The Tools of A Web Application Penetration Tester Chuck Ben-Tzur CISSP, CISM, CRISC, PMP October 10, 2019 SecTor 2019


Page 1

The Tools of A Web Application Penetration Tester

Chuck Ben-Tzur CISSP, CISM, CRISC, PMP

October 10, 2019

SecTor 2019

Page 2

Introduction

• A little about me…

• Provide an overview of some free and available tools that can be used during a web application penetration test.

• Will be using the following:

• Custom PHP web application (www.dardaleh.com)

• Kali Linux (tools are NOT part of the distribution!)

• NOT Metasploit…

Page 3

Disclaimer

• The views and opinions expressed in this session are based on MY experience and testing methodology when using these tools.

• If you disagree, it is likely because…

• You worked on different applications/environment/technology stacks

• You used different testing methodology (different goals, approach)

• You used the tools wrong

Page 4

Web Application Testing (diagram: User/Client Side and Server/System Side, with INPUT and OUTPUT between them)

Page 5

Penetration Test and OWASP top 10

OWASP top 10

• A1 - Injection

• A2 - Broken Authentication

• A3 - Sensitive Data Exposure

• A4 - XML External Entities (XXE)

• A5 - Broken Access Control

• A6 - Security Misconfiguration

• A7 - Cross-Site Scripting (XSS)

• A8 - Insecure Deserialization

• A9 - Using Components with Known Vulnerabilities

• A10 - Insufficient Logging & Monitoring

Penetration test phases: Reconnaissance, Enumeration, Vulnerability Analysis, Exploitation, Reporting

Page 6

Arachni

• A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.

• It is free, with its source code public and available for review.

source: https://www.arachni-scanner.com

Page 7

Demo #1 (Arachni)

Page 8

Developer Tools

• Chrome DevTools is a set of web developer tools built directly into the Google Chrome browser.

• DevTools can help you edit pages on-the-fly and diagnose problems quickly, which ultimately helps you build better websites, faster.

source: https://developers.google.com/web/tools/chrome-devtools

Page 9

Demo #2 (Dev Tools)

Page 10

OWASP ZAP

• OWASP (Open Web Application Security Project) ZAP (Zed Attack Proxy) is an open-source web application security scanner.

• When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

source: https://en.wikipedia.org/wiki/OWASP_ZAP

Page 11

Demo #3 (ZAP Proxy)

Page 12

SecLists

• SecLists is a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

source: https://github.com/danielmiessler/SecLists

Page 13

SecLists (cont.)

Page 14

SQLmap

• A penetration testing tool that automates the process of detecting and exploiting SQL injection flaws, providing its user interface in the terminal.

• In addition to mapping and detecting vulnerabilities, the software enables access to the database, editing and deleting data, and viewing data in tables.

source: https://en.wikipedia.org/wiki/Sqlmap

• Uses local storage to create a cache of the collected information.

Page 15

Demo #4 (SQLmap)

Page 16

BeEF

• BeEF (Browser Exploitation Framework).

• It is a penetration testing tool that focuses on the web browser.

source: https://beefproject.com/

Page 17

Demo #5 (BeEF)

Page 18

Things to Consider (Pros)

• Perfect for training and one-time projects

• If running multiple tools - allows for results comparison

• Usually very small footprint (or ability to run without install)

• Most tools provide APIs and can be easily integrated with Continuous Integration activities – great security value.

• Usually extensible – allowing other users to add/enhance functionality

• You can contribute directly and affect the product direction/functionality

• Can’t beat the price!
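The Continuous Integration point above in practice, as an added example that is not part of the talk: a small Python build gate that consumes the alert list a scanner API returns (the field names `alert`, `risk`, `confidence`, `url`, `param` are assumed from ZAP's JSON API; the sample alerts are constructed) and fails the job when findings exceed a policy.

```python
"""CI gate over web-scanner findings (added example, not from the talk).

Assumes alerts in the shape ZAP's JSON API returns (keys alert, risk,
confidence, url, param). The sample below is constructed, not real output.
"""
import json
from collections import Counter

# Constructed sample: what a scan of a staging host might return.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "https://staging.example.test/item.php", "param": "id"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "https://staging.example.test/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Medium", "confidence": "High",
     "url": "https://staging.example.test/login.php", "param": "PHPSESSID"},
    {"alert": "Cookie Without Secure Flag", "risk": "Medium", "confidence": "High",
     "url": "https://staging.example.test/login.php", "param": "PHPSESSID"},
]})

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def dedupe(alerts):
    """Scanners repeat a finding per request; keep one per (alert, url, param)."""
    seen = {}
    for a in alerts:
        seen.setdefault((a["alert"], a["url"], a.get("param", "")), a)
    return list(seen.values())


def summarize(alerts_json):
    """Count de-duplicated findings per risk level (for the job log)."""
    return Counter(a["risk"] for a in dedupe(json.loads(alerts_json)["alerts"]))


def gate(alerts_json, fail_at="Medium", max_allowed=0):
    """Pass only if findings at or above fail_at do not exceed max_allowed.
    Returns (passed, offending) so the pipeline can list what needs triage."""
    alerts = dedupe(json.loads(alerts_json)["alerts"])
    threshold = RISK_ORDER[fail_at]
    offending = [a for a in alerts if RISK_ORDER.get(a["risk"], 0) >= threshold]
    return len(offending) <= max_allowed, offending


if __name__ == "__main__":
    ok, hits = gate(SAMPLE_ALERTS_JSON)
    for a in hits:
        print(f"{a['risk']:<6} {a['alert']} at {a['url']} (param={a['param'] or '-'})")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```

Findings that fail the gate still need the manual false-positive check the talk's final slide describes before anyone treats them as real.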

Page 19

Things to Consider (Cons)

• No official ownership and support

• Little quality assurance (bugs, vulnerabilities) and response time

• No guarantee of regular updates (or may be completely abandoned)

• A little harder to use (e.g. library dependencies, command lines, somewhat limited platforms)

• Limited reporting capabilities (e.g. customized reports)

• Malicious users and hackers have access to these too…

Page 20

Final Thoughts

• These are tools to complement the follow-up (and manual) work:

• Elimination of False Positive findings (there is no SQL injection if there is no Database!)

• Actual penetration test (following up on the “low hanging fruits”)

• Perform threat modeling, assigning risks and reporting

• There are MORE tools out there (e.g. w3af, Nikto)

• Most tools will do more than one thing (scanning, exploiting, built-in payloads)

• There are some good commercial tools out there (free versions, supported, User Interface)

• Special thanks to Erich Samuel for his input…

Page 21

Thank You

[email protected]