Home Security Penetration Testing Web app penetration testing in Kali

Web app penetration testing in Kali

October 30, 2013 - 12:00 am

5581

3 min read

(For more resources related to this topic, see here.)

Web apps are now a major part of today’s World Wide Web. Keeping them safe and secure is the prime focus of webmasters. Building web apps from scratch can be a tedious task, and there can be small bugs in the code that can lead to a security breach. This is where web apps jump in and help you secure your application. Web app penetration testing can be implemented at various fronts such as the frontend interface, database, and web server. Let us leverage the power of some of the important tools of Kali that can be helpful during web app penetration testing.

WebScarab proxy

WebScarab is an HTTP and HTTPS proxy interceptor framework that allows the user to review and modify the requests created by the browser before they are sent to the server. Similarly, the responses received from the server can be modified before they are reflected in the browser. The new version of WebScarab has many more advanced features such as XSS/CSRF detection, Session ID analysis, and Fuzzing. Follow these three steps to get started with WebScarab:

To launch WebScarab, browse to Applications | Kali Linux | Web applications | Web application proxies | WebScarab.
Once the application is loaded, you will have to change your browser’s network settings. Set the proxy settings for IP as 127.0.0.1 and Port as 8008:
Save the settings and go back to the WebScarab GUI. Click on the Proxy tab and check Intercept request. Make sure that both GET and POST requests are highlighted on the left-hand side panel. To intercept the response, check Intercept responses to begin reviewing the responses coming from the server.

Attacking the database using sqlninja

sqlninja is a popular tool used to test SQL injection vulnerabilities in Microsoft SQL servers. Databases are an integral part of web apps hence, even a single flaw in it can lead to mass compromising of information. Let us see how sqlninja can be used for database penetration testing.

To launch SQL ninja, browse to Applications | Kali Linux | Web applications | Database Exploitation | sqlninja.

This will launch the terminal window with sqlninja parameters. The important parameter to look for is either the mode parameter or the –m parameter:

Instant kali Linux

The –m parameter specifies the type of operation we want to perform over the target database.Let us pass a basic command and analyze the output:

root@kali:~#sqlninja –m test
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer
[-] sqlninja.conf does not exist. You want to create it now ? [y/n]

This will prompt you to set up your configuration file (sqlninja.conf). You can pass the respective values and create the config file. Once you are through with it, you are ready to perform database penetration testing.

The Websploit framework

Websploit is an open source framework designed for vulnerability analysis and penetration testing of web applications. It is very much similar to Metasploit and incorporates many of its plugins to add functionalities.

To launch Websploit, browse to Applications | Kali Linux | Web Applications | Web Application Fuzzers | Websploit.

Instant kali Linux

We can begin by updating the framework. Passing the update command at the terminal will begin the updating process as follows:

wsf>update
[*]Updating Websploit framework, Please Wait…

Once the update is over, you can check out the available modules by passing the following command:

wsf>show modules

Let us launch a simple directory scanner module against www.target.com as follows:

wsf>use web/dir_scanner
wsf:Dir_Scanner>show options
wsf:Dir_Scanner>set TARGET www.target.com
wsf:Dir_Scanner>run

Instant kali Linux

Once the run command is executed, Websploit will launch the attack module and display the result. Similarly, we can use other modules based on the requirements of our scenarios.

Summary

In this article, we covered the following sections:

WebScarab proxy
Attacking the database using sqlninja
The Websploit framework

Resources for Article:

Further resources on this subject:

Installing VirtualBox on Linux [Article]
Linux Shell Script: Tips and Tricks [Article]
Installing Arch Linux using the official ISO [Article]

Top 6 Cybersecurity Books from Packt to Accelerate Your Career

Your Quick Introduction to Extended Events in Analysis Services from Blog…

Logging the history of my past SQL Saturday presentations from Blog…

Storage savings with Table Compression from Blog Posts – SQLServerCentral

Daily Coping 31 Dec 2020 from Blog Posts – SQLServerCentral

Learning Essential Linux Commands for Navigating the Shell Effectively

Exploring the Strategy Behavioral Design Pattern in Node.js

How to integrate a Medium editor in Angular 8

Implementing memory management with Golang’s garbage collector

How to create sales analysis app in Qlik Sense using DAR…

Web app penetration testing in Kali

WebScarab proxy

Attacking the database using sqlninja

The Websploit framework

Summary

Resources for Article:

LEAVE A REPLY Cancel reply

Must Read in Security

Top 6 Cybersecurity Books from Packt to Accelerate Your Career

Win-KeX Version 2.0 from Kali Linux

Kali Linux 2020.3 Release (ZSH, Win-Kex, HiDPI & Bluetooth Arsenal) from...

Interviews

Learn Transformers for Natural Language Processing with Denis Rothman

Clean Coding in Python with Mariano Anaya

Bringing AI to the B2B world: Catching up with Sidetrade CTO Mark Sheldon [Interview]

On Adobe InDesign 2020, graphic designing industry direction and more: Iman Ahmed, an Adobe Certified Partner and Instructor [Interview]

Is DevOps experiencing an identity crisis? [Interview]

MobilePro

datapro

Programming

Subscribe to our newsletter