looks like we found something with PHP info. So, there was a PHP info file that was found, and we've got some vulnerabilities, based on some different PHP settings. Now, what I can do is With w3af, there's actually an exploit tab.

And what I can do is go over to the vulnerabilities and see whether there are Different exploits that are available, whether it's a div shell or a command injection using eval or File Upload, doing some SQL map or sql_webshell, remote file includes a shell. So there are potential ways that you may be able to gain access to the system through web application vulnerabilities.

And w3af actually gives you the ability to quickly jump in and see whether there's something there. So I could do an Exploit All Phones, for example. And I could run that against a remote file shell, include And at the moment we don't have any vulnerabilities that appear to be exploitable. But you can see we're chugging through here finding a number of different vulnerabilities and eventually we'll get to a point where we'll see some Results from the brute forcing attempt on the login form.

And we'll get a number of other vulnerabilities, just because there are a lot of vulnerabilities on this particular web page. But you can see very clearly all of the results here in the log tab. And if you want just the short and sweet you go to the results tab.

Then, once you're done you can hop over to the exploit tab and see whether there's anything exploitable or whether you just want to dig a little bit further into some of the results and see what we've got.

Acquiring And Configuring Zed Attack Proxy (ZAP)

We have talked a little bit about the open web applications security project OWASP previously and they're involved in a lot of different projects that have to do with web application security. One of the projects that they are involved with Is basically a web application scanner and what we've got is a Zed Attack Proxy and the short version of that is ZAP. So what I want to do is I want to download ZAP here.

So it's going to send me off to You can see we've got Linux versions, Windows versions, and we've got The ZAP API. And right here is what I want, is the Mac OS version. So I'm going to download that.

Now, this is primarily a Java-based application. And so it runs pretty much anywhere, and what it does is very similar to what we've looked at previously with Burp Suite, in that it's a proxy-based web application test program. So We can use ZAP to do the same sorts of things that we could do with Burpsuite but ZAP has some slightly different functionality and it works in a little bit different a sort of way.

On top of that, where Burp costs a small amount of money, the Zed Attack Proxy is actually free. So it's a fairly large package. It's going to take some time to download and what we can do while that's downloading is we can just take a look at some screenshots and see how they actually work. So you can see that we've actually got the same sort of thing here as we did with Burp Suite.

We've got the sites over here on the left, and this is a little bit different down at the bottom is where you see some of the results. And we've got an alert here and we've got the description and the solution. It's one of the nice things about these sorts of tools is not only do they tell you that there's a problem, but they give you the Ability to easily go in and do some fixing on it because they tell you how to go about fixing it. So here we've got a request and a response.

Now, OWASP actually allows you to set breakpoints Which is helpful because it will allow you to stop at particular points within the application, and see what's going on. I'm going to let ZAP continue to download at this point, and then we'll take a look at actually using it To do some testing with a web application.

Quick Start with ZAP

I've downloaded the Zed Attack Proxy at this point and the Zed Attack Proxy as it's named suggest that a proxy similar to burp suite and rad proxy and some other proxy Proxy-based testing tools. Now one of the things you can also do with Zed Attack Proxy is just simply do a quick start here. So I'm going to do a quick start against this particular site. So we're going to run an attack And you can see it very quickly does some work about getting information. So it does a quick spider and then it runs a number of checks to see wether its got some vulnerabilities or not. So you can see we've actually flagged some vulnerabilities and this is a much quicker way of getting going than setting up a web browser to go through this particular proxy doing all of this workaround going to the site and poking around a little bit to get started and then do the spider that way.

This quick start here makes it much faster just to get going. So if I were to look at Alerts I could see all of the alerts that I've got here. Looks like we've got some cross site scripting that we're vulnerable to and some Directory browsing. It looks like we've find an There are some other issues here that you may or may not worry about depending on what your tolerance for this particular risk is.

So cookies set with http only flag, meaning There is a cookie that could be accessed using some other protocol other than just HTTP. So, JavaScript, for example, may be able to read a cookie, rather than just doing an HTTP cookie request, and having the browser handle it JavaScript would give you programmatic access to the cookie and cookies can store a lot of data including things like usernames and passwords, credit card information, various other session credentials.

A lot of different things get stored in cookies, so if you don't have that HTTP only flag set in your web application, you may actually be vulnerable to Somebody doing some cookie stealing or cookie hijacking. So this is how you would do a quick start using the Zed Attack Proxy. You just plug your site in, have it go, it does some quick spiders and just some basic checks and that's how you would get some very quick results using ZAP.

Scanning with ZAP

So we want to take a look at some of the different ways that we can do scanning using the Zed Attack Proxy. So we've got the site that we've been working with up here. And I've actually got a directory that I have selected. And if I right-click on this. And select attack. I want to do a forced browse directory. So I've actually got a list that I have selected here. There are a number of lists that I could chose from based on the size.

