Web Application Penetration Testing setup
A guide to setting up a basic Web Application PenTesting lab environment.
Octogence Tech Solutions
http://octogence.com/
Web Application Penetration Testing setup
This guide provides a quick introduction to conducting a web application penetration test (WAPT)
with a basic lab setup. It is not a comprehensive course and should be used only as a basic
tutorial. The tools and technologies mentioned in this guide are open source or freeware.
Legal Issues: Before conducting any kind of testing or assessment, obtain written permission from
the owner of the application. A common mistake while performing a web application pentest is to
also test the host running the application without the permission of the owner of the hosting
system: authorisation to test an application does not extend to the server, the network or a
third-party hosting provider behind it unless the agreement says so. Do not conduct any kind of
test without the explicit permission of the owner.
Web applications are complex pieces of software, and so is their security. With technologies
constantly changing and new ones frequently introduced, vulnerabilities and attack vectors also
increase day by day. Comprehensive testing that follows a hybrid approach (automated scanning
combined with manual testing) is a must to identify vulnerabilities rooted deep in the application.
Let's go ahead and understand how to set up an environment and use it to perform a WAPT.
H/W Requirements: A machine with a minimum of 2 GB RAM and a 2.0+ GHz processor would be
good. A network card for network connectivity is also required.
S/W Requirements: .NET, Java, Python (2.7), Perl, a virtualization environment (VirtualBox,
VMware Player)
Tools of the trade:
OS: Windows/Mac/Linux
Browsers: Internet Explorer, Firefox, Chrome
Application Proxy/Scanner: Burp Suite Free, ZAP, IronWASP, SQLMap, SSLScan, Nikto,
Netsparker Community
Hosting Environment: XAMPP, IIS
Miscellaneous: Notepad++, Greenshot, browser extensions
To start with the basics, first we need a base OS; we will be using Windows 7 for ease of use
and software compatibility.
*PenTesting distros such as Kali Linux and Samurai WTF are available for performing security assessments, but as they
contain a huge list of tools and scripts, people starting out in this domain find it difficult to go straight to them and
learn. Once you are comfortable with this setup it would definitely be a good option to move to them. If desired, a
virtual machine can be used alongside the base OS; running the tools and the locally hosted target application inside
a VM also keeps them isolated from your day-to-day system.
Let's set up our base environment:
• Install Firefox and Chrome (IE is already installed). We need all three browsers as
they use different engines and behave slightly differently in the way they handle
applications.
• Download and install Java, Python (2.7), Perl and .NET
• Download and install the XAMPP server and IIS services.
Next come the tools required for testing:
• Download and install Burp Suite Free (Java required), ZAP (Java required) and
Netsparker Community (.NET 4 required)
• Download and extract SQLMap (Python required), SSLScan and Nikto (Perl
required)
Last but not least, some miscellaneous tools:
• Download and install Notepad++ and Greenshot
• Install browser extensions: FoxyProxy, Wappalyzer, Shodan
Our environment is set up and now we can move forward.
Our first step is to configure and check connectivity to the target application.
• If the test environment is already hosted, we can simply open the
application through its URL and check accessibility.
• Otherwise, if the source code is provided, we can deploy the application in our local
server environment (XAMPP/IIS) and check that it works.
• Once accessibility is verified, we need to check that the credentials provided
(gray-box testing) work. We can also create test accounts if the
application provides such functionality.
Now that the application is accessible, our first job is information gathering.
• Use the Wappalyzer add-on to identify the technologies in use.
• Use Google dorks to identify sensitive paths and files (e.g. site:example.com
filetype:swf).
• Use PunkSpider to find previously known vulnerabilities.
• Identify open ports and banners using the Shodan add-on.
• Identify core functionalities (e.g. credit card payment).
The Google, PunkSpider and Shodan lookups are passive: they query third-party indexes rather than
the target itself, so they show what an attacker can learn without sending the application a single
request.
Figure 1. Wappalyzer Result
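To see what a result like Figure 1 rests on, here is an added example (not part of the original guide or any Octogence tooling) that performs the same kind of passive inference in Python: it reads the Server and X-Powered-By headers, session cookie names and a few HTML hints from a captured response. The signature lists are illustrative rather than exhaustive, and the two responses it runs on are constructed for the example.

```python
"""Passive technology fingerprinting from a captured HTTP response.

Added example, not part of the original guide: the inference a browser
add-on such as Wappalyzer makes from headers, cookie names and HTML.
Signature lists are illustrative; the sample responses are constructed.
"""
import re
from dataclasses import dataclass, field

# (header name, pattern on the value, technology it indicates)
HEADER_SIGNATURES = [
    ("server", re.compile(r"apache", re.I), "Apache"),
    ("server", re.compile(r"nginx", re.I), "Nginx"),
    ("server", re.compile(r"microsoft-iis", re.I), "IIS"),
    ("x-powered-by", re.compile(r"php", re.I), "PHP"),
    ("x-powered-by", re.compile(r"asp\.net", re.I), "ASP.NET"),
    ("x-aspnet-version", re.compile(r"."), "ASP.NET"),
]

# Session cookie names give the platform away even when the headers above
# have been stripped by a hardening guide or a reverse proxy.
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java",
}

# Hints in the HTML body.
BODY_SIGNATURES = [
    (re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress', re.I), "WordPress"),
    (re.compile(r"/wp-content/", re.I), "WordPress"),
    (re.compile(r"jquery[-.\d]*(?:\.min)?\.js", re.I), "jQuery"),
]

# "Apache/2.4.7 (Ubuntu)" -> 2.4.7; a bare "4.0.30319" is accepted too.
VERSION_RE = re.compile(r"(?:^|/)(\d[\d.]*)")


@dataclass
class Fingerprint:
    technologies: set = field(default_factory=set)
    versions: dict = field(default_factory=dict)


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, headers, body).
    Header names are lower-cased; repeated headers (several Set-Cookie
    lines, for instance) are kept as a list of values."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(raw_response: str) -> Fingerprint:
    """Infer server-side and client-side technologies from one response."""
    fp = Fingerprint()
    _, headers, body = parse_response(raw_response)
    for hdr, pattern, tech in HEADER_SIGNATURES:
        for value in headers.get(hdr, []):
            if pattern.search(value):
                fp.technologies.add(tech)
                m = VERSION_RE.search(value)
                if m and tech not in fp.versions:
                    fp.versions[tech] = m.group(1)
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_SIGNATURES:
            fp.technologies.add(COOKIE_SIGNATURES[name])
    for pattern, tech in BODY_SIGNATURES:
        if pattern.search(body):
            fp.technologies.add(tech)
    return fp


# Constructed sample responses (not captured from any real host).
SAMPLE_PHP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Set-Cookie: PHPSESSID=3f1e2a; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 4.1" />'
    '<script src="/wp-includes/js/jquery/jquery.js"></script></head></html>'
)
SAMPLE_ASPNET = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("PHP stack", SAMPLE_PHP), ("ASP.NET stack", SAMPLE_ASPNET)):
        fp = fingerprint(sample)
        print(f"{label}: {sorted(fp.technologies)} {fp.versions}")
```

Treat the output as a hint, not proof: Server and X-Powered-By headers can be stripped or faked, and a reverse proxy reports itself rather than the application server behind it, which is why the cookie and body signals are checked as well.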
After this we can run an automated scan on the application.
• To scan the application we will be using Netsparker Community. There are many
commercial options for this, such as IBM AppScan, Netsparker
Commercial, HP WebInspect etc.
• In Netsparker we provide the URL of the application to be tested and start
the scan.
• Some advanced features present in the commercial version allow providing
credentials and cookies, generating reports, etc.
Figure 2. Netsparker Community
Note down the details of the vulnerabilities discovered.
• Use Notepad++ for notes and Greenshot for screenshots (if required).
• The main components of a vulnerability record are (as applicable to the
vulnerability): vulnerability name and description, URL, parameter, payload,
steps to reproduce, HTTP request, HTTP response and mitigation.
There are also many open source and free tools available for WAPT.
• To identify issues related to the web server, use Nikto.
• For applications using SSL/TLS, use SSLScan or the Qualys SSL Labs server test.
• To test for SQL injection vulnerabilities, use SQLMap. Keep its --level and --risk
settings conservative on a live target: the higher risk levels include payloads that can
modify data.
Figure 3. Qualys SSL Labs
Now comes the turn of manual testing.
• Though an automated scan provides broad coverage, manual testing is
a must to identify business logic flaws and newly discovered attack vectors.
• To perform a manual assessment we require an application-level proxy. For this we
have multiple options such as Burp Suite, OWASP ZAP, IronWASP, Charles etc.
• As these are application proxies, they run a listener on the local system. For
example, Burp Suite listens on 127.0.0.1:8080 by default. We can use the
FoxyProxy add-on to create profiles for Burp Suite and ZAP for easy switching. For
HTTPS targets the browser must also trust the proxy's CA certificate, otherwise every
intercepted connection raises a certificate warning.
• Once the tools are running and the proxy is configured in the browser, we can
open the application in the browser and see the raw request and response in the
tool.
• Now that the URL is listed in the target section (Burp Suite/ZAP), we can
spider it, run scans on it and perform various manual tests to identify
vulnerabilities, as well as validate the issues discovered in the automated scan. The
information gathered initially is very helpful here.
Figure 4. Burp Suite configured in browser
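What the tester does once the raw request is visible in the proxy is edit it and replay it. The following added example (not from the original guide) implements that step in Python: parse a captured request, change one parameter where it actually lives, and rebuild the request with a correct Content-Length. The checkout request and the host shop.example.com are constructed placeholders; tamper_price applies the price tampering case from the business logic list below to that request.

```python
"""Parse, edit and re-serialise a raw HTTP request.

Added example, not part of the original guide: the step a tester performs
by hand in Burp Repeater or ZAP's request editor. Recomputing Content-Length
after the body changes is the detail that breaks hand-edited requests.
Sample requests are constructed; shop.example.com is a placeholder host.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FORM = "application/x-www-form-urlencoded"


class RawRequest:
    def __init__(self, method, target, version, headers, body):
        self.method = method
        self.target = target      # request-target exactly as seen on the wire
        self.version = version
        self.headers = headers    # list of (name, value); order is preserved
        self.body = body          # bytes

    @classmethod
    def parse(cls, raw: bytes) -> "RawRequest":
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("no CRLFCRLF separator between headers and body")
        lines = head.decode("iso-8859-1").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        return cls(method, target, version, headers, body)

    def header(self, name):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def set_header(self, name, value):
        for i, (n, _) in enumerate(self.headers):
            if n.lower() == name.lower():
                self.headers[i] = (n, value)
                return
        self.headers.append((name, value))

    def _is_form(self):
        ctype = (self.header("Content-Type") or "").split(";")[0].strip().lower()
        return ctype == FORM

    def params(self) -> dict:
        """Parameters from the query string plus, for form posts, the body."""
        found = dict(parse_qsl(urlsplit(self.target).query, keep_blank_values=True))
        if self._is_form():
            found.update(parse_qsl(self.body.decode("iso-8859-1"), keep_blank_values=True))
        return found

    def set_param(self, name, value):
        """Change (or add) a parameter where it lives: body for form posts, else query."""
        if self._is_form():
            pairs = _replace(parse_qsl(self.body.decode("iso-8859-1"), keep_blank_values=True), name, value)
            self.body = urlencode(pairs).encode("iso-8859-1")
            self.set_header("Content-Length", str(len(self.body)))  # must match the new body
        else:
            parts = urlsplit(self.target)
            pairs = _replace(parse_qsl(parts.query, keep_blank_values=True), name, value)
            self.target = urlunsplit(parts._replace(query=urlencode(pairs)))

    def serialize(self) -> bytes:
        head = f"{self.method} {self.target} {self.version}\r\n"
        head += "".join(f"{n}: {v}\r\n" for n, v in self.headers)
        return head.encode("iso-8859-1") + b"\r\n" + self.body


def _replace(pairs, name, value):
    """Replace every occurrence of `name` in ordered (name, value) pairs, or append it."""
    if not any(n == name for n, _ in pairs):
        return pairs + [(name, value)]
    return [(n, value if n == name else v) for n, v in pairs]


# Constructed: a checkout request as the proxy would show it.
SAMPLE_POST = (
    b"POST /cart/checkout HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"Cookie: PHPSESSID=3f1e2a\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"item=book&qty=2&price=100"
)


def tamper_price(raw: bytes, new_price: str) -> bytes:
    """The price-tampering test case: resend checkout with a client-chosen price."""
    req = RawRequest.parse(raw)
    req.set_param("price", new_price)
    return req.serialize()


if __name__ == "__main__":
    print(tamper_price(SAMPLE_POST, "1").decode("iso-8859-1"))
```

The rebuilt bytes can be pasted into Repeater or sent to the target over a plain socket; either way the proxy history stays the record of what was sent. Content-Length is recomputed because a request whose header disagrees with its body is rejected or truncated by the server, so a hand-edited request that "does nothing" is often just malformed.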
Once the testing is complete we come to the last but important part: reporting.
• The report is the end product. Clients see only the result, not the effort, so the
report needs to state clearly what issues have been identified.
• The report should contain details such as the description of the vulnerability,
technical details, steps to reproduce, proof of concept and, especially, mitigation. Note
that the evidence (raw requests, responses, screenshots) often carries the tester's live
session cookies or credentials; strip those before the report leaves your hands, and treat
the report itself as sensitive material.
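The note-taking fields listed above and the report contents are the same record at two stages. The following added example (not part of the original guide) implements that record in Python: it refuses to render a finding that lacks the required fields, orders findings by severity, and redacts session cookies, Authorization headers and password parameters from the request and response evidence before they reach the report. The findings and HTTP messages are constructed; shop.example.com is a placeholder host.

```python
"""Record a finding and render it for the report with secrets redacted.

Added example, not part of the original guide. It implements the record the
guide lists (name, description, URL, parameter, payload, steps, request,
response, mitigation) plus the check a reviewer wants before the report
ships: evidence must not carry the tester's session cookie or credentials.
Findings and HTTP messages are constructed; shop.example.com is a placeholder.
"""
import re
from dataclasses import dataclass, field

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

# Header values that are secrets: keep the header name, drop the value.
SECRET_HEADERS = re.compile(
    r"^(?P<name>Cookie|Set-Cookie|Authorization|Proxy-Authorization):[ \t]*[^\r\n]*",
    re.IGNORECASE | re.MULTILINE,
)
# Credential-looking parameters in bodies and query strings.
SECRET_PARAMS = re.compile(r"(?P<key>\b(?:password|passwd|pwd|token|secret)=)[^&\s]*", re.IGNORECASE)


def redact(http_message: str) -> str:
    """Blank out secret header values and credential parameters in a raw HTTP message."""
    msg = SECRET_HEADERS.sub(lambda m: f"{m.group('name')}: [REDACTED]", http_message)
    return SECRET_PARAMS.sub(lambda m: f"{m.group('key')}[REDACTED]", msg)


@dataclass
class Finding:
    name: str
    severity: str
    description: str
    url: str
    mitigation: str
    parameter: str = ""
    payload: str = ""
    steps: list = field(default_factory=list)
    request: str = ""
    response: str = ""

    def validate(self) -> list:
        """Problems that must be fixed before this finding can be reported."""
        problems = []
        if self.severity not in SEVERITIES:
            problems.append(f"unknown severity {self.severity!r}")
        for fld in ("name", "description", "url", "mitigation"):
            if not getattr(self, fld).strip():
                problems.append(f"missing {fld}")
        if not self.steps and not self.request:
            problems.append("no steps to reproduce and no request evidence")
        return problems

    def render(self) -> str:
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        lines = [f"{self.name} [{self.severity}]", "", f"URL: {self.url}"]
        if self.parameter:
            lines.append(f"Parameter: {self.parameter}")
        if self.payload:
            lines.append(f"Payload: {self.payload}")
        lines += ["", "Description:", self.description]
        if self.steps:
            lines += ["", "Steps to reproduce:"] + [f"{i}. {s}" for i, s in enumerate(self.steps, 1)]
        for label, text in (("Request", self.request), ("Response", self.response)):
            if text:
                lines += ["", f"{label}:", redact(text)]  # evidence, secrets removed
        lines += ["", "Mitigation:", self.mitigation]
        return "\n".join(lines)


def render_report(findings) -> str:
    """All findings, most severe first, separated by a rule."""
    ordered = sorted(findings, key=lambda f: SEVERITIES.index(f.severity))
    return "\n\n---\n\n".join(f.render() for f in ordered)


# Constructed evidence: a login request carrying a session cookie, a basic-auth
# header and a password, as the proxy would show it.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\n"
    "Host: shop.example.com\n"
    "Cookie: PHPSESSID=3f1e2a9c\n"
    "Authorization: Basic dGVzdGVyOlBAc3N3MHJk\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "username=tester&password=P%40ssw0rd&remember=1"
)

SAMPLE_FINDINGS = [
    Finding(name="Reflected Cross-Site Scripting", severity="Medium",
            description="The search term is written into the page without HTML encoding.",
            url="https://shop.example.com/search", parameter="q",
            payload='"><script>alert(document.domain)</script>',
            steps=["Open /search", "Submit the payload in the q parameter", "Observe the script run"],
            request="GET /search?q=%22%3E%3Cscript%3E HTTP/1.1\nHost: shop.example.com\nCookie: PHPSESSID=3f1e2a9c\n",
            mitigation="HTML-encode the search term on output."),
    Finding(name="Price Tampering", severity="High",
            description="The unit price is taken from the client-supplied form field.",
            url="https://shop.example.com/cart/checkout", parameter="price", payload="price=1",
            request="POST /cart/checkout HTTP/1.1\nHost: shop.example.com\nCookie: PHPSESSID=3f1e2a9c\n\nitem=book&qty=2&price=1",
            mitigation="Look the price up server-side by item id and ignore the submitted value."),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Redaction is applied at render time rather than when the evidence is captured, so the tester's working notes keep the full request needed to reproduce the issue while the deliverable does not.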
Things to keep in mind while performing a web application pentest:
• Perform test cases which might block access (e.g. login brute force, which can lock out
accounts) at the end.
• When performing an automated scan, check the number of threads to avoid a DoS-like
situation.
• Inform the client at once if a critical vulnerability is identified.
Some common web application vulnerabilities:
• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (CSRF)
• Business logic issues (e.g. price tampering, multiple coupon usage, negative
balance transfer etc.)
Resources:
• Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Main_Page
• OWASP Testing Guide v4
https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
• Web Application Security Consortium
http://www.webappsec.org/
• SecDocs
http://www.secdocs.org/
• WordPress Vulnerability Database
https://wpvulndb.com/
About Octogence Tech Solutions
Octogence is an information security service provider that focuses on business-centric
security assessment. Our aim is to help organizations be more secure in cyberspace so
that they can stop worrying about data breaches and focus on their business. Our highly
qualified, experienced and motivated team aims to provide our clients the service and quality
they expect. We have the expertise as well as the flexibility to provide customized solutions
depending on client requirements.
Our Services:
• Web Application Pentesting
• Mobile Application Pentesting
• Network Pentesting
Some companies in which our team has previously discovered vulnerabilities:
Some products we have helped to be more secure:
For any information and support contact:
• Chandan Agarwal, Sales Executive, +91-9971773414, chandan@octogence.com
• Sudhanshu Chauhan, Principal Consultant, +91-9971658929, sudhanshu@octogence.com
*Each logo is the trademark property of its respective owner(s). They appear only for representative and
illustrative purposes and do not reflect affiliation.

More Related Content

What's hot

Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma   sonAçık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma   son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma sonBGA Cyber Security
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Moving From Actions & Behaviors to Microservices
Moving From Actions & Behaviors to MicroservicesMoving From Actions & Behaviors to Microservices
Moving From Actions & Behaviors to MicroservicesJeff Potts
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017Amazon Web Services Korea
 
Introduction to ibm cloud paks concept license and minimum config public
Introduction to ibm cloud paks concept license and minimum config publicIntroduction to ibm cloud paks concept license and minimum config public
Introduction to ibm cloud paks concept license and minimum config publicPetchpaitoon Krungwong
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Apache Jackrabbit Oak - Scale your content repository to the cloud
Apache Jackrabbit Oak - Scale your content repository to the cloudApache Jackrabbit Oak - Scale your content repository to the cloud
Apache Jackrabbit Oak - Scale your content repository to the cloudRobert Munteanu
 
MQ Support for z/OS Connect
MQ Support for z/OS ConnectMQ Support for z/OS Connect
MQ Support for z/OS ConnectMatt Leming
 
Testing web services
Testing web servicesTesting web services
Testing web servicesTaras Lytvyn
 
XML-RPC (XML Remote Procedure Call)
XML-RPC (XML Remote Procedure Call)XML-RPC (XML Remote Procedure Call)
XML-RPC (XML Remote Procedure Call)Peter R. Egli
 
Alphorm.com Formation Analyse de Malware 2/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 2/2 : Le guide completAlphorm.com Formation Analyse de Malware 2/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 2/2 : Le guide completAlphorm
 
Oracle forms Lesson 15 debuging triggers
Oracle forms Lesson 15  debuging triggersOracle forms Lesson 15  debuging triggers
Oracle forms Lesson 15 debuging triggersKAMA3
 
TCP/IP Ağlarda İleri Seviye Paket Analizi – Tshark
TCP/IP Ağlarda İleri Seviye Paket Analizi – TsharkTCP/IP Ağlarda İleri Seviye Paket Analizi – Tshark
TCP/IP Ağlarda İleri Seviye Paket Analizi – TsharkBGA Cyber Security
 

What's hot (20)

Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma   sonAçık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma   son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
 
Log4j in 8 slides
Log4j in 8 slidesLog4j in 8 slides
Log4j in 8 slides
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Moving From Actions & Behaviors to Microservices
Moving From Actions & Behaviors to MicroservicesMoving From Actions & Behaviors to Microservices
Moving From Actions & Behaviors to Microservices
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Continuous monitoring with OSSIM
Continuous monitoring with OSSIMContinuous monitoring with OSSIM
Continuous monitoring with OSSIM
 
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
 
Introduction to ibm cloud paks concept license and minimum config public
Introduction to ibm cloud paks concept license and minimum config publicIntroduction to ibm cloud paks concept license and minimum config public
Introduction to ibm cloud paks concept license and minimum config public
 
Security testing
Security testingSecurity testing
Security testing
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Apache Jackrabbit Oak - Scale your content repository to the cloud
Apache Jackrabbit Oak - Scale your content repository to the cloudApache Jackrabbit Oak - Scale your content repository to the cloud
Apache Jackrabbit Oak - Scale your content repository to the cloud
 
MQ Support for z/OS Connect
MQ Support for z/OS ConnectMQ Support for z/OS Connect
MQ Support for z/OS Connect
 
Testing web services
Testing web servicesTesting web services
Testing web services
 
XML-RPC (XML Remote Procedure Call)
XML-RPC (XML Remote Procedure Call)XML-RPC (XML Remote Procedure Call)
XML-RPC (XML Remote Procedure Call)
 
Alphorm.com Formation Analyse de Malware 2/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 2/2 : Le guide completAlphorm.com Formation Analyse de Malware 2/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 2/2 : Le guide complet
 
Oracle forms Lesson 15 debuging triggers
Oracle forms Lesson 15  debuging triggersOracle forms Lesson 15  debuging triggers
Oracle forms Lesson 15 debuging triggers
 
TCP/IP Ağlarda İleri Seviye Paket Analizi – Tshark
TCP/IP Ağlarda İleri Seviye Paket Analizi – TsharkTCP/IP Ağlarda İleri Seviye Paket Analizi – Tshark
TCP/IP Ağlarda İleri Seviye Paket Analizi – Tshark
 

Viewers also liked

Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT)Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT)festival ICT 2016
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...Falgun Rathod
 
How to Use Open Source Intelligence (OSINT) in Investigations
How to Use Open Source Intelligence (OSINT) in InvestigationsHow to Use Open Source Intelligence (OSINT) in Investigations
How to Use Open Source Intelligence (OSINT) in InvestigationsCase IQ
 

Viewers also liked (7)

Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
OSINT - Open Source Intelligence
OSINT - Open Source IntelligenceOSINT - Open Source Intelligence
OSINT - Open Source Intelligence
 
Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT)Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT)
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
 
How to Use Open Source Intelligence (OSINT) in Investigations
How to Use Open Source Intelligence (OSINT) in InvestigationsHow to Use Open Source Intelligence (OSINT) in Investigations
How to Use Open Source Intelligence (OSINT) in Investigations
 

Similar to Web application penetration testing lab setup guide

sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
Securing web applications
Securing web applicationsSecuring web applications
Securing web applicationsSupreme O
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Google Hacking Lab ClassNameDate This is an introducti.docx
Google Hacking Lab ClassNameDate This is an introducti.docxGoogle Hacking Lab ClassNameDate This is an introducti.docx
Google Hacking Lab ClassNameDate This is an introducti.docxwhittemorelucilla
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPamela Wright
 
Web Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and PreventionWeb Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and Preventionn|u - The Open Security Community
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoAmazon Web Services
 
DevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryDevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryMikhail Prudnikov
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaChristian Heilmann
 

Similar to Web application penetration testing lab setup guide (20)

Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Project Presentation
Project Presentation Project Presentation
Project Presentation
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
Securing web applications
Securing web applicationsSecuring web applications
Securing web applications
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Internship msc cs
Internship msc csInternship msc cs
Internship msc cs
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Google Hacking Lab ClassNameDate This is an introducti.docx
Google Hacking Lab ClassNameDate This is an introducti.docxGoogle Hacking Lab ClassNameDate This is an introducti.docx
Google Hacking Lab ClassNameDate This is an introducti.docx
 
Qa process
Qa processQa process
Qa process
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Web Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and PreventionWeb Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and Prevention
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - Toronto
 
DevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryDevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous Delivery
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World Romania
 

Recently uploaded

Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 

Recently uploaded (20)

Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
*Pentesting distributions such as Kali Linux and Samurai WTF are available for performing security assessments, but as they ship with a huge list of tools and scripts, people starting out in this domain find it difficult to go straight to them and learn. Once you are comfortable with this setup it would definitely be a good option to move to them. If desired, a virtual environment can be used alongside the base OS.
Let's set up our base environment:

- Install Firefox and Chrome (IE is already installed). We need all three browsers because they use different rendering engines and behave slightly differently in the way they handle applications.
- Download and install Java, Python (2.7), Perl and .NET. (This guide targets Python 2.7; current SQLMap releases also run on Python 3.)
- Download and install the XAMPP server and IIS services.

Now comes the turn of the tools required for testing:

- Download and install Burp Suite Free (Java required), ZAP (Java required) and Netsparker Community (.NET 4 required).
- Download and extract SQLMap (Python required), SSLScan and Nikto (Perl required).

Last but not least, some miscellaneous tools:

- Download and install Notepad++ and Greenshot.
- Install the browser extensions FoxyProxy, Wappalyzer and Shodan.

Our environment is set up and now we can move forward. Our first step is to configure and check connectivity to the target application.

- If the testing environment is already hosted, we can simply open the application through its URL and check accessibility.
- Otherwise, if the source code is provided, we can configure the application in our local server environment (XAMPP/IIS) and then check whether it works.
- Once accessibility is verified we need to check whether the credentials provided (gray box testing) work. We can also create test accounts if the application provides such functionality.

Now that the application is accessible, our first job is information gathering.

- Use the Wappalyzer add-on to identify the technologies in use.
- Use Google dorks to identify sensitive paths and files (e.g. site:example.com filetype:swf).
- Use PunkSpider to find previously known vulnerabilities.
- Identify open ports and service banners using the Shodan add-on. Shodan serves these from its own passive index, so this does not scan the host yourself, which matters given the permission note above.
- Identify core functionalities (e.g. credit card payment).
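The Wappalyzer step above is passive fingerprinting: it reads the Server and X-Powered-By headers, the session cookie name and generator tags in the HTML. As an added example (not part of the original guide and not Wappalyzer's own code), here is that matching done by hand in Python over a constructed HTTP response, so the logic is visible. The signature tables are a small illustrative subset assumed for the demo, not a complete database, and the sample response is constructed rather than captured from a real host.

```python
"""Passive technology fingerprinting from one HTTP response.

Added example, not code from the original guide and not Wappalyzer's own
logic: it performs the same kind of header, cookie and body signature
checks by hand so the matching is visible. The signature tables are a small
illustrative subset assumed for this demo, and the sample response below is
constructed, not captured from a real host.
"""
import http.client
import io
import re

# Header name -> [(regex with an optional version group, technology)]
HEADER_SIGNATURES = {
    "server": [
        (r"Apache(?:/([\d.]+))?", "Apache httpd"),
        (r"nginx(?:/([\d.]+))?", "nginx"),
        (r"Microsoft-IIS(?:/([\d.]+))?", "IIS"),
    ],
    "x-powered-by": [
        (r"PHP(?:/([\d.]+))?", "PHP"),
        (r"ASP\.NET", "ASP.NET"),
        (r"Express", "Express"),
    ],
    "x-aspnet-version": [(r"([\d.]+)", "ASP.NET")],
}

# The session cookie name is usually a reliable tell for the platform.
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
}

BODY_SIGNATURES = [
    (r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', "WordPress"),
    (r"/wp-content/", "WordPress"),
    (r"jquery[-.]([\d.]+)(?:\.min)?\.js", "jQuery"),
]


def _match_all(value: str, signatures, found: dict) -> None:
    """Record every signature matching `value`; keep a version once one is seen."""
    for pattern, tech in signatures:
        m = re.search(pattern, value, re.IGNORECASE)
        if m:
            version = m.group(1) if m.groups() else None
            found[tech] = version or found.get(tech)


def parse_response(raw: bytes):
    """Split a raw response into (status line, headers as HTTPMessage, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = http.client.parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    return status_line.decode("ascii", "replace"), headers, body


def fingerprint(raw: bytes) -> dict:
    """Return {technology: version or None} for what the response reveals."""
    _, headers, body = parse_response(raw)
    found = {}
    for name, sigs in HEADER_SIGNATURES.items():
        for value in headers.get_all(name, []):
            _match_all(value, sigs, found)
    for cookie in headers.get_all("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_SIGNATURES:
            found.setdefault(COOKIE_SIGNATURES[name], None)
    _match_all(body.decode("utf-8", "replace"), BODY_SIGNATURES, found)
    return found


def version_disclosures(found: dict) -> list:
    """Technologies that leak an exact version: a low-severity finding on its own
    and the input for looking up known vulnerabilities in that version."""
    return sorted(tech for tech, version in found.items() if version)


SAMPLE_RESPONSE = (  # constructed for this example, not a real capture
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.7 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    b"Set-Cookie: PHPSESSID=3f1a9c0e; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head>\n"
    b'<meta name="generator" content="WordPress 4.1">\n'
    b'<script src="/wp-content/themes/demo/js/jquery-1.11.1.min.js"></script>\n'
    b"</head><body>Welcome</body></html>"
)

if __name__ == "__main__":
    found = fingerprint(SAMPLE_RESPONSE)
    for tech, version in found.items():
        print(f"{tech}: {version or 'version not disclosed'}")
    print("version disclosure:", ", ".join(version_disclosures(found)))
```

The raw response can be copied straight out of the proxy history once the tools below are running. Note that a Server or X-Powered-By header can be faked or stripped, so treat header-based matches as hints and confirm them against cookie names and application behaviour.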
Figure 1. Wappalyzer Result

After this we can go ahead and run an automated scan on the application.

- To scan the application we will be using Netsparker Community. There are many commercial options available for this, such as IBM AppScan, the commercial edition of Netsparker and HP WebInspect.
- In Netsparker we provide the URL of the application to be tested and start the scan.
- Some advanced features present in the commercial version allow providing credentials and cookies, generating reports, etc.

Figure 2. Netsparker Community
Note down the details of the vulnerabilities discovered.

- We can use Notepad++ for notes and take screenshots (if required) using Greenshot.
- The main components of a vulnerability record are (as applicable to the vulnerability): vulnerability name and description, URL, parameter, payload, steps to reproduce, HTTP request, HTTP response and mitigation.

There are also many open source and free tools available to perform WAPT.

- To identify issues related to the web server, use Nikto.
- For applications using SSL/TLS we can use SSLScan or the Qualys SSL Labs server test (SSL Test). SSL Labs is an online service that connects to the target from Qualys's servers, so use it only on hosts you are authorised to test and whose results you are allowed to share.
- To test for SQL injection vulnerabilities we can use SQLMap.

Figure 3. Qualys SSL Labs

Now comes the turn of manual testing.

- Though an automated scan provides broad coverage, manual testing is a must to identify business logic flaws and newly discovered attack vectors.
- To perform a manual assessment we require an application level proxy. For this we have multiple options, such as Burp Suite, OWASP ZAP, IronWasp and Charles.
- As these are application proxies, they run a listener on the local system. For example, Burp Suite listens on 127.0.0.1:8080 by default, and so does ZAP, so change the port of one of them if both are to run at the same time. We can use the FoxyProxy add-on to create profiles for Burp Suite and ZAP so that we can switch between them easily.
- Once the tools are running and the proxy is configured in the browser, we can open the application in the browser and see the raw request and response in the tool. For HTTPS applications the proxy presents its own certificate to the browser, so install the tool's CA certificate in the browser to avoid certificate warnings.
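To make concrete what sits between the browser and the application once the proxy profile is active, here is a minimal logging proxy in Python. It is an added example, not part of the original guide and not Burp's or ZAP's code: it listens on 127.0.0.1, relays each plain-HTTP request upstream, relays the reply without following redirects, and keeps the raw request and response bytes the way a proxy history tab does. The stand-in target application and the request URL are constructed for the demo. It handles plain HTTP only; the CONNECT/TLS interception with a generated CA certificate is what the real tools add on top.

```python
"""A minimal intercepting HTTP proxy, showing what Burp/ZAP see.

Added example, not part of the original guide and not Burp's or ZAP's code.
Plain HTTP only: no CONNECT/TLS handling. The target handler and the URL in
demo() are constructed stand-ins for the application under test.
"""
import http.client
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Hop-by-hop headers describe one connection and must not be relayed.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive",
              "transfer-encoding", "te", "trailer", "upgrade"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A proxy relays 3xx responses to the client instead of following them."""
    def redirect_request(self, *args, **kwargs):
        return None


# Empty ProxyHandler: the upstream fetch must ignore any http_proxy env vars.
_direct = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)


def _raw_headers(msg) -> str:
    return "".join(f"{k}: {v}\r\n" for k, v in msg.items())


class LoggingProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"  # one request per connection keeps the relay simple

    def _relay(self):
        # A proxy-configured browser sends the absolute URL in the request line,
        # so self.path is e.g. "http://target/login?user=admin".
        if not self.path.startswith("http://"):
            self.send_error(400, "absolute http:// URL expected")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        raw_request = (f"{self.command} {self.path} {self.request_version}\r\n"
                       + _raw_headers(self.headers) + "\r\n").encode() + (body or b"")

        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        req = urllib.request.Request(self.path, data=body, headers=fwd, method=self.command)
        try:
            resp = _direct.open(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err  # 3xx/4xx/5xx replies are relayed like any other
        resp_body = resp.read()
        resp.close()

        self.send_response(resp.code, resp.reason)
        for k, v in resp.headers.items():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(resp_body)))
        self.end_headers()
        self.wfile.write(resp_body)

        raw_response = (f"HTTP/1.1 {resp.code} {resp.reason}\r\n"
                        + _raw_headers(resp.headers) + "\r\n").encode() + resp_body
        self.server.history.append((raw_request, raw_response))

    do_GET = do_POST = do_PUT = do_DELETE = _relay

    def log_message(self, *args):  # keep stdout quiet; history holds the record
        pass


class LoggingProxy(ThreadingHTTPServer):
    """Listener on 127.0.0.1; port 0 lets the OS pick a free port."""
    def __init__(self, port=0):
        super().__init__(("127.0.0.1", port), LoggingProxyHandler)
        self.history = []  # (raw_request, raw_response) pairs, like a history tab

    @property
    def port(self) -> int:
        return self.server_address[1]

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self


def fetch_via_proxy(proxy_port: int, url: str):
    """GET `url` through the proxy the way a browser with a proxy profile would."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=10)
    conn.request("GET", url, headers={"Host": urlsplit(url).netloc})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


class _TargetHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the application under test (not from the guide)."""
    def do_GET(self):
        body = f"hello from {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def demo():
    """Run target and proxy on loopback, send one request, return what the proxy saw."""
    target = ThreadingHTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=target.serve_forever, daemon=True).start()
    proxy = LoggingProxy().start()
    url = f"http://127.0.0.1:{target.server_address[1]}/login?user=admin"
    status, body = fetch_via_proxy(proxy.port, url)
    proxy.shutdown(); proxy.server_close()
    target.shutdown(); target.server_close()
    return status, body, proxy.history


if __name__ == "__main__":
    status, body, history = demo()
    print(status, body)
    print(history[0][0].decode())  # the raw request, as a proxy history tab shows it
```

Running it prints the exact request line and headers the target received, which is the view the manual tests below work from: every parameter, cookie and header in that raw request is something the tester can change before it reaches the application.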
Now that the URL is listed in the target section (Burp Suite/ZAP) we can spider it, run scans against it and perform various manual tests to identify vulnerabilities, and also validate the issues discovered in the automated scan. The information gathered initially can be very helpful here.

Figure 4. Burp Suite configured in browser

Once the testing is complete we come to the last but important part, reporting.

- The report is the end result. Clients only see the result and not the effort, so the report needs to state clearly which issues have been identified.
- The report should contain details such as the description of the vulnerability, technical details, steps to reproduce, proof of concept and especially mitigation.

Things to keep in mind while performing a web application pentest:

- Perform test cases that might block access (e.g. login brute force, which can lock out the test account) at the end.
- When performing an automated scan, check the number of threads to avoid a DoS-like situation.
- Inform the client at once if a critical vulnerability is identified.

Some common web application vulnerabilities:

- Cross Site Scripting (XSS)
- SQL Injection
- Cross Site Request Forgery (CSRF)
- Business logic issues (e.g. price tampering, multiple coupon usage, negative balance transfer)
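The business logic issues in that list are the ones an automated scanner will not find, because every request is well-formed; they only show up when the tester changes a value in the intercepted request and watches what the server accepts. As an added example (not code from the original guide), the constructed checkout and transfer handlers below show each of the three flaws named above beside the server-side validation that closes it. The catalog, coupon table and per-account coupon history are assumptions made for the demo; amounts are integer cents.

```python
"""Price tampering, coupon reuse and negative transfers: vulnerable vs hardened.

Added example, not code from the original guide. The shop data and the
handlers are constructed to show the three business logic flaws the guide
lists and the server-side checks that close them. Amounts are integer cents.
"""
from dataclasses import dataclass, field

CATALOG = {"sku-42": 1999, "sku-7": 500}  # constructed server-side price list
COUPONS = {"SAVE5": 500}                  # constructed coupon code -> discount


class LogicError(ValueError):
    """Raised by the hardened handlers when a request breaks a business rule."""


@dataclass
class Account:
    balance: int
    used_coupons: set = field(default_factory=set)  # assumption: one use per account


# --- Vulnerable: trusts whatever the client sends -----------------------------
def checkout_vulnerable(client_items, client_coupons) -> int:
    """`client_items` is [{"sku", "qty", "price"}] taken straight from the request."""
    total = sum(item["qty"] * item["price"] for item in client_items)  # client-chosen price
    total -= sum(COUPONS.get(c, 0) for c in client_coupons)             # same coupon N times
    return total                                                         # may go negative


def transfer_vulnerable(src: Account, dst: Account, amount: int) -> None:
    if src.balance < amount:  # a negative amount always passes this check
        raise LogicError("insufficient funds")
    src.balance -= amount     # ... and moves money the wrong way
    dst.balance += amount


# --- Hardened: every value that matters is recomputed or validated server-side
def checkout_hardened(account: Account, client_items, client_coupons) -> int:
    total = 0
    for item in client_items:
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(qty, int) or qty <= 0:
            raise LogicError(f"bad quantity {qty!r}")
        if sku not in CATALOG:
            raise LogicError(f"unknown sku {sku!r}")
        total += qty * CATALOG[sku]  # price comes from the catalog, never the client
    seen = set()
    for code in client_coupons:
        if code not in COUPONS:
            raise LogicError(f"unknown coupon {code!r}")
        if code in seen or code in account.used_coupons:
            raise LogicError(f"coupon {code!r} already used")
        seen.add(code)
        total -= COUPONS[code]
    total = max(total, 0)          # a discount cannot push the order below zero
    account.used_coupons |= seen   # burn the coupons only after every check passed
    return total


def transfer_hardened(src: Account, dst: Account, amount: int) -> None:
    if not isinstance(amount, int) or amount <= 0:
        raise LogicError("amount must be a positive integer")
    if src is dst:
        raise LogicError("cannot transfer to the same account")
    if src.balance < amount:
        raise LogicError("insufficient funds")
    src.balance -= amount
    dst.balance += amount


def raises_logic_error(fn, *args) -> bool:
    """True if the handler rejects the request; used to show the hardened behaviour."""
    try:
        fn(*args)
    except LogicError:
        return True
    return False


if __name__ == "__main__":
    tampered = [{"sku": "sku-42", "qty": 1, "price": 1}]  # client rewrote 1999 -> 1
    print("vulnerable total:", checkout_vulnerable(tampered, ["SAVE5", "SAVE5"]))
    acct = Account(balance=0)
    print("hardened total:", checkout_hardened(acct, [{"sku": "sku-42", "qty": 1}], ["SAVE5"]))
    print("coupon reuse rejected:", raises_logic_error(
        checkout_hardened, acct, [{"sku": "sku-42", "qty": 1}], ["SAVE5"]))
    attacker, victim = Account(1000), Account(1000)
    transfer_vulnerable(attacker, victim, -500)  # "sends" -500: drains the victim
    print("after negative transfer:", attacker.balance, victim.balance)
```

In the intercepted request these flaws look like an editable `price` field, a repeated `coupon` parameter and a negative `amount`; the test cases are simply those edits, and the finding is whichever one the server accepts.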
Resources:

- Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Main_Page
- OWASP Testing Guide v4: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
- Web Application Security Consortium: http://www.webappsec.org/
- SecDocs: http://www.secdocs.org/
- WordPress Vulnerability Database: https://wpvulndb.com/
About Octogence Tech Solutions

Octogence is an information security service provider which focuses on business-centric security assessment. Our aim is to help organizations be more secure in cyberspace so that they can stop worrying about data breaches and focus on their business. Our highly qualified, experienced and motivated team aims at providing our clients the service and quality they expect. We have the expertise as well as the flexibility to provide customized solutions depending upon the client's requirements.

Our Services:

- Web Application Pentesting
- Mobile Application Pentesting
- Network Pentesting

Some companies in which our team has previously discovered vulnerabilities:

Some products we have helped to be more secure:

For any information and support contact:

- Chandan Agarwal, Sales Executive, +91-9971773414, chandan@octogence.com
- Sudhanshu Chauhan, Principal Consultant, +91-9971658929, sudhanshu@octogence.com

*Each logo is the trademark property of its respective owner(s). They appear only for representative and illustrative purposes and do not reflect affiliation.