Before you can start testing a Web App’s security, it’s a good idea to first learn more about what the Web App is, how it functions, what a normal user can do with it and, importantly, how it’s built. It’s no good trying to run an exploit built for a PHP application if your target is written in Java.
Enumeration is one of the first steps you’ll conduct when assessing the security of a Web Application, and it is essentially the process of trying to understand the application you’re working with: studying the blueprints, mapping all the doors and windows, and looking for all the potential entry points.
One of the first things you’ll do when testing a Web App is to scan the app looking for directories or hidden pages. Often you’ll find content that isn’t necessarily easily accessible just by clicking around, so a directory scanning tool comes in handy to find them for you.
In this demo I’ll show how gobuster works to start building a map of the application. Gobuster is a brilliant tool written in the Go programming language.
I’ve already got a Metasploitable server running in VirtualBox. Install Gobuster and run the following command:
This command tells Gobuster to scan the URL (given with -u), and -w picks the wordlist to use. Gobuster, similar to password cracking tools, uses wordlists of commonly named files and folders to “brute force” scan for the directories on a server. The scan will likely take a few minutes; however, you’ll start to see found directories pretty quickly.
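Seen from the server side, a wordlist scan like this leaves a distinctive trail: one client requesting many distinct, non-existent paths in a short time. The following detector is an added example (not from the original post) that flags that pattern in Apache combined-format access logs; the log lines, IP addresses, wordlist and User-Agent string are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_dir_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: n} for clients that hit >= threshold distinct 404 paths inside
    any sliding `window`; n is the largest such count seen for that client."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in misses.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # advance window end, drop stale head
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = len({r["path"] for r in recs[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def _line(ip, ts, path, status, ua):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status} 196 "-" "{ua}"'

# Constructed sample log: a normal visitor with two dead links, and one client walking a
# wordlist of guessed directory names at one request per second. The UA string is made up;
# scanners can send any UA, which is why the detector keys on the 404 burst instead.
T0 = datetime(2024, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
VISITOR = [("/", 200), ("/login.php", 200), ("/old.html", 404), ("/about", 200), ("/favicon.ico", 404)]
WORDLIST = ["admin", "backup", "cgi-bin", "config", "dev", "images",
            "include", "logs", "old", "phpmyadmin", "test", "tmp"]
SAMPLE_LOG = [_line("10.0.0.5", T0 + timedelta(seconds=i), p, s, "Mozilla/5.0")
              for i, (p, s) in enumerate(VISITOR)]
SAMPLE_LOG += [_line("10.0.0.9", T0 + timedelta(seconds=i), f"/{w}", 404, "gobuster/3.6")
               for i, w in enumerate(WORDLIST)]

if __name__ == "__main__":
    print(find_dir_bruteforce(SAMPLE_LOG))   # {'10.0.0.9': 12}
```

Tune `threshold` and `window` to the site’s normal 404 rate before alerting on it; a real application with many stale links will need a higher threshold than this toy log.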
While this is running I’ll fire up Burp Suite and set it up to proxy my web browser. Burp is already installed on Kali Linux, and Firefox’s proxy settings are easy to configure. I like to use the browser extension FoxyProxy to make activating and deactivating the proxy nice and easy.
Burp’s far too powerful to go into in a single post, but there are some awesome learning materials online. I can recommend the Introduction to Burp over at Bugcrowd University, and TryHackMe have some good learning materials as well.
Just turning Burp on (with Intercept OFF) and clicking around the site gathers a lot of useful information about how the site is structured and how it passes data back and forth between the client and the server. We aren’t trying to tamper with anything just yet; this is a fact-finding mission at the moment.
Make sure to keep checking back on Gobuster to see how it’s going.
Another good tool to use is Nikto. Nikto is a web scanner that gathers information about an application, including potential vulnerabilities. This is also worth letting run in the background; depending on the size of the application it could take a while.
And of course, nmap can scan your target and find open ports and running services that may or may not be related to the application you’re targeting. I’d just advise checking your scope here and making sure you’re authorised to scan ports other than HTTP/HTTPS.
You should be taking plenty of notes of your findings, including screenshots and links to any pages or directories you discover. Everything you find could potentially lead to something down the track when you start actively testing the application.
While this post wasn’t intended to demonstrate how to pentest a Web Application, enumeration is one of the first, and often more important, parts of the pentesting process. I hope this post showed some techniques and tools to use during the discovery phase of a pentest that will allow you to map the application structure, find software versions, open ports and hidden directories to investigate, and hopefully locate some vulnerabilities that can be exploited in the next phase.