I read a question recently on LinkedIn asking what tools penetration testers used for web application testing and felt that it was probably a question that merited more than the few sentences I put down as an answer. The following tools are for web application testing. This is by no means a complete list, but these are some common tools that are useful and anyone interested in penetration testing should look into understanding.
When we talk about website penetration testing most people think of scanners like Nessus or Acunetix's scanner. While these have some merit and I have seen them provide useful information, the best method in my opinion is to test by hand. This does not mean using no tools at all, but rather not relying on these automated scanners. The following is a list of tools and plug-ins that I find useful. All of the following tools are add-ons for Firefox 2, an appropriate platform for web application testing.
LiveHTTPHeaders – This is a great tool for grabbing the headers and banners that a server sends back in its responses. Data such as the operating system and Apache version can be found, as well as a comprehensive list of ALL data that is transferred to your browser at request time.
User Agent Switcher – Normally changing your user agent doesn't help with penetration testing much, since few sites require you to be using a specific browser or operating system as part of authentication; however, by using Googlebot's user agent, sites tuned for search engine optimization sometimes open their doors for you. If the designer or developer allowed restricted pages to be indexed by Googlebot (I don't know why they do this, but they do), we can now access them.
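To show what to look for in the headers LiveHTTPHeaders captures, here is a small added example (written for this post, not part of the add-on or any real server's output) that parses a constructed raw HTTP response and flags every product/version string disclosed in banner headers. The sample responses and the list of banner headers it inspects are assumptions for illustration; the same check is useful when auditing your own servers to confirm the banners have been trimmed.

```python
import re

# Constructed sample response, not captured from any real server: the kind of
# text LiveHTTPHeaders shows for a single request/response pair.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2007 12:00:00 GMT\r\n"
    "Server: Apache/2.0.52 (Red Hat) mod_ssl/2.0.52 OpenSSL/0.9.7a PHP/4.3.9\r\n"
    "X-Powered-By: PHP/4.3.9\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed response from a server whose banners have been trimmed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers that commonly carry software names and version numbers (assumed list).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# Matches "Product/1.2.3" style tokens, including suffixes such as "0.9.7a".
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)+[A-Za-z0-9]*)")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {lowercase name: value}).

    Repeated header names are joined with ", " so nothing is silently dropped.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the audit
        key = name.strip().lower()
        value = value.strip()
        headers[key] = value if key not in headers else headers[key] + ", " + value
    return status, headers


def find_version_disclosures(headers):
    """Return (header, product, version) for every versioned token in a banner header."""
    found = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        for product, version in VERSION_RE.findall(value):
            found.append((name, product, version))
    return found


def audit_response(raw):
    """Summarise a response: its status line, disclosures, and whether it is clean."""
    status, headers = parse_headers(raw)
    disclosures = find_version_disclosures(headers)
    return {
        "status": status,
        "disclosures": disclosures,
        "hardened": not disclosures,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit_response(raw)
        print(label, report["status"], "hardened" if report["hardened"] else "leaks:")
        for header, product, version in report["disclosures"]:
            print("  %s discloses %s %s" % (header, product, version))
```

On Apache the disclosures above are removed with `ServerTokens Prod` and `ServerSignature Off`, and the `X-Powered-By` line with `expose_php = Off` in php.ini; re-running the audit against the trimmed server should then report it as hardened.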
RefControl – Another great add-on. This allows you to customize the referrer you send. Many sites check this to make sure that you are sending data from an allowed page and RefControl can be used to forge this. This is useful when you want to send data from your own web-app to another (for fuzzing) or if you are trying to access another zone of the site without the correct credentials from the previous zone.
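The two add-ons above work for the same reason: User-Agent and Referer are chosen by the client, so a server that makes access decisions on them is trusting whatever the browser (or User Agent Switcher, or RefControl) says. The added example below is written for this post and is not any real site's code; it puts the weak check beside one that ignores those headers and authorizes only from a server-side session, using constructed request headers and a constructed session store. It is the kind of check worth hunting for when reviewing your own application.

```python
# Assumed values for illustration only.
TRUSTED_BOT_UA = "Googlebot"
ALLOWED_REFERER_PREFIX = "http://www.example.com/members/"


def weak_is_allowed(headers):
    """The anti-pattern described above: the decision rests entirely on
    headers the client controls, so sending the expected values is enough."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if TRUSTED_BOT_UA in ua:
        return True  # "let the crawler index it"
    return referer.startswith(ALLOWED_REFERER_PREFIX)


# Constructed server-side session store: session id -> account record.
SESSIONS = {
    "s3ssion-abc": {"user": "alice", "roles": {"member"}},
    "s3ssion-xyz": {"user": "bob", "roles": {"guest"}},
}


def parse_cookie(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; malformed pairs are skipped."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def hardened_is_allowed(headers, sessions=SESSIONS):
    """Authorize from server-side state only: a valid session that carries the
    'member' role. User-Agent and Referer play no part in the decision."""
    cookies = parse_cookie(headers.get("Cookie", ""))
    session = sessions.get(cookies.get("SID", ""))
    return session is not None and "member" in session["roles"]


# Constructed requests, as a browser (or an add-on) might send them.
CRAWLER_REQUEST = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"}
REFERER_REQUEST = {"User-Agent": "Mozilla/5.0", "Referer": ALLOWED_REFERER_PREFIX + "index.php"}
MEMBER_REQUEST = {"User-Agent": "Mozilla/5.0", "Cookie": "SID=s3ssion-abc; theme=dark"}
GUEST_REQUEST = {"User-Agent": "Mozilla/5.0", "Cookie": "SID=s3ssion-xyz"}


if __name__ == "__main__":
    for label, req in (("crawler", CRAWLER_REQUEST), ("referer", REFERER_REQUEST),
                       ("member", MEMBER_REQUEST), ("guest", GUEST_REQUEST)):
        print("%-8s weak=%-5s hardened=%s" % (label, weak_is_allowed(req), hardened_is_allowed(req)))
```

The weak check admits the first two requests although neither carries a session; the hardened check admits only the logged-in member, and the crawler gets the same answer as any other anonymous client.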
Beyond these Firefox add-ons I have a few more tricks up my sleeve. The following are not necessarily tools for penetration testing, but they can lead to extra information.
http://www.myipneighbors.com/ – This is a great site that allows you to easily see what other sites sit on the same IP address. This is useful for testing sites on shared hosts where a cross-server hack is possible. This widens your range of vulnerabilities from one site to many. (In some cases I've seen IP addresses with upwards of 700 sites on them.) The site even provides an iframe so that you can briefly browse the sites and see which look most likely to be useful.
nmap – Most of you are probably asking why a port scanner is on this list, but the fact that nmap can easily determine what version of Apache is running makes it useful. If you were unable to capture the banner from a request before, nmap is your next option. You may even be able to find out versions of MySQL and what operating system is being used. These can be useful for exploits inherent in the background processes of the site.
Finally, I will talk a brief bit about some automated tools that I use for fuzzing and quick scans. Normally if I run these, I set them and forget them until I've burned myself out, and check them only later.
Nessus – This is a great tool for scanning even beyond web applications, but with the features for SQL injection, cross-site scripting, and I believe now even remote and local file inclusion vulnerabilities, it can provide useful information. If you are doing more than simple web application scanning Nessus can provide even more information. Rather than just giving you a listing of ports and services like nmap, Nessus provides information on WHY these are dangerous and how they can be both exploited and fixed. This is great for testing your own network.
Acunetix's scanner – This scanner will basically fuzz all inputs for cross-site scripting holes and report back to you on which, if any, were successful. I have had only moderate success with it, but again as a "set it and forget it" tool while you work by hand it can be useful.