SlideShare a Scribd company logo

Web Application Penetration Testing.pdf

B
barayapaten

Web Application Penetration Testing (pengujian penetrasi aplikasi web) adalah proses simulasi serangan siber dunia nyata pada aplikasi web Anda untuk mengidentifikasi dan mengatasi kerentanannya. Dalam pengujian ini, para ahli keamanan siber memeriksa aplikasi web, situs web, atau layanan web untuk menemukan ancaman potensial yang dapat dieksploitasi oleh penjahat siber 123. Berikut adalah langkah-langkah umum dalam melakukan pengujian penetrasi aplikasi web: Pahami Tujuan: Tentukan tujuan pengujian. Apakah Anda ingin mengidentifikasi kerentanan, menguji keamanan aplikasi, atau mengevaluasi kepatuhan terhadap standar keamanan tertentu? Identifikasi Target: Pilih aplikasi web yang akan diuji. Pastikan Anda memiliki izin dari pemilik aplikasi sebelum memulai pengujian. Informasi Awal: Kumpulkan informasi tentang aplikasi web, termasuk arsitektur, teknologi yang digunakan, dan alamat URL. Analisis Keamanan: Lakukan analisis keamanan dengan mengidentifikasi kerentanan potensial seperti SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), dan lainnya. Uji Manual: Lakukan pengujian manual dengan mengikuti skenario serangan yang mungkin dilakukan oleh penyerang. Ini melibatkan eksplorasi aplikasi, mengirim permintaan palsu, dan memeriksa tanggapan. Uji Otomatis: Gunakan alat otomatis untuk mengidentifikasi kerentanan secara lebih efisien. Beberapa alat populer termasuk OWASP ZAP, Burp Suite, dan Nessus. Laporan Hasil: Setelah selesai, buat laporan yang berisi temuan kerentanan, tingkat keparahan, dan rekomendasi perbaikan. Ingatlah bahwa pengujian penetrasi aplikasi web sangat penting untuk melindungi aplikasi Anda dari ancaman siber.

Education
1 of 25
Download to read offline
Web Penetration Testing
What is a Website How to hack a Website? DNS server Facebook.com 195.44.2.1 Html Website ● Computer with OS and some servers. ● Apache, MySQL ...etc ● Contains web application. ● PHP, Python ...etc ● Web application is executed here and not on the client’s machine 195.44.2.1
What is a Website ● An application installed on a computer . → web application pentesting ● Computer uses an OS + other applications → server side attacks. ● Managed by humans → client side attacks. How to hack a Website?
Information Gathering ● IP address. ● Domain name info. ● Technologies used. ● Other websites on the same server. ● DNS records. ● Unlisted files, sub-domains, directories.
1. Whois Lookup - Find info about the owner of the target. → http://whois.domaintools.com/ 2. Netcraft Site Report - Shows technologies used on the target. → http://toolbar.netcraft.com/site_report?url= 3. Robtex DNS lookup - Shows comprehensive info about the target website. → https://www.robtex.com/ Information Gathering
● One server can serve a number of websites. ● Gaining access to one can help gaining access to others. To find websites on the same server: 1. Use Robtex DNS lookup under “names pointing to same IP”. 2. Using bing.com, search for ip: [target ip] Information Gathering Websites on the same server
Information Gathering ● Subdomain.target.com ● Ex: beta.facebook.com Knock can be used to find subdomains of target 1. Download it > git clone https://github.com/guelfoweb/knock.git 2. Navigate to knock.py. > ce knock/knock.py 3. Run it > python knock.py [target] Subdomains
Information Gathering ● Find files & directories in target website ● A tool called drib. > dirb [target] [wordlist] [options] For more info run > man dirb Files + Directories
Exploitation ● Simples type of vulnerabilities. ● Allow users to upload executable files such as php. Upload a php shell or backdoor, ex: weevly 1. Generate backdoor > weevly generate [passord] [file name] 2. Upload generated file. 3. Connect to it > weevly [url to file] [password] 4. Find out how to use weevly > help File Upload Vulns
Exploitation ● Allows an attacker to execute OS commands. ● Windows or linux commands. ● Can be used to get a reverse shell. ● Or upload any file using wget command. ● Code execution commands attached in the resources. Code Execution Vulns
Exploitation ● Allows an attacker read ANY file on the same server. ● Access files outside www directory. Local File Inclusion
Exploitation ● Similar to local file inclusion. ● But allows an attacker read ANY file from ANY server. ● Execute php files from other servers on the current server. ● Store php files on other servers as .txt Remote File Inclusion
Mitigation 1. File Upload Vulns - Only allow safe files to be uploaded. 2. Code Execution Vulns: ● Don’t use dangerous functions. ● Filter use input before execution. 3. File inclusion: ● Disable allow_url_fopen & allow_url_include. ● Use static file inclusion.
Exploitation - SQL Injection ● Most websites use a database to store data. ● Most data stored in it (usernames, passwords ..etc) ● Web application reads, updates and inserts data in the database. ● Interaction with DB done using SQL. What SQL ?
Exploitation - SQL Injection 1. They are everywhere. 2. Give access to the database → sensitive data. 3. Can be used to read local files outside www root. 4. Can be used to log in as admin and further exploit the system. 5. Can be used to upload files. Why are they so dangerous
Exploitation - SQL Injection ● Try to break the page. ● Using ‘and’, ‘order by’ or “ ‘ ”. ● Test text boxes and url parameters on the form http://target.com/page.php?something=something Discovering SQLi
Exploitation - SQL Injection ● Tool designed to exploit sql injections. ● Works with many db types, mysql, mssql ...etc. ● Can be used to perform everything we learned and more! > sqlmap --help > sqlmap -u [target url] SQLmap
Preventing SQLi ● Filters can be bypassed. ● Use black list of commands? Still can be bypassed ● Use whitelist? Same issue → Use parameterized statements, separate data from sql code.
Exploitation - XSS Vulns ● Allow an attacker to inject javascript code into the page. ● Code is executed when the page loads. ● Code is executed on the client machine not the server. Three main types: 1. Persistent/Stored XSS 2. Reflected XSS 3. DOM based XSS XSS - Cross Site Scripting vulns
Exploitation - XSS Vulns ● Try to inject javasript code into the pages. ● Test text boxes and url parameters on the form http://target.com/page.php?something=something Discovering XSS
Exploitation - XSS Vulns ● None persistent, not stored. ● Only work if the target visits a specially crafted URL ● EX http://target.com/page.php?something=<script>alert(“XSS”)</script> Reflected XSS
Exploitation - XSS Vulns ● Persistent, stored on the page or DB. ● The injected code is executed everytime the page is loaded. Stored XSS
Exploitation - XSS Vulns ● Run any javascript code. ● Beef framework can be used to hook targets. ● Inject Beef hook in vulnerable pages. ● Execute code from beef. Exploiting XSS
Preventing XSS Vulns ● Minimize the usage of user input on html. ● Escape any untrusted input before inserting it into the page. Char Result & → &amp; < → &lt; > → &gt; " → &quot; ' → &#x27; / → &#x2F; →https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Zed Attack Proxy ZAP ● Automatically find vulnerabilities in web applications. ● Free and easy to use. ● Can also be used for manual testing.

