Web application penetration testing methodology
Web application penetration testing is generally divided into three stages: information gathering, vulnerability scanning, and exploitation. Here I describe what needs to be done in each stage.
"DSC05476" by dfarrell07 is licensed under CC BY-SA 2.0
Information gathering
In the information-gathering phase we collect as much information about the target web application as possible: the scripting language, the server type, the directory structure, the open-source software in use, the database type, all links on its pages, the framework, and so on.
The type of scripting language
Common scripting languages include PHP, ASP, ASPX, JSP and so on.
Test Methods
- Crawl all links on the site and look at the file suffixes
- Request a non-existent page with each candidate suffix and compare the error responses
- Read robots.txt and note the suffixes of the paths it lists
The type of server
Common web servers include Apache, Tomcat, IIS, Nginx and so on.
Test Methods
- View the response headers (the Server header in particular) to determine the server type
- Judge from the error pages the server returns
- Judge from the server's default page
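The two checks above (link suffixes for the scripting language, headers and page text for the server) can be automated against a captured response. The script below is an added example for this article, not the author's code: the suffix and signature tables are illustrative assumptions, and the sample response at the bottom is constructed. A defender can run the same script against their own site to see exactly what it discloses.

```python
"""Passive fingerprinting from a single HTTP response.

Added example for this article, not the author's code. It infers the likely
server-side scripting language from the suffixes of links in the page body
(and an X-Powered-By header if present) and the web server type from the
Server header, error text or default-page text. All mappings below are
illustrative assumptions, not a complete signature database; the sample
response at the bottom is constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed suffix -> scripting technology mapping.
SUFFIX_TO_LANGUAGE = {".php": "PHP", ".asp": "ASP", ".aspx": "ASP.NET", ".jsp": "JSP"}

# Assumed substrings of the Server header -> canonical server name.
# "apache-coyote" is listed before "apache" so Tomcat is not reported as Apache.
SERVER_SIGNATURES = [("microsoft-iis", "IIS"), ("apache-coyote", "Tomcat"),
                     ("apache", "Apache"), ("nginx", "Nginx")]

# Assumed markers found on default or error pages when Server is absent.
PAGE_MARKERS = [("apache tomcat", "Tomcat"), ("welcome to nginx", "Nginx"),
                ("it works!", "Apache"), ("internet information services", "IIS")]


class LinkCollector(HTMLParser):
    """Collects href, src and action attribute values from the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def parse_headers(raw):
    """Turn a raw HTTP header block into a dict with lowercase keys."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def link_suffixes(html):
    """Count the file suffixes of all links in the page body."""
    collector = LinkCollector()
    collector.feed(html)
    counts = Counter()
    for link in collector.links:
        path = urlsplit(link).path
        dot = path.rfind(".")
        if dot != -1 and "/" not in path[dot:]:  # only the last segment counts
            counts[path[dot:].lower()] += 1
    return counts


def guess_language(html, raw_headers=""):
    """Score scripting languages by link suffixes, plus X-Powered-By if set."""
    scores = Counter()
    for suffix, n in link_suffixes(html).items():
        lang = SUFFIX_TO_LANGUAGE.get(suffix)
        if lang:
            scores[lang] += n
    powered = parse_headers(raw_headers).get("x-powered-by", "").lower()
    for lang in set(SUFFIX_TO_LANGUAGE.values()):
        if lang.lower() in powered:
            scores[lang] += 2  # an explicit header outweighs a single link
    return scores.most_common(1)[0][0] if scores else None


def guess_server(raw_headers, body=""):
    """Return (server_name, evidence) or (None, None)."""
    server = parse_headers(raw_headers).get("server", "").lower()
    for needle, name in SERVER_SIGNATURES:
        if needle in server:
            return name, "Server header"
    lowered = body.lower()
    for needle, name in PAGE_MARKERS:
        if needle in lowered:
            return name, "page text"
    return None, None


# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP\r\n"
                  "Content-Type: text/html\r\n")
SAMPLE_BODY = ('<html><body><a href="/index.php">Home</a>'
               '<a href="/user/login.php?next=1">Login</a>'
               '<form action="/search.php"></form>'
               '<script src="/static/app.js"></script>'
               '<img src="/logo.png"></body></html>')

if __name__ == "__main__":
    print("language:", guess_language(SAMPLE_BODY, SAMPLE_HEADERS))
    print("server:", guess_server(SAMPLE_HEADERS, SAMPLE_BODY))
```

On the constructed sample the script reports PHP (three `.php` links plus the X-Powered-By header) and Apache from the Server header; with no Server header it falls back to the page markers. Removing or blanking the Server and X-Powered-By headers and replacing default error pages is the corresponding hardening step.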
The directory structure
The more directories you know about, the more weaknesses you may find, such as directory listing, source code leakage and so on.
Test Methods
- Use a dictionary to enumerate directories
- Use a crawler to crawl the entire site, or use a search engine such as Google to collect its paths
- Check whether robots.txt exists and which paths it lists
Open-source software in use
If we know the target uses a particular piece of open-source software, we can look up the known vulnerabilities for that software and test the site for them directly.
Test Methods
- Fingerprinting (many open-source fingerprinting tools are available online)
Database type
There are different test methods for different databases.
Test Methods
- Trigger an application error and read the error message
- Scan the server's database ports
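The first method works because verbose errors usually name the engine that produced them. The script below is an added example for this article, not the author's code: it maps error strings to the database engine and scans a set of responses for pages that leak one. The patterns are illustrative, not exhaustive, and the responses are constructed. A defender can run the same scan over their own responses or logs to find pages that need a generic error handler.

```python
"""Inferring the database engine from verbose error text.

Added example for this article, not the author's code. The patterns map
error strings that applications commonly leak to the engine that produced
them; they are illustrative, not exhaustive. The sample responses are
constructed.
"""
import re

DB_ERROR_PATTERNS = {
    "MySQL": [r"You have an error in your SQL syntax", r"mysql_fetch_",
              r"MySQL server version"],
    "MSSQL": [r"Unclosed quotation mark", r"OLE DB Provider for SQL Server",
              r"\[SQL Server\]"],
    "Oracle": [r"\bORA-\d{5}\b", r"Oracle error"],
    "PostgreSQL": [r"PSQLException", r"pg_query\(", r"PostgreSQL.*ERROR"],
    "SQLite": [r"sqlite3\.OperationalError", r"SQLite3::", r"SQLITE_ERROR"],
}

COMPILED = {db: [re.compile(p, re.IGNORECASE) for p in pats]
            for db, pats in DB_ERROR_PATTERNS.items()}


def classify_error(text):
    """Return (engine, matched_pattern) for the first pattern found, else (None, None)."""
    for db, patterns in COMPILED.items():
        for pattern in patterns:
            if pattern.search(text):
                return db, pattern.pattern
    return None, None


def scan_responses(responses):
    """responses: iterable of (url, body). Returns [(url, engine)] for leaky pages."""
    findings = []
    for url, body in responses:
        engine, _ = classify_error(body)
        if engine:
            findings.append((url, engine))
    return findings


# Constructed responses: one clean page and three that leak their backend.
SAMPLE_RESPONSES = [
    ("/item?id=1", "<h1>Product 1</h1><p>In stock</p>"),
    ("/item?id=abc", "Warning: mysql_fetch_array() expects parameter 1 to be resource. "
                     "You have an error in your SQL syntax; check the manual"),
    ("/report", "Microsoft OLE DB Provider for SQL Server error '80040e14' "
                "Unclosed quotation mark after the character string"),
    ("/legacy/search", "java.sql.SQLException: ORA-00933: SQL command not properly ended"),
]

if __name__ == "__main__":
    for url, engine in scan_responses(SAMPLE_RESPONSES):
        print(f"{url}: leaks {engine} error text")
```

The same pattern table is useful as a detection rule: a response body matching any of these strings on a production site is a sign that raw database errors are reaching users.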
All links on the pages
This is similar to collecting the directory structure above, but the aim here is not only to find all the feature pages of the site; sometimes it also turns up source code backups left behind by the administrator.
Test Methods
- Use a dictionary to enumerate pages
- Use a crawler to crawl the entire site, or use a search engine such as Google to collect its pages
- Check whether robots.txt exists and which paths it lists
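Both of the last two sections end with the same two inputs: the set of URLs a crawler or search engine returns, and robots.txt. The script below is an added example for this article, not the author's code. It rebuilds the directory tree those URLs imply, parses robots.txt for Disallow entries, and reports paths that robots.txt names but no link reaches, together with directory names that suggest backups or admin areas. The URL list, robots.txt body and keyword list are constructed assumptions.

```python
"""Directory structure from collected URLs plus robots.txt review.

Added example for this article, not the author's code. The URL list,
robots.txt body and keyword list below are constructed assumptions.
"""
from urllib.parse import urlsplit

# Assumed keywords that make a directory worth a closer look.
SUSPICIOUS_WORDS = ("backup", "bak", "admin", "upload", "temp", ".git", ".svn")


def directories_from_urls(urls):
    """Return the sorted directory prefixes implied by the URL paths."""
    dirs = set()
    for url in urls:
        parts = [p for p in urlsplit(url).path.split("/") if p]
        if parts and "." in parts[-1]:  # a last segment with a suffix is a file
            parts = parts[:-1]
        for i in range(1, len(parts) + 1):
            dirs.add("/" + "/".join(parts[:i]) + "/")
    return sorted(dirs)


def parse_robots(text):
    """Return {user_agent: [disallowed paths]}; consecutive User-agent lines share rules."""
    rules = {}
    agents = []
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:  # a blank line ends the current group
            previous_was_agent = False
            continue
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not previous_was_agent:
                agents = []  # a new group starts
            agents.append(value)
            rules.setdefault(value, [])
            previous_was_agent = True
        else:
            previous_was_agent = False
            if field == "disallow" and value:
                for agent in agents:
                    rules[agent].append(value)
    return rules


def review(urls, robots_text):
    """Combine both sources into a short review report."""
    dirs = directories_from_urls(urls)
    disallowed = {p for paths in parse_robots(robots_text).values() for p in paths}
    hidden_by_robots = sorted(p for p in disallowed if p not in dirs)
    flagged = sorted(d for d in set(dirs) | disallowed
                     if any(word in d.lower() for word in SUSPICIOUS_WORDS))
    return {"directories": dirs, "hidden_by_robots": hidden_by_robots, "flagged": flagged}


# Constructed inputs (not from any real site).
SAMPLE_URLS = [
    "https://example.test/",
    "https://example.test/index.php",
    "https://example.test/news/2020/item.php?id=7",
    "https://example.test/static/css/site.css",
    "https://example.test/uploads/",
]
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /uploads/

User-agent: ExampleBot
Disallow: /private/   # constructed entry
"""

if __name__ == "__main__":
    for key, value in review(SAMPLE_URLS, SAMPLE_ROBOTS).items():
        print(key, value)
```

The "hidden_by_robots" list is the interesting one for both sides: those paths are not linked anywhere, yet robots.txt advertises them. Access control on such paths should not rely on them being unlisted.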
Framework in use
Many sites are built on an open-source framework for rapid development, so collecting information about the site's framework is also very important.
Test Methods
- Fingerprinting (many open-source fingerprinting tools are available online)
Vulnerability Scanning
At this stage we want to prescribe the right medicine rather than scan blindly: first determine whether the target application is open-source software or built on an open-source framework, and only then run a deep vulnerability scan.
Categories of open-source components
Open-source software
Common open-source software: WordPress, phpBB and so on
Open-source framework
Common open-source frameworks: Struts2, Spring MVC, ThinkPHP and so on
Middleware server
Common middleware servers: JBoss, Tomcat, WebLogic and so on
Database services
Common database services: MSSQL, MySQL, Oracle, Redis, Sybase, MongoDB, DB2, etc.
Testing methods for open-source software
- Use fingerprinting to determine the version of the open-source software, then look that version up in a public vulnerability database and test for the corresponding vulnerabilities
- For default admin login pages, database service ports and other authenticated entry points, simple brute-force attempts and default passwords can be tried
- Use open-source vulnerability discovery tools to scan it, such as WPScan
Independently developed applications
Manual test
At this stage we manually test every function that interacts with the user, such as messaging, login, ordering, logout, returns, payment and other operations.
Software scanning
Use free scanning software, such as AppScan, HP WebInspect, Netsparker, Burp Suite and so on.
Exploit
This is the final stage of web penetration testing. Different vulnerabilities are exploited in different ways, so this stage requires the widest range of knowledge. In general it includes two approaches: manual testing and tool-based testing.
Manual test
This approach is needed when the target has special filtering or other custom handling in place, or when no ready-made tool for the case exists yet. Experienced testers can write their own tools instead of working by hand, since manual work is tiring. Sometimes it can be combined with server configuration problems to raise the success rate.
Tool testing
There are many free tools available online, such as SQLmap for SQL injection and Metasploit for software vulnerabilities.