Web App Pentesting: Tools and Techniques for Web Security Auditing
Every pentester has their own tools and techniques for web app security auditing, and the choice often depends on the type of website being pentested. Here, we'll explore some common tools and techniques that can help us audit web application security.
Detecting web application firewalls and other services
You can start by detecting whether a web application firewall (WAF) is in use. Later, determine whether there is any way to bypass it.
Recommended tools:
fofa.so: A cyberspace search engine launched by White Hat. It helps researchers and enterprises quickly match network assets by performing cyberspace mapping, for example to analyze the scope of a vulnerability.
shodan.io: The most popular search engine among pentesters for finding vulnerable IoT devices and open ports exposed by web servers across the internet.
wafw00f: This tool lets you detect and identify which Web Application Firewall is protecting the website.
Many websites use CloudFlare as their CDN (Content Distribution Network) and to help mitigate DDoS attacks. Because of this, it is necessary to find the real IP address of the website so that further exploitation can be carried out against what is hidden behind CloudFlare.
cloud-buster: This tool helps you resolve a CloudFlare-fronted site and obtain the IP address of the web server behind the firewall.
CloudFail: Similar to cloud-buster, this tool checks for DNS misconfigurations and old database records to help you find the IP hidden behind the CloudFlare network.
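To show how tools like wafw00f recognise an edge product, and how a defender can check that responses really are passing through the CDN/WAF rather than coming straight from the origin, here is an added example (not code from this article, from wafw00f, or from any of the tools above). The signature table and the sample responses are constructed for the example: real fingerprinting tools carry hundreds of signatures and also inspect bodies and status codes of blocked requests. `fingerprint_waf` and `served_through_edge` are names chosen for this example.

```python
"""Fingerprint a WAF/CDN from HTTP response headers (added example).

The signature table is a small, hand-written subset built from publicly
documented headers; it is not the wafw00f database.
"""
from typing import Dict, List, Tuple

# Constructed signature table: product -> list of (header name, substring that
# must appear in its value). An empty substring means the header only needs to
# be present. Header names are compared case-insensitively, as HTTP requires.
SIGNATURES: Dict[str, List[Tuple[str, str]]] = {
    "Cloudflare": [("server", "cloudflare"), ("cf-ray", "")],
    "Amazon CloudFront": [("x-amz-cf-id", ""), ("via", "cloudfront")],
    "Sucuri": [("server", "sucuri"), ("x-sucuri-id", "")],
}


def normalize_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case names and values so matching is case-insensitive."""
    return {name.lower(): value.lower() for name, value in headers.items()}


def fingerprint_waf(headers: Dict[str, str]) -> List[str]:
    """Return the products whose markers appear in the response headers.

    A product matches when at least one of its (header, substring) pairs is
    present; the first matching pair is enough, so each product is listed once.
    """
    h = normalize_headers(headers)
    found = []
    for product, markers in SIGNATURES.items():
        for name, needle in markers:
            if name in h and needle in h[name]:
                found.append(product)
                break
    return found


def served_through_edge(headers: Dict[str, str]) -> bool:
    """Defender's check: did this response pass through a known WAF/CDN edge?

    If a request sent directly to the origin's IP address is answered without
    any edge markers, the origin is reachable without the WAF in front of it,
    which is the exposure the CloudFlare-resolving tools above look for.
    """
    return bool(fingerprint_waf(headers))


# Constructed sample responses (not captured from any real site).
VIA_CDN = {
    "Server": "cloudflare",
    "CF-RAY": "0000000000000000-XXX",   # placeholder ray id
    "Content-Type": "text/html",
}
DIRECT_TO_ORIGIN = {
    "Server": "nginx",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    print("through CDN:", fingerprint_waf(VIA_CDN))                  # ['Cloudflare']
    print("direct to origin:", fingerprint_waf(DIRECT_TO_ORIGIN))    # []
    print("origin exposed:", not served_through_edge(DIRECT_TO_ORIGIN))  # True
```

In a real audit the two header sets would come from one request to the public hostname and one to the origin address you administer; if the second answers with site content and no edge markers, the origin needs to be restricted to the CDN's address ranges.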
Whois Records, Reverse IP Lookup and DNS Enumeration
A whois record can reveal information about the target website, such as the registrant details held in the registrar's database. This type of information can be useful for social engineering attacks.
The next step should be gathering DNS-related information such as the mail exchange servers, the name servers, or even a zone transfer. This can help us find misconfigurations, gather information about the topology of the given network, and determine which machines are accessible.
https://securitytrails.com: This website gives you almost all DNS-related information about a website, such as DNS records, historical data, A records, MX records, etc.
DNSdumpster: A free domain research tool to discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.
CLI tools:
amass: In-depth DNS enumeration and network mapping.
dnsrecon: A DNS enumeration tool to discover various DNS-related information.
dig, dnsenum, nslookup (for Windows).
Reverse IP lookup is a technique to find whether any other websites are hosted on the same server; this tells us whether the website is on shared hosting.
Web Technology Detection
During pentesting, getting as much information as possible about the organization is very important. For example, information on the website owner, who their employees are, and details about them is also important. LinkedIn is a good source of information about an organization, so that better social engineering attack strategies can be made.
Raven: A LinkedIn information gathering tool that pentesters can use to gather information about an organization's employees using LinkedIn.
ScrapedIn: This tool helps you scrape LinkedIn without API restrictions for data reconnaissance.
theHarvester: A very popular OSINT tool for gathering names, emails, subdomains, virtual hosts, open ports/banners, and employee names of an organization from different public sources.
Scanning Hidden Directories
Scanning web directories can be a good way to find the admin panel of a website, for instance if you have obtained a password through a social engineering attack. It can also reveal other hidden directories.
Recommended tools:
DIRB: A fast web content scanner that helps a pentester find the hidden directories of a website. It works by launching a dictionary attack against the target website.
dirsearch: Another fast web path scanner that works by dictionary attack.
Subdomain enumeration is important for a web pentest. A website may have used a subdomain for some service, later stopped using it, but forgotten to remove the subdomain record pointing at that service. In this case, an attacker can register the subdomain at the service, clone the website, and phish users for their login credentials by adding login forms.
Recommended tools:
aquatone: A fast subdomain brute force tool for subdomain enumeration.
Sublist3r: Similar to aquatone, a fast subdomain enumeration tool for penetration testers.
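The two DNS findings discussed above (a zone transfer that leaks internal topology, and a forgotten subdomain record that can be taken over) can be checked with a short audit of the zone's records. The following is an added example, not code from this article or from amass, dnsrecon, Sublist3r or aquatone. The zone text is constructed in the format `dig axfr` prints, and `RESOLVABLE_TARGETS` is a constructed stand-in for the DNS lookup that would normally tell you whether a CNAME target still exists, so the script runs offline; the function names are chosen for this example.

```python
"""Audit a DNS zone for leaked internal hosts and dangling CNAMEs (added example)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed zone data: owner, TTL, class, type, data (the `dig axfr` layout).
ZONE_TEXT = """\
example.test.            3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.            3600 IN NS    ns1.example.test.
www.example.test.        300  IN A     203.0.113.10
intranet.example.test.   300  IN A     10.0.5.20
build.example.test.      300  IN A     192.168.1.40
shop.example.test.       300  IN CNAME legacy-shop.hosting-provider.test.
blog.example.test.       300  IN CNAME sites.hosting-provider.test.
ns1.example.test.        3600 IN A     203.0.113.2
"""

# Constructed stand-in for "does this CNAME target still resolve?". In a real
# audit this is a DNS query; a target answering NXDOMAIN is dangling.
RESOLVABLE_TARGETS: Set[str] = {"sites.hosting-provider.test."}

# RFC 1918 ranges: addresses here should never appear in a public zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Record = Tuple[str, str, str]  # (owner, rtype, rdata)


def parse_zone(text: str) -> List[Record]:
    """Return (owner, rtype, rdata) tuples; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:          # not a full resource record line
            continue
        owner, _ttl, _class, rtype = parts[:4]
        rdata = " ".join(parts[4:])  # SOA and TXT data span several fields
        records.append((owner, rtype.upper(), rdata))
    return records


def leaked_internal_hosts(records: List[Record]) -> Dict[str, str]:
    """Names whose A/AAAA record points into RFC 1918 space.

    Such records reveal internal topology to anyone who can read the zone,
    which is exactly what an open zone transfer hands out.
    """
    leaks = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                leaks[owner] = rdata
    return leaks


def dangling_cnames(records: List[Record], resolvable: Set[str]) -> Dict[str, str]:
    """CNAMEs whose target is neither in the zone nor resolvable: takeover candidates."""
    zone_names = {owner for owner, _, _ in records}
    return {
        owner: rdata
        for owner, rtype, rdata in records
        if rtype == "CNAME" and rdata not in zone_names and rdata not in resolvable
    }


def audit_zone(text: str = ZONE_TEXT, resolvable: Set[str] = RESOLVABLE_TARGETS) -> Dict[str, Dict[str, str]]:
    """Run both checks over the zone text and return the findings by category."""
    records = parse_zone(text)
    return {
        "internal_hosts": leaked_internal_hosts(records),
        "dangling_cnames": dangling_cnames(records, resolvable),
    }


if __name__ == "__main__":
    for finding, items in audit_zone().items():
        print(finding)
        for name, data in items.items():
            print(f"  {name} -> {data}")
```

On the constructed zone this reports intranet and build as internal hosts and shop as a dangling CNAME; the mitigation on the defending side is to restrict zone transfers to the secondary name servers and to delete CNAME records whose target has been decommissioned.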
After finding out what technology is in use, we can check whether an outdated version is running. If so, check whether an exploit is available for that version.
Exploit-Database: Maintained by Offensive Security, the Exploit Database is a CVE-compliant archive of public exploits and the corresponding vulnerable software. It can help you find exploits for various outdated, vulnerable software.
https://cxsecurity.com: Another online search tool for finding exploits for vulnerable software.
Static Code Analysis
Vulnerabilities such as injection attacks (SQL injection, XSS, LDAP injection) arise from coding errors in the website. Static code analysis is important for finding these errors and can help us uncover most of the vulnerabilities in a website. We should first focus on the OWASP Top 10: OWASP releases a list of the top 10 vulnerabilities every year, describing the most critical vulnerability classes behind most website attacks.
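To make the static-analysis point concrete, here is an added example (not code from this article, nor from Burp, cobra or NodeJsScan) that shows the same SQL injection defect from both sides: a lookup that concatenates user input into the query next to its parameterised fix, exercised against an in-memory SQLite table, plus a deliberately small checker built on Python's ast module that flags execute() calls whose query string is assembled at runtime. The table rows, the sample source in `SAMPLE_SOURCE` and all function names are constructed for this example; the checker is an illustration of what a SAST rule does, not a substitute for a real scanner.

```python
"""Static and dynamic view of one SQL injection defect (added example)."""
import ast
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """The defect: user input is concatenated into the SQL text."""
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """The fix: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def _is_built(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x  /  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        return True                                          # "...".format(x)
    return False


def find_string_built_sql(source: str) -> List[int]:
    """Line numbers of execute()/executemany() calls whose first argument is a
    runtime-built string, or a variable last assigned from one.

    A literal query passed directly is accepted; anything assembled from
    expressions is reported for manual review.
    """
    tree = ast.parse(source)
    # Pass 1: variables assigned from a built string.
    built_names = {
        tgt.id
        for node in ast.walk(tree)
        if isinstance(node, ast.Assign) and _is_built(node.value)
        for tgt in node.targets if isinstance(tgt, ast.Name)
    }
    # Pass 2: execute-style calls fed by such an expression or variable.
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            arg = node.args[0]
            if _is_built(arg) or (isinstance(arg, ast.Name) and arg.id in built_names):
                findings.append(node.lineno)
    return sorted(findings)


# Constructed source to scan: two defective functions and one safe one.
SAMPLE_SOURCE = '''\
def bad(conn, user):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % user)

def also_bad(conn, user):
    q = f"SELECT * FROM users WHERE name = '{user}'"
    return conn.execute(q)

def good(conn, user):
    return conn.execute("SELECT * FROM users WHERE name = ?", (user,))
'''

if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"          # classic demonstration input
    print("vulnerable:", lookup_vulnerable(conn, payload))   # all three rows
    print("fixed:", lookup_fixed(conn, payload))             # []
    print("flagged lines:", find_string_built_sql(SAMPLE_SOURCE))  # [2, 6]
```

The checker reports lines 2 and 6 of the sample and stays silent on the parameterised call, which is the behaviour a rule in a scanner like cobra or NodeJsScan encodes; the dynamic half shows why the finding matters, since the concatenated query returns every row for the demonstration input while the bound-parameter version matches nothing.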
Burp Suite: Burp Suite is a graphical tool for testing web application security. You can also do code analysis of websites and manipulate GET/POST requests to see how the website behaves. This tool also contains an Intruder function for intercepting website requests and responses, and later you can also change the response using the Repeater function of this tool.
awesome-burp-extensions: This repo contains some awesome Burp plugins for people who want to enhance their Burp experience.
cobra: A source code security auditing tool that supports detection of most significant security issues and vulnerabilities in source code written in a variety of development languages.
NodeJsScan: A static security code scanner for Node.js applications.