Recommended

Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardening
n|u - The Open Security Community
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
Vlad Savitsky
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
Bakry3
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 

Recommended

Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardening
n|u - The Open Security Community
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
Vlad Savitsky
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
Bakry3
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
Shaiffulnizam Mohamad
 
Mayhem malware
Mayhem malwareMayhem malware
Mayhem malware
Akash Deep
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
Felipe Prado
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
Vedran Krivokuca
 
"13 ways to run web applications on the Internet" Andrii Shumada
"13 ways to run web applications on the Internet" Andrii Shumada"13 ways to run web applications on the Internet" Andrii Shumada
"13 ways to run web applications on the Internet" Andrii Shumada
Fwdays
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
CNIT 124: Ch 8: Exploitation
CNIT 124: Ch 8: ExploitationCNIT 124: Ch 8: Exploitation
CNIT 124: Ch 8: Exploitation
Sam Bowne
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
egypt
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
Positive Hack Days
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
qqlan
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
Positive Hack Days
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
Royce Davis
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
Gerald Villorente
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
Gerald Villorente
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
shatrutrial44
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
ssuserec53e73
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
ssuserec53e73
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
misteraugie
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University of Engineering & Technology, Jamshoro
 

More Related Content

Similar to Web Application Penetration Testing.pdf

Mayhem malware
Mayhem malwareMayhem malware
Mayhem malware
Akash Deep
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
qqlan
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
shatrutrial44
 

Similar to Web Application Penetration Testing.pdf (20)

I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Mayhem malware
Mayhem malwareMayhem malware
Mayhem malware
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
 
"13 ways to run web applications on the Internet" Andrii Shumada
"13 ways to run web applications on the Internet" Andrii Shumada"13 ways to run web applications on the Internet" Andrii Shumada
"13 ways to run web applications on the Internet" Andrii Shumada
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
CNIT 124: Ch 8: Exploitation
CNIT 124: Ch 8: ExploitationCNIT 124: Ch 8: Exploitation
CNIT 124: Ch 8: Exploitation
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 

Recently uploaded

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
SanaAli374401
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Recently uploaded (20)

Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 

Web Application Penetration Testing.pdf

  • 2. What is a Website How to hack a Website? DNS server Facebook.com 195.44.2.1 Html Website ● Computer with OS and some servers. ● Apache, MySQL ...etc ● Contains web application. ● PHP, Python ...etc ● Web application is executed here and not on the client’s machine 195.44.2.1
  • 3. What is a Website ● An application installed on a computer . → web application pentesting ● Computer uses an OS + other applications → server side attacks. ● Managed by humans → client side attacks. How to hack a Website?
  • 4. Information Gathering ● IP address. ● Domain name info. ● Technologies used. ● Other websites on the same server. ● DNS records. ● Unlisted files, sub-domains, directories.
  • 5. 1. Whois Lookup - Find info about the owner of the target. → http://whois.domaintools.com/ 2. Netcraft Site Report - Shows technologies used on the target. → http://toolbar.netcraft.com/site_report?url= 3. Robtex DNS lookup - Shows comprehensive info about the target website. → https://www.robtex.com/ Information Gathering
  • 6. ● One server can serve a number of websites. ● Gaining access to one can help gaining access to others. To find websites on the same server: 1. Use Robtex DNS lookup under “names pointing to same IP”. 2. Using bing.com, search for ip: [target ip] Information Gathering Websites on the same server
  • 7. Information Gathering ● Subdomain.target.com ● Ex: beta.facebook.com Knock can be used to find subdomains of target 1. Download it > git clone https://github.com/guelfoweb/knock.git 2. Navigate to knock.py. > ce knock/knock.py 3. Run it > python knock.py [target] Subdomains
  • 8. Information Gathering ● Find files & directories in target website ● A tool called drib. > dirb [target] [wordlist] [options] For more info run > man dirb Files + Directories
  • 9. Exploitation ● Simples type of vulnerabilities. ● Allow users to upload executable files such as php. Upload a php shell or backdoor, ex: weevly 1. Generate backdoor > weevly generate [passord] [file name] 2. Upload generated file. 3. Connect to it > weevly [url to file] [password] 4. Find out how to use weevly > help File Upload Vulns
  • 10. Exploitation ● Allows an attacker to execute OS commands. ● Windows or linux commands. ● Can be used to get a reverse shell. ● Or upload any file using wget command. ● Code execution commands attached in the resources. Code Execution Vulns
  • 11. Exploitation ● Allows an attacker read ANY file on the same server. ● Access files outside www directory. Local File Inclusion
  • 12. Exploitation ● Similar to local file inclusion. ● But allows an attacker read ANY file from ANY server. ● Execute php files from other servers on the current server. ● Store php files on other servers as .txt Remote File Inclusion
  • 13. Mitigation 1. File Upload Vulns - Only allow safe files to be uploaded. 2. Code Execution Vulns: ● Don’t use dangerous functions. ● Filter use input before execution. 3. File inclusion: ● Disable allow_url_fopen & allow_url_include. ● Use static file inclusion.
  • 14. Exploitation - SQL Injection ● Most websites use a database to store data. ● Most data stored in it (usernames, passwords ..etc) ● Web application reads, updates and inserts data in the database. ● Interaction with DB done using SQL. What SQL ?
  • 15. Exploitation - SQL Injection 1. They are everywhere. 2. Give access to the database → sensitive data. 3. Can be used to read local files outside www root. 4. Can be used to log in as admin and further exploit the system. 5. Can be used to upload files. Why are they so dangerous
  • 16. Exploitation - SQL Injection ● Try to break the page. ● Using ‘and’, ‘order by’ or “ ‘ ”. ● Test text boxes and url parameters on the form http://target.com/page.php?something=something Discovering SQLi
  • 17. Exploitation - SQL Injection ● Tool designed to exploit sql injections. ● Works with many db types, mysql, mssql ...etc. ● Can be used to perform everything we learned and more! > sqlmap --help > sqlmap -u [target url] SQLmap
  • 18. Preventing SQLi ● Filters can be bypassed. ● Use black list of commands? Still can be bypassed ● Use whitelist? Same issue → Use parameterized statements, separate data from sql code.
  • 19. Exploitation - XSS Vulns ● Allow an attacker to inject javascript code into the page. ● Code is executed when the page loads. ● Code is executed on the client machine not the server. Three main types: 1. Persistent/Stored XSS 2. Reflected XSS 3. DOM based XSS XSS - Cross Site Scripting vulns
  • 20. Exploitation - XSS Vulns ● Try to inject javasript code into the pages. ● Test text boxes and url parameters on the form http://target.com/page.php?something=something Discovering XSS
  • 21. Exploitation - XSS Vulns ● None persistent, not stored. ● Only work if the target visits a specially crafted URL ● EX http://target.com/page.php?something=<script>alert(“XSS”)</script> Reflected XSS
  • 22. Exploitation - XSS Vulns ● Persistent, stored on the page or DB. ● The injected code is executed everytime the page is loaded. Stored XSS
  • 23. Exploitation - XSS Vulns ● Run any javascript code. ● Beef framework can be used to hook targets. ● Inject Beef hook in vulnerable pages. ● Execute code from beef. Exploiting XSS
  • 24. Preventing XSS Vulns ● Minimize the usage of user input on html. ● Escape any untrusted input before inserting it into the page. Char Result & → &amp; < → &lt; > → &gt; " → &quot; ' → &#x27; / → &#x2F; →https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • 25. Zed Attack Proxy ZAP ● Automatically find vulnerabilities in web applications. ● Free and easy to use. ● Can also be used for manual testing.