By: Babak Esmaeili
October 12, 2016
Practical Web Application Penetration Testing Series - Chapter 3b
In the last chapter, we set up the plugins needed for Burp Suite. Now we are going to start scanning http://testphp.acunetix.com/ with Burp Suite.
Run Burp, set the browser's proxy to it, then enter the target site in the URL bar. You will see that Burp captures the request for us.
Hint: At this point, we should know which strategy we are going to use. Some pentesters prefer to do penetration testing manually: they check every suspicious link with the Burp scanner for the specific vulnerabilities they think may exist. However, I am going to perform an automatic scan with Burp Suite.
Others may prefer other scanners such as Acunetix or Netsparker. If we talk about commercial tools, I prefer Netsparker, as it has many attack-tool plugins.
Back to Burp Suite. Click "Intercept is on" so that it reads "Intercept is off", then go to the Target tab at the top.
On the right, you see a list of URLs, but the one we are going to scan is http://testphp.acunetix.com/. Right-click on it and select "Add to scope" from the menu. We do this because we want to use some extra plugins later, so we mark our URL and separate it from the others in the list.
Right-click on the http://testphp.acunetix.com/ URL again, and this time select "Spider this host."
Now click on the Spider tab.
You can see that during spidering Burp asks us for manual input when it finds a form. You can enter a username and password or any other values you want, or just press "Submit form" without entering anything.
We press "Submit form" without entering anything each time it asks.
The spider now crawls the http://testphp.acunetix.com/ website and finds every link it has.
Click the Target tab again and you can see that the spider has found many links and subfolders of the website.
Right-click on the target URL and select "Actively scan this host." In the Active scanning wizard dialog we set some options for our scan.
First, we check "Remove items with no parameters", since we don't want Burp to scan links that have no parameters.
Hint: links that have no parameters are usually left out of scanning, because where the site takes no user input we usually cannot find vulnerabilities [but not always].
Usually, these kinds of links serve static data such as .js files or static web pages. [Where there is no input from the user there may be no vulnerability.]
We also check "Remove items with the following extensions". We can add more extensions to the list; for example, we add .bmp (bitmap files).
We click Next,
and then OK.
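To make the two wizard filters concrete, here is an added example (my own illustration, not Burp's code) that applies the same rules to a constructed list of crawled URLs: keep only in-scope items, drop items with no parameters, and drop items with static extensions, including the .bmp we added. The default extension list and the sample URLs are assumptions for the example.

```python
from urllib.parse import urlparse, parse_qs

# Scope we added in the Target tab.
SCOPE_HOST = "testphp.acunetix.com"
# Assumed default extension filter of the wizard, plus the .bmp we added.
STATIC_EXTENSIONS = {".js", ".gif", ".jpg", ".png", ".css", ".bmp"}

# Constructed sample of what a spider might return (not real crawl output).
CRAWLED = [
    "http://testphp.acunetix.com/index.php",
    "http://testphp.acunetix.com/search.php?test=query",
    "http://testphp.acunetix.com/listproducts.php?cat=",
    "http://testphp.acunetix.com/images/logo.bmp?v=2",
    "http://testphp.acunetix.com/scripts/app.js",
    "http://example.com/login.php?user=a",
]


def in_scope(url):
    """True when the host matches the scope we set in Burp."""
    return urlparse(url).hostname == SCOPE_HOST


def has_parameters(url):
    """True when the query string carries at least one parameter.
    A blank value such as '?cat=' still counts: it is user-controlled input.
    Note: POST body parameters are not visible in a URL list, so a
    URL-only filter is stricter than Burp, which also sees request bodies."""
    return bool(parse_qs(urlparse(url).query, keep_blank_values=True))


def has_static_extension(url):
    """True when the path ends with one of the filtered extensions."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in STATIC_EXTENSIONS)


def select_for_active_scan(urls, remove_no_params=True, remove_extensions=True):
    """Return (kept, dropped) where dropped maps each URL to the reason."""
    kept, dropped = [], {}
    for url in urls:
        if not in_scope(url):
            dropped[url] = "out of scope"
        elif remove_extensions and has_static_extension(url):
            dropped[url] = "static extension"
        elif remove_no_params and not has_parameters(url):
            dropped[url] = "no parameters"
        else:
            kept.append(url)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = select_for_active_scan(CRAWLED)
    print("scan:", kept)
    print("skip:", dropped)
```

Unticking either wizard box corresponds to passing `remove_no_params=False` or `remove_extensions=False`.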
In the Scanner tab, under Scan queue, we see that scanning has started.
We should wait until scanning finishes. During the scan, if we go to the Target tab we can see the issues the scanner has found so far in the Issues window.
If we click on an issue, the Advisory pane shows the issue detail for every issue Burp Suite has found.
The first thing we do after the scan finishes is to save it. To do this, we go to the main menu, click Burp and select "Save state." The "Save state wizard" appears.
We check "Save in-scope items only" [we added the target to scope earlier] and click Next.
We can enter a password to encrypt our state, but I just click Next. The other options are self-explanatory.
Hit Next, then give it a name and save it.
Hit Next again, and we are done.
This way, we can review the details of what we scanned whenever we want.
In the next section of this chapter, we use more techniques to retest the issues we found and confirm that they are real. After that, in chapter 4, we are going to exploit the issues found and cover the techniques of exploitation.
We will see how to bypass a WAF and make a final report. In chapter 5 we repeat the testing in advanced manual mode: testing URL rewrites, injections and inclusions. Thanks, everybody.