
Web Vulnerability Assessment

Summary

Organizational websites are often central to their work, but resource constraints can leave them vulnerable to a wide variety of attacks, from simple DDoS (Distributed Denial of Service) attacks, to being leveraged for online scams and malicious advertising, to targeted destruction and subversion. Insecure websites can even be used in "watering hole" attacks, where malware is implanted into the site to deliberately target the website's audience.

This activity provides a SAFETAG auditor with a suite of processes and tools to investigate organization and project websites for potential vulnerabilities. There are multiple ways to do this, from passive to more active scanning. SAFETAG takes great care to take a primarily passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or to undermine operational security. Review operational security concerns, work closely with the organization, and pursue a minimal approach focused on the organization's priorities. See also the Vulnerability Scanning activity for additional tools and approaches for investigating at the server level, outside the website itself.

Considerations

    • Begin with passive techniques and consider whether more detail is necessary (e.g. would simply upgrading the CMS solve multiple problems?). Remember that the point is to create a clear, simple path towards security, not a comprehensive report on every possible vulnerability.
    • Seek explicit permission for vulnerability scanning. NOTE: The organization might not be in a position to give you meaningful "permission" to carry out an active remote assessment of "cloud services" used within the organization; the hosting provider's terms of service may apply as well.
    • Agree on the site(s) to scan and determine the intensity of the process.
    • Ensure documented permission and schedule an appropriate time with the site host.
    • In situations where the auditor is doing this work remotely, it is important to only run "safe" tests that have no possibility of causing damage to the website. Be very careful about which automated scans you run, to ensure that no aggressive or potentially damaging tests (denial of service, file upload, command execution) are included.
    • Discover and review the website's backup options before starting the audit process, so that the site can be restored if a test has unintended effects.

Walkthrough

    Web vulnerability assessment can be done in different ways, with different tools, and with different results. The steps and guides below are not meant to be followed in full or in order; they give the auditor a broader set of options from which to choose the approach that fits the situation and finds as many relevant vulnerabilities as possible.

    These vulnerabilities can range from:

    • Web Server/OS level vulnerabilities
    • Access control vulnerabilities
    • Application-specific vulnerabilities
    • Misconfiguration
    • SQL Injection
    • Cross-site Scripting
    • Directory Traversal
    • Failure to restrict URL Access
    • Insufficient Transport Layer Protection
    • LDAP injection
    • Malicious code
    • Leaked information

    Before pursuing any of these more active scans, review the outputs from passive reconnaissance, DNS history and current DNS information, and (if relevant) CMS version checking. This guide covers a small subset of web vulnerability scanning tools; a more comprehensive list is available at https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools and may offer approaches better suited to specific situations.

    OpenVAS, covered in the Vulnerability Scanning activity, also includes Wapiti, which can help to detect many of the common vulnerabilities listed above.


    Variant: Manual Testing with Burp (Active)

    Introduction

    According to Burp's official documentation, "Burp Suite is an integrated platform for performing security testing of web applications. It is not a point-and-click tool, but is designed to be used by hands-on testers to support the testing process. With a little bit of effort, anyone can start using the core features of Burp to test the security of their applications. Some of Burp's more advanced features will take further learning and experience to master." To learn about Burp Suite's other tools and features, see the Burp Suite tools and functions pages in its documentation.

    Requirements

    Note: If you are using Kali Linux, Burp Suite is already installed. Otherwise you need a Java runtime and the Burp JAR file; see "Launching Burpsuite" below for how to run it.

    Burp's documentation argues that this investment is worth it: Burp's user-driven workflow is by far the most effective way to perform web security testing, and takes you well beyond the capabilities of any conventional point-and-click scanner. Burp is intuitive and user-friendly, and the best way to start learning is by doing. The steps below will get you started with running Burp and using its basic features; you can then read deeper into the documentation to become more proficient with the tool.

    Burp Suite contains various tools for performing different testing tasks. The tools operate effectively together, and you can pass interesting requests between tools as your work progresses, to carry out different actions.


    Burp's Getting Started documentation is quite detailed and useful, and strongly recommends launching Burp from the command line for better control. In particular, it recommends setting the amount of memory you wish to dedicate to Burp:


    Launching Burpsuite

    With Java installed, on some platforms you may be able to run Burp directly by double-clicking the Burp JAR file. However, it is preferable to launch Burp from the command line, as this gives you more control over its execution, in particular the amount of memory that your computer assigns to Burp. To do this, in your command prompt type a command like:

    java -jar -Xmx1024m /path/to/burp.jar
    

    where 1024 is the amount of memory (in MB) that you want to assign to Burp, and /path/to/burp.jar is the location of the Burp JAR file on your computer.

    Burp's troubleshooting documentation can help if the Burp window does not appear shortly after running the command.

    Setting up your environment

    • Verifying Scope/Target:

      • Always check that you have the right URL/domain before starting. The last thing you want is to scan a target that is out of scope!
    • Setting up your browser (use a separate browser profile for testing, so that only your testing traffic goes through Burp):

      • For Firefox:
      • Enter about:preferences#advanced in the address bar, then click Settings next to Connection
      • Select Manual proxy configuration and enter localhost under HTTP Proxy, with Port set to 8080
      • Check Use this proxy server for all protocols
      • For Chrome:
      • Enter chrome://settings/system in the address bar, then click Open proxy settings
      • On Kali this opens the system Network settings window. Click Network proxy and set Method to Manual
      • Set HTTP Proxy to 127.0.0.1 with Port 8080
      • Configure the remaining entries (HTTPS Proxy, FTP Proxy and Socks Host) with the same values
    • Setting up a SOCKS proxy (optional)

      • In some cases you will be required to scan from an approved testing environment or a specific network/IP range. In that case, route Burp's traffic through a SOCKS proxy for the assessment.
      • Verify your IP: take note of your current public IP address (for example with WhatismyIP.com).
      • An SSH connection to a server in the approved range provides the SOCKS proxy, using SSH's dynamic port forwarding:
      • ssh -D 9292 user@server_name_or_ip
      • Once authenticated, configure Burp to route its traffic through the SSH tunnel.
      • From the Options tab, click the Connections sub-tab and scroll down to SOCKS Proxy
      • Under SOCKS proxy host, type localhost, and under SOCKS proxy port, type 9292
      • Then check Use SOCKS proxy
      • Check your public IP address again to verify that the configuration is correct: it should now be the server's address.

    Testing Burpsuite Configuration

    NOTE: Scanning web applications without the owner's permission is potentially illegal. Test Burp only on your own web applications or in a controlled environment. Several publicly available websites are intentionally insecure and meant for testing and learning; use one of these to get familiar with Burp and to perform the exercises in this guide.

    Intercepting Request

    • To start intercepting traffic to and from your target domain/URL, enter the target domain in your configured browser and hit Enter.
    • In your Burp instance, under the Proxy tab, sub-tab Intercept, make sure that the Intercept button is on.
    • If Burp captures the request from your browser, your configuration is correct.
    • Click Forward and the request is forwarded to the server/target. The next sub-tab, HTTP History, now fills up each time you open a link or a page within the target domain.

    Adding Target/Scope

    • Adding your target to the scope is important so that you do not miss anything, and do not scan URLs that are not in your list of targets.
    • To add the target to your scope, right-click the domain/website in the Target tab, then select Add to Scope
    • Burp will ask whether you want to stop sending out-of-scope items to the HTTP history tab and other Burp tools - click Yes.
    • The target now appears in the Target tab, under the Scope sub-tab.
    • To include subdomains in your scope, use a regex such as .*\.test\.com$

    Managing Burp Projects

    • Managing Burp projects depends on the version you are using. Some features are only available in Burp Suite Professional, not in the free edition. See Burp's documentation on managing projects for details.
    • Selecting project type:

      • Temporary project - Quick tasks, no need to save data
      • New project on Disk - Creates new project and stores it on disk on a "Burp project file"
      • Open existing project - Opens recent existing project from a "Burp project file". Scanners & spiders are paused.
    • Selecting Configuration

      • Burp Defaults - BurpSuite's default options
      • Use options Saved within project - Only available when reopening an existing project. It uses the options saved from the previous project
      • Load from a configuration file - Opens a project using the options contained on a Burp Configuration File

    NOTE: According to BurpSuite documentation, "If you open an existing project that was created by a different installation of Burp, then Burp will prompt you to decide whether to take full ownership of the project.

    This decision is needed because Burp stores within the project file an identifier that is used to retrieve any ongoing Burp Collaborator interactions that are associated with the project. If two instances of Burp share the same identifier in ongoing work, then some Collaborator-based issues may be missed or incorrectly reported. You should only take full ownership of a project from a different Burp installation if no other instance of Burp is working on that project."

    Burp Suite is an advanced tool for testing web applications; this guide covers only its basic testing activities. Many of the advanced features (the automated scanner, for instance) require a licensed Professional version.

    Basic Burp Suite Testing Exercises:

    Attacking a login form with a simple payload set (brute-force attack):

    • Verify that your Burp is working

      • First confirm that Burp and your browser are both configured as described above.
    • Login page of target application

      • Visit a login page of your target web application (use one of the test sites mentioned above).
    • "Intercept On" - Make sure that Burp's intercept function is set to "ON".

      • Before you submit your sample credentials, make sure that under Proxy > Intercept the "Intercept" button is set to "ON", so that the request from your browser to the server is held.
    • Review the contents of the request under Proxy > Intercept > Raw

      • On the Raw tab, once you see the "POST /login.php" request from your browser to the web application server, right-click inside the request and select Send to Intruder
    • Under Intruder > (numbered tab) > Target, check that Host, Port and "Use HTTPS" match the target. Leave "Use HTTPS" checked for an https:// target; unchecking it would send the credentials in the clear, or simply fail.
    • Under Intruder > (numbered tab) > Positions, Burp marks every parameter it considers a replaceable payload position.
    • Look for the email and pass parameters.

      • You can either mark both email and pass as positions or keep just one. For this exercise, clear the other positions and keep only the pass variable.
    • Under Intruder > Payloads

      • Define the number of payload sets, which depends on the attack type (for our case, with one position and the Sniper attack type, use 1)
    • Below Payload Sets, under Payload Options, you can add strings one at a time, paste a list, or load one from a file to use as your payloads.
    • After entering your list of strings or passwords, click Start Attack (at the top right of the Positions or Payloads tab)
    • Clicking "Start Attack" opens a results window listing each request with its HTTP status code, response length and other columns.

    Take note of how the target web application responds to each string: a result whose status code, length or redirect differs from the rest usually marks a successful login or an input that is handled differently. This is a noisy test that can lock accounts and trigger alerts; run it only against the test sites above or with explicit permission.
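    To make the Intruder result table concrete, here is an added example (not part of the SAFETAG page, and not Burp's own code) that re-implements what a one-position Sniper attack does: it posts each candidate password into the pass parameter, records status code, response length and redirect target for each, and picks out the responses that differ from the baseline. The login handler, the valid credential and the password list are all constructed for this example so it runs offline against a local toy server.

```python
"""Added example: a minimal offline re-implementation of Burp Intruder's
Sniper attack against a constructed login form (not the SAFETAG page's or
Burp's own code)."""
import http.client
import threading
import urllib.parse
from collections import Counter, namedtuple
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed toy target: one valid credential, invented for this example.
VALID_EMAIL = "alice@example.org"
VALID_PASSWORD = "winter2019"

Result = namedtuple("Result", "payload status length location")


class ToyLoginHandler(BaseHTTPRequestHandler):
    """Answers POST /login.php like many CMS login forms: 302 to a dashboard
    on success, 200 with an error page otherwise. The two branches differ in
    status code, body length and Location header, which is exactly what an
    Intruder results table gets sorted on."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        email = form.get("email", [""])[0]
        password = form.get("pass", [""])[0]
        if email == VALID_EMAIL and password == VALID_PASSWORD:
            self.send_response(302)
            self.send_header("Location", "/dashboard.php")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html><body><p>Invalid email or password.</p></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_toy_server():
    """Serve the toy login form on a free localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), ToyLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def sniper_attack(host, port, email, payloads):
    """Send one POST per payload, substituting it into the 'pass' position
    only (Sniper attack type, one payload set), and record what Intruder
    records: status code, response length and redirect target. Redirects are
    not followed, because the 302 itself is the signal we are looking for."""
    results = []
    for payload in payloads:
        body = urllib.parse.urlencode({"email": email, "pass": payload})
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("POST", "/login.php", body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        data = resp.read()
        results.append(Result(payload, resp.status, len(data), resp.getheader("Location")))
        conn.close()
    return results


def find_outliers(results):
    """Mimic sorting the Intruder table by status/length: the most common
    (status, length) signature is the 'failed login' baseline, and anything
    else is worth a closer look."""
    if not results:
        return []
    signatures = Counter((r.status, r.length) for r in results)
    baseline, _ = signatures.most_common(1)[0]
    return [r.payload for r in results if (r.status, r.length) != baseline]


if __name__ == "__main__":
    server = start_toy_server()
    host, port = server.server_address
    wordlist = ["password", "123456", "winter2019", "letmein", "qwerty"]  # constructed
    attack = sniper_attack(host, port, VALID_EMAIL, wordlist)
    for r in attack:
        print(f"{r.payload:<12} {r.status} {r.length:>4} {r.location or ''}")
    print("candidates:", find_outliers(attack))
    server.shutdown()
```

    The baseline-versus-outlier comparison is the whole trick: a real application may answer every attempt with 200, and only the response length or a Set-Cookie header gives the success away, which is why Intruder exposes those columns rather than just the status code.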

    Further reading in Burp's Getting Started documentation:

    • Setting up your environment
    • Selecting a Project
    • Selecting a Configuration
    • Opening a Project From a Different Burp Installation
    • Display Settings
    • The Basics of Using Burp


    Variant: OWASP ZAP (Active)

    OWASP ZAP allows an auditor to quickly identify common web vulnerabilities using the OWASP framework, either by a relatively intense spidering of the website or through a more tailored use of the tool's proxy functionality.

    OWASP ZAP is a highly configurable tool for testing for common website vulnerabilities. In addition to supporting organizational change toward general best practices for websites, ZAP can expose more specific vulnerabilities that may warrant action above and beyond general best-practice work.

    For a website that can be expected to withstand a dedicated spidering of its content, the automated mode will dig through the site and expose common vulnerabilities. The tool itself is relatively easy to use.

    For more delicate sites, private sites, or other situations, ZAP can also proxy your web browser and test only the pages you click through.

    Quick Guide Setting up OWASP Zaproxy Scanner:

    1. Download the latest version of Zaproxy from: https://github.com/zaproxy/zaproxy/wiki/Downloads
    2. After installation, ZAP starts with its session management dialog, which offers the following choices:

      • Yes, I want to persist this session with name based on the current timestamp
      • Yes, I want to persist this session but I want to specify the name and location
      • No, I don't want to persist this session at this moment in time
      • Remember my choice and do not ask me again

    Note: By default, ZAP sessions are always recorded to disk in an HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP.

    ZAP User Interface:

    The ZAP user interface consists of the following elements:

    • Menu Bar - Provides access to many of the automated and manual tools
    • Toolbar - Includes buttons which provide easy access to the most commonly used features
    • Tree Window - Displays the Sites tree and the Scripts tree
    • Workspace Window - Displays requests, responses and scripts, and allows you to edit them
    • Information Window - Displays details of the automated and manual tools
    • Footer - Displays a summary of the alerts found and the status of the main automated tools

    Running Assessment:

    Before you can run an assessment in ZAP, configure your browser to use ZAP as its proxy. By default, ZAP listens on:

    Address: localhost Port: 8080

    Note: Burp Suite uses the same address and port by default. Close whichever of the two you are not using, or change the port in one of them, so that they do not compete for the listener.

    Because ZAP sits between your browser and the web application, HTTPS connections will fail certificate validation unless the browser trusts ZAP. ZAP terminates the TLS connection from the browser itself, presenting a certificate it generates for each host you visit and signs with its own root CA, and opens a separate TLS connection to the real site. This is what lets ZAP see the plaintext of requests and responses.

    To stop your browser from rejecting these generated certificates, import ZAP's root CA certificate and mark it as trusted. Once that is done, the per-host certificates signed by it are trusted as well.

    Treat the ZAP root CA as sensitive: anyone who obtains its private key can intercept HTTPS traffic from every browser that trusts it. Install it only in the browser profile used for testing, and remove it (or regenerate the CA in ZAP) when the assessment is over.

    1. Start ZAP and click Tools -> Options.
    2. On the left pane of the Options window, click Dynamic SSL Certificates.
    3. On the right pane, click Save.
    4. Select a location to save the certificate to and click Save. Be sure to retain the .cer file extension.

    To install the ZAP Root CA certificate as trusted root certificate for Windows/Chrome:

    1. Browse to the certificate file location.
    2. Right-click on the certificate file and then click Install Certificate.
    3. In the Certificate Import Wizard, select either Current User or Local Machine as the scope of the certificate, then click Next.
    4. Select Place all certificates in the following store.
    5. Click Browse and select Trusted Root Certificate Authorities or Trusted Root Certificates (depending on your version of Windows) as the certificate store, then click Next.
    6. Click Finish.
    7. Review the security warning about trusted root certificates and click Yes if the warning is accepted.

    To verify that the ZAP Root CA certificate is installed:

    1. Open Control Panel and click Internet Options.
    2. On the Content tab, in the Certificates section, click Certificates.
    3. On the Trusted Root Certificates tab, verify that the OWASP ZAP Root CA certificate is listed.

    If you are testing using Firefox, you need to install the ZAP Root CA certificate a second time into Firefox’s own certificate store.

    To install the ZAP Root CA for Mozilla Firefox:

    1. Start Firefox and click Preferences.
    2. On the Advanced tab, click the Encryption tab.
    3. Click View Certificates.
    4. On the Trusted root certificates tab, click Import and select the ZAP Root CA file you saved previously.
    5. In the Import wizard, select Trust this CA to identify web sites.
    6. Click OK.

    Additional OWASP ZAP references:


    Variant: Nikto Web Scanner (Active)

    Introduction

    Nikto comes with Kali Linux and is an easy tool to use for web vulnerability scanning. According to Nikto's main page:

    "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated"

    In Kali Linux you can launch Nikto either:

    1. from the menu: Applications > Web Application Analysis > Web Vulnerability Scanners > Nikto, or
    2. from a terminal: Applications > System > Root Terminal, then run the commands below.

    Using Nikto to Scan Web Application

    Nikto command, followed by what it does:

    nikto -Display V -h http://targetdomain.com
      Execute a simple scan. -Display controls what Nikto shows while running; V means verbose.

    nikto -Display V -o scan_result.html -Format html -h http://targetdomain.com
      Save Nikto's output to the file scan_result.html. Specify the output format with the -Format option (csv, html, msf, xml, txt).

    nikto -useproxy -h http://targetdomain.com
      Scan via a proxy. Edit Nikto's configuration file (nikto.conf, found under /etc on Kali) and set PROXYHOST=XXX.XXX.XXX.XXX and PROXYPORT=XXXX to the values of your proxy.

    nikto -Tuning [x]N -h http://targetdomain.com
      Tuning options control which tests Nikto runs against a target. Replace N with one or more of the option characters below; the optional x reverses the selection. The string is parsed from left to right, and an x applies to all characters to its right (include all tests except those). Note that Nikto numbers these options from 0. For example, "-Tuning 123b" runs only the Interesting File, Misconfiguration, Information Disclosure and Software Identification checks, and "-Tuning x68" runs everything except Denial of Service and Command Execution, which is the sensible starting point for a remote, minimal-impact assessment.
        0 - File Upload
        1 - Interesting File / Seen in logs
        2 - Misconfiguration / Default File
        3 - Information Disclosure
        4 - Injection (XSS/Script/HTML)
        5 - Remote File Retrieval - Inside Web Root
        6 - Denial of Service
        7 - Remote File Retrieval - Server Wide
        8 - Command Execution / Remote Shell
        9 - SQL Injection
        a - Authentication Bypass
        b - Software Identification
        c - Remote Source Inclusion
        x - Reverse Tuning Options (i.e., include all except specified)
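    The tuning string is short but easy to get wrong, and getting it wrong on a live site means running denial-of-service or command-execution probes the organization never agreed to. The following is an added example (not part of the SAFETAG page, and not Nikto's own code) that parses a -Tuning value under the rule quoted above and reports which enabled classes are disruptive. The category table mirrors the list above; the set of classes treated as disruptive is this editor's judgement and should be adjusted to the agreed scope. Nikto's own parser remains the authority for corner cases such as several x characters.

```python
"""Added example: parse a Nikto -Tuning string under the documented
left-to-right rule and flag disruptive test classes (not Nikto's own code)."""

# Tuning characters as listed by Nikto's help output and on this page.
TUNING = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote Source Inclusion",
}

# Classes that can disrupt a production site or change its state. This is an
# editorial assumption for the example, not a Nikto category; adjust it to
# whatever the organization has agreed to.
DISRUPTIVE = {"0", "6", "8"}


def parse_tuning(tuning):
    """Return the set of enabled tuning characters.

    Characters before an x are added to the selection. An x switches to
    "everything except" mode: the full set is enabled and every character
    after the x is removed from it. An empty string means no -Tuning was
    given, which Nikto treats as all test classes."""
    if not tuning:
        return set(TUNING)
    enabled, reverse = set(), False
    for ch in tuning:
        if ch == "x":
            enabled, reverse = enabled | set(TUNING), True
            continue
        if ch not in TUNING:
            raise ValueError(f"unknown tuning option {ch!r}")
        if reverse:
            enabled.discard(ch)
        else:
            enabled.add(ch)
    return enabled


def disruptive_tests(tuning):
    """Names of the enabled test classes that should not run against a live
    site without explicit agreement."""
    return sorted(TUNING[c] for c in parse_tuning(tuning) & DISRUPTIVE)


def safe_tuning():
    """Build the -Tuning value that excludes every disruptive class."""
    return "x" + "".join(sorted(DISRUPTIVE))


if __name__ == "__main__":
    for t in ["", "123b", "x68", safe_tuning()]:
        print(f"-Tuning {t or '(none)':<8} enables {len(parse_tuning(t)):2} classes; "
              f"disruptive: {disruptive_tests(t) or 'none'}")
```

    Running the script with no tuning value shows the point of the exercise: a bare nikto -h target enables all thirteen classes, including the three flagged as disruptive, so a remote SAFETAG assessment should always pass an explicit -Tuning.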


    Variant: Reputation and Phishing Domain Checks

    Search for domains that impersonate the spelling or appearance of the organization's name or website. Such look-alike domains can be used in phishing campaigns to convince a victim that they are interacting with the legitimate site; they can also host malware or spread disinformation that damages the organization's reputation.

    Generate and check look-alike permutations of the organization's existing domain name with the command-line utility dnstwist, or use the hosted version of the tool at https://dnstwist.it/. Pay most attention to permutations that are already registered, and especially to those with mail (MX) records, since those can be used to send or receive mail in the organization's name.
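    To show what "impersonating the spelling" covers in practice, here is an added example (not part of the SAFETAG page, and not dnstwist's own code) that generates the main families of look-alike domains dnstwist enumerates: character omission, repetition, transposition, homoglyph substitution, bitsquatting, subdomain splitting and suffix swaps. It assumes a two-part name (label.suffix), uses a deliberately small homoglyph table, and only generates candidates; the optional registered() helper resolves them and needs network access. The input domain example.org is a constructed placeholder.

```python
"""Added example: generate dnstwist-style look-alike domains for a name
(not dnstwist's own code; assumes a two-part label.suffix name)."""
import socket

# A few visually confusable substitutions; dnstwist's own table is far larger.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "g": ["q"], "m": ["rn"], "w": ["vv"],
}
SUFFIX_SWAPS = ["com", "net", "org", "info", "co"]


def _valid_label(label):
    """Hostname-label rules: ASCII letters, digits and hyphens, no edge hyphens."""
    return (bool(label) and label.isascii() and not label.startswith("-")
            and not label.endswith("-") and all(c.isalnum() or c == "-" for c in label))


def permutations(domain):
    """Return a sorted list of candidate look-alike domains (original excluded)."""
    label, _, suffix = domain.lower().partition(".")
    variants = set()
    n = len(label)
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                    # omission:      xample
        variants.add(label[:i] + ch + label[i:])                   # repetition:    eexample
        if i < n - 1:                                              # transposition: xeample
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for glyph in HOMOGLYPHS.get(ch, []):                       # homoglyph:     3xample
            variants.add(label[:i] + glyph + label[i + 1:])
        for bit in range(8):                                       # bitsquatting:  dxample
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            if flipped.isascii() and (flipped.isalnum() or flipped == "-"):
                variants.add(label[:i] + flipped + label[i + 1:])
    candidates = {f"{v}.{suffix}" for v in variants if _valid_label(v)}
    candidates |= {f"{label[:i]}.{label[i:]}.{suffix}" for i in range(1, n)}  # subdomain: exa.mple
    candidates |= {f"{label}.{s}" for s in SUFFIX_SWAPS}                      # suffix swap: example.net
    candidates.discard(domain.lower())
    return sorted(candidates)


def registered(candidates):
    """Resolve each candidate (network access required) and return the ones
    that have an address record: these are the domains worth examining for
    phishing pages, mail records or malware."""
    found = []
    for name in candidates:
        try:
            found.append((name, socket.gethostbyname(name)))
        except socket.gaierror:
            pass
    return found


if __name__ == "__main__":
    cands = permutations("example.org")  # constructed input
    print(len(cands), "candidates, for example:", cands[:8])
```

    Bitsquatting deserves the extra explanation: the candidates it produces (dxample.org, gxample.org) look like nonsense rather than typos, but a single flipped bit in a client's memory or a cache turns a request for the real name into a request for them, which is why dnstwist includes them.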


Recommendation

    Core recommendations are to always use well-supported, open source tools, and to minimize the use of interactive sites if they are not actually necessary. Removing unused tools, demos and default systems is highly encouraged.

    For interactive sites, content management systems and other frameworks, make sure the site is actively maintained, updated regularly to the latest software and security patches, and that user permissions are reviewed periodically.

    Many automated scanning and reporting tools rate the security problems they find with differing levels of severity (https://code.google.com/p/zaproxy/wiki/HelpStartConceptsAlerts). Make special note of "High" severity issues, and research each vulnerability and the recommendations suggested before reporting it, since automated scanners also produce false positives.