Of course the larger size means it's going to take a lot longer. So what it's doing now is It's doing some brute force checking to see what different directories may be available that didn't show up in a spider, so we're just doing some guesses on what directories we think may actually be there. So We're going through and we've found a number of directories here and we're only 7% in at this point.

Now, that's just one way of doing an attack. I could also do this right here. I could select the top URL there in my site listing And I could do an active scan on the site.

Now, I've got a forced browse going, then I'm also doing an active scan. So the scan is going through and it's actually looking for vulnerabilities, so we're checking for cross-site scripting, we're checking for SQL injection, we're checking for Basically all of the known web application vulnerability types. And we're checking all of the pages. You can see here is the list of all of the pages that it's gone and checked. And here's the parameters for these URL parameters that it's passed in. So we can take a look at Any of the requests that have been sent. And right here is the request, and we can take a look at the response. And we actually got an index page back. Now I could go back and take a look at alerts, and see whether we've gotten anything else back here.

We've got a private IP disclosure, which Is pretty meeting less because I'm on a private network using a private IP range of course everything that shows up is an IP as going to be a private IPs. So this ones not really worth looking at at all. So there are lot of different ways I can do attacks using Zed Attack Proxy. I could do an Ajax spider, I could do a forced browse, which may turn up a lot of directories and pages that I hadn't seen otherwise, I could do a spider and of course I could do the active scan. Now there's some other capabilities of Does that attack proxy as well and we'll take a look at those coming up.

Spidering with ZAP

So we've done a quick start using the ZED attack proxy. And the quick start is really just as easy as plugging a URL in and hitting attack. You don't have to configure a browser to do this. It makes it really easy. It does the spider and then it does the scan for vulnerabilities. Now, the ZAP attack proxy is really good about giving you the request and the response. So if I clicked on this page right here, you can see the request that was issued to get that page. So we've got the get request, and then here's all of the other HTTP headers. We're using a user agent of Mozilla and pretending to be Windows XP right here. So I can also look at the response. And here's the HTTP headers that I got in the response.

And now here's the HTML that I got in the response as well. So that's how you would take a look at the information that you get back, from the request to the response.

And what I want to also show you here is just how to do a quick spider.

So if I right-click on The host that I want to look at. And I select attack I could do a spider site. And since I've got the site selected I may as well do a spider site. But there are other types of spiders that I could do and it would alter the context of the Spider that I'm going to be doing. Now what a spider is is where you go grab a page, you find links on that page, you follow those links, get more links, and so on and so forth until you've got all of the pages that you can find within that particular site.

Now what we've done here is we've limited the scope to that particular site which means when you a link like for example, it gets flag as out of scope and you can see the red button here indicates it wasn't process. So we didn't actually go to these pages because they're out of scope, they don't belong To the particular site that we were just looking at. So a spider is one of the first things that you want to do so you can get all of the pages within the site. So now I've got the list of all of the pages within that site and, as I noted before.

You can go take a look at the requests and the responses and see how Zap actually interacted with the web server.

Fuzzing With ZAP

One last thing to take a look at here is doing some fuzzing with Zed Attack Proxy. Now, this is similar to some of the attacks that we were doing with Burp Suite, and doing some intruder sorts of things.

So, fuzzing Gives me the ability to actually do some playing around with different parameters. So you can see I've actually got a request here. I've got a get on this union one dot PHP. We can see that there are two parameters, there's an admin and a union name.

So What I want to do here is I actually want to play with the admin parameter. So I'm going to select that parameter and then I'm going to select fuzz. Now I've got some categories here. I'm actually going to Select SQL injection just for fun here. And now we'll pick one of the fuzzers to use. We'll use active SQL injection. And now I can do a fuzz.

So I've got 200 okays coming back from all of these and if I select one of them You can see the request that was sent. Now lets take a look at the response and see what we've got for data. So we've actually got a sequel error here. We've got access denied for user root at local host So we're getting some interesting information back because it looks like there may be some possibilities for doing sequel injection.

Since we're actually getting a sequel error back from the attack that we're running. So maybe what we want to do Is we're going to go back to the request here and I'm going to go back to. I'm going to select admin again Then, I'm going to select the parameter all the way up to Union Name and I'm going to do Fuzz again and this time I'm going to do SQL Injection and I'm going to do My sequel injection. And we're just going to run that fuzz. So what did I get for a response here? Because it looks like I've got successful here, and I've got a state of reflected.

So let's take a look at what we got. Well what we got is actually Just the error message again. If I take a look at successful one of these over here, again, we're still getting error messages. But that gives me some hints that maybe there's some vulnerabilities with SQL Injection in these particular parameters.

And it may just take some more work and digging to see What I can do and maybe get around this access denied error somehow. So that's how you would do fuzzing, and be able to quickly and easily do a lot of parameter adjustments in a pretty short period of time.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Work Email*
Phone Number*
Job Title*