Before you can start testing a Web App’s security, it’s a good idea to first learn more about what the Web App is, how it functions, what a normal user can do with it and importantly, how it’s built. It’s no good trying to run an exploit built for a PHP application if your target is written in Java.
One of the first things I do when I start testing a Web App is to scan for directories. Often you’ll find directories that aren’t necessarily easily accessible just by clicking around, so a directory scanning tool comes in handy to find them for you.
I’ve already got a Metasploitable server running in VirtualBox. Install Gobuster and run the following command:
$ gobuster dir -u http://22.214.171.124 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
I won’t go into depth explaining how Gobuster works, but this command tells it to scan the URL (with -u), and -w picks the wordlist to use. Gobuster, similar to password cracking tools, uses wordlists of commonly named files and folders to “brute force” scan for the directories on a server. The scan will likely take a few minutes, however you’ll start to see found directories pretty quickly.
While this is running I’ll fire up Burp Suite and set it up to proxy my web browser. Burp is already installed on Kali Linux, and Firefox’s proxy settings are easy to configure. I like to use the browser extension FoxyProxy to make activating and deactivating the proxy nice and easy.
Burp’s far too powerful to go into in a single post, but there are some awesome learning materials online. I can recommend the Introduction to Burp over at Bugcrowd University, and TryHackMe has some good learning materials as well.
Just turning Burp on (with Intercept OFF) and clicking around the site gathers a lot of useful information about how the site is structured and how it passes data back and forth between the client and the server. I wouldn’t recommend trying to tamper with anything just yet; this is a fact-finding mission at the moment.
Make sure to keep checking back on Gobuster to see how it’s going.
Another good tool to use is Nikto. Nikto is a web scanner that gathers information about an application, including potential vulnerabilities. This is also worth letting run in the background; depending on the size of the application it could take a while.
And of course, nmap can scan your target and find open ports and running services that may or may not be related to the application you’re targeting. I’d just advise here to check your scope and make sure you’re authorised to scan ports other than HTTP/HTTPS.
While this post wasn’t intended to demonstrate how to pentest a web application, I hope it showed some techniques and tools to use during the discovery phase of a pentest. These tools will allow you to map the application structure, find software versions, open ports and hidden directories to investigate, and hopefully locate some vulnerabilities that can be exploited in the next phase.