Ready to Start Your Career?

Web App Pentesting Tools for Security Audits

Shaquib Izhar's profile image

By: Shaquib Izhar

January 11, 2019

Web App Pentesting: Tools and Techniques for Web Security Auditing

 Every pentester has his own tools and techniques for web app security auditing. Sometimes it depends on the type of website being pentested. Here, we'll explore some common tools and techniques that can help us audit web application security. 
 
Detecting web application firewall and other services.
 
You can start by detecting if there are any web application firewalls in use? Later, determine if there's any way to bypass it. 
 
Recommend tools fofa.so It is a cyberspace search engine launched by White Hat. It can help researchers or enterprises quickly match network assets by performing cyberspace mapping, for example, analyzing the scope of vulnerability.  shodan.io It is most poplar search engine among pentester for finding various online vulnerable IoT devices, online open ports from various web servers. wafw00f  This tool allow you to detect and identify what Web Application is in use that is protecting the website. 
 
Bypassing Cloudflare
 
Many websites uses CloudFlare for their CDN (Content Distribution Network) and to help mitigate DDoS Attacks. For this, it's necessary to get the real IP of the website so that further exploitation can be done and what can be hidden behind CloudFlare.
 
Recommend tool:  
cloud-buster This tool will help you to resolve CloudFlare and you can get the IP address of the website behind the firewall. 
 
CloudFail Similar to cloud-buster this tool will check for DNS misconfiguration and old database record to help you find hidden IP behind the CloudFlare network. 
 
Whois Record,Reverse IP lookup and DNS enumeration 
 
Whois record can help you to find you info about the target website like database information that stores registered users information. These type of info can be useful for Social Engineering Attack.
 
Recommend Tools : https://www.whois.com/whois
 
The next step should be getting DNS related information such as the mail exchange server, name server, or even getting zone transfer information that can help us find misconfiguration and gather information about the topology of the given network and determine which machines are accessible.
 
Recommend Tools
Online resource: 
https://securitytrails.com This website will help you to get almost all DNS related information about the website like DNS records, Historical data, A records, MX records etc. 
 
DNSdumpster It's a free domain research tool to discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.
 
CLI tools:amass : In-Depth DNS Enumeration and Network Mapping
dnsrecon This is dns enumeration tool to discover various dns related information
Dig , dnsenum, nslookup ( for windows) . 
 
 Reverse IP lookup is a technique to find if there's any other website is hosted on the same server, this will help us to find if the website is using any shared hosting or not.  
 
Recommend tools
Yougetsignals This website contain lot of online resource like reverse IP lookup, Reverse E-mail lookup etc.  https://hackertarget.com/reverse-ip-lookup Similar to yougetsignal will perform reverse IP lookup
 
Web Technology Detection 
 
These days websites are using various web technologies like some content management framework ,various JavaScript plugins etc. Knowledge of what web technologies are the target website using can make it easy to find a vulnerability on the website by finding security holes in one of those web technologies that the site is using.  Recommend toolsWappalyzer It is a cross platform tool which can help you to identify technologies that the websites are using. It come in both Firefox and chrome extension.    builtwith.com Similar to wappalyzer this website can help you to identify various running technology on a website . 
Information gathering about the organization   
During pentesitng, geting as much information as possible about the organization is very important. For example, information on the website owner, who their employees are, and info on them is also important. LinkedIn is a good source for getting information about the organization so that better social engineering attack strategies can be made.
 
Recommend Tools:
 
Raven raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using LinkedIn.
 
ScrapedIn This tool will help you to scrape LinkedIn without API restrictions for data reconnaissance.
 
theHarvester This is very popular OSINT tool for gathering names, emails, subdomains, virtual hosts, open ports/banners, and employee names from different public sources of an organization.
 Scanning Hidden directory 
Scanning web directory could be a good way to find admin panels of a website if you have got a password using some social engineering attack. This can also help you to get some hidden directories. Recommend toolsDIRB  It is a fast web content scanner tool, it can help a pentester to find hidden directory of a website.It works by launching dictionary attack against the target website . dirsearch Another fast web path scanner which work based on dictionary attack.  
Subdomain Enumeration 
 
Subdomain enumeration is important for a web pentest. If the website is using a subdomain for some services and later they stop using it but forgot to remove that subdomain redirection pointing to the website. In this case, the attacker can register the subdomain. Now the attacker can clone the website and can phish users to get their login credentials by adding login forms.  Recommend Toolsaquatone : A fast subdomain brute force tool for subdomain enumeration. Sublist3r Similar to aquatone Fast subdomains enumeration tool for penetration testers.
Exploitation
 
After getting what technology is in use, we can check if there's an outdated version running. If there is an outdated version running then check if there's an exploit available for that version. 
 
Recommend Tools:
Exploit-Database Maintained by Offensive Security This Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software this can help you to get exploits for various outdated vulnerable software.
 
Searchsploit Command line version of exploit-db 
 
https://cxsecurity.com Another online search tool for getting exploit of vulnerable software.   
Static Code analysis 
 
Vulnerabilities like Injection attack such as SQL Injection, XSS, LDAP injection can happen due to code error in website, Static code analysis is important for checking code error that can help us to find most of the vulnerability in websites for example we should first focus on OWASP top 10 vulnerabilities. OWASP releases list of top 10 vulnerabilities every year which tell what are the most critical vulnerabilities which causing most website attacks.
 
Recommend tools
 
Buirp suite Burp Suite is a graphical tool for testing Web application security.You can also do code analysis of the websites, manipulate GET-POST request to see how the website is behaving by doing so. This tool also contains intruder functions for intercepting website request and response and later you can also change the response by using the repeater function of this tool. 
 
awesome-burp-extensions This Repo contains some awesome burp plugins for people who want to enhance their burp experience.  cobra A source code security auditing tool that supports detection of most of the significant security issues and vulnerabilities in a variety of development language source code. NodeJsScan This is a is a static security code scanner for Node.js applications.
Schedule Demo