Web app penetration testing in Kali

Exclusive offer: get 50% off this eBook here
Instant Kali Linux [Instant]

Instant Kali Linux [Instant] — Save 50%

A quick guide to learn the most widely-used operating system by network security professionals with this book and ebook

£7.99    £4.00
by Abhinav Singh | October 2013 | Networking & Telephony

In this article by Abhinav Singh, author of the book, Instant kali Linux, we will cover web app penetration testing in Kali.

(For more resources related to this topic, see here.)

Web apps are now a major part of today's World Wide Web. Keeping them safe and secure is the prime focus of webmasters. Building web apps from scratch can be a tedious task, and there can be small bugs in the code that can lead to a security breach. This is where web apps jump in and help you secure your application. Web app penetration testing can be implemented at various fronts such as the frontend interface, database, and web server. Let us leverage the power of some of the important tools of Kali that can be helpful during web app penetration testing.

WebScarab proxy

WebScarab is an HTTP and HTTPS proxy interceptor framework that allows the user to review and modify the requests created by the browser before they are sent to the server. Similarly, the responses received from the server can be modified before they are reflected in the browser. The new version of WebScarab has many more advanced features such as XSS/CSRF detection, Session ID analysis, and Fuzzing. Follow these three steps to get started with WebScarab:

  1. To launch WebScarab, browse to Applications | Kali Linux | Web applications | Web application proxies | WebScarab.
  2. Once the application is loaded, you will have to change your browser's network settings. Set the proxy settings for IP as 127.0.0.1 and Port as 8008:

  3. Save the settings and go back to the WebScarab GUI. Click on the Proxy tab and check Intercept request. Make sure that both GET and POST requests are highlighted on the left-hand side panel. To intercept the response, check Intercept responses to begin reviewing the responses coming from the server.

Attacking the database using sqlninja

sqlninja is a popular tool used to test SQL injection vulnerabilities in Microsoft SQL servers. Databases are an integral part of web apps hence, even a single flaw in it can lead to mass compromising of information. Let us see how sqlninja can be used for database penetration testing.

To launch SQL ninja, browse to Applications | Kali Linux | Web applications | Database Exploitation | sqlninja.

This will launch the terminal window with sqlninja parameters. The important parameter to look for is either the mode parameter or the –m parameter:

The –m parameter specifies the type of operation we want to perform over the target database.Let us pass a basic command and analyze the output:

root@kali:~#sqlninja –m test Sqlninja rel. 0.2.3-r1 Copyright (C) 2006-2008 icesurfer [-] sqlninja.conf does not exist. You want to create it now ? [y/n]

This will prompt you to set up your configuration file (sqlninja.conf). You can pass the respective values and create the config file. Once you are through with it, you are ready to perform database penetration testing.

The Websploit framework

Websploit is an open source framework designed for vulnerability analysis and penetration testing of web applications. It is very much similar to Metasploit and incorporates many of its plugins to add functionalities.

To launch Websploit, browse to Applications | Kali Linux | Web Applications | Web Application Fuzzers | Websploit.

We can begin by updating the framework. Passing the update command at the terminal will begin the updating process as follows:

wsf>update [*]Updating Websploit framework, Please Wait…

Once the update is over, you can check out the available modules by passing the following command:

wsf>show modules

Let us launch a simple directory scanner module against www.target.com as follows:

wsf>use web/dir_scanner wsf:Dir_Scanner>show options wsf:Dir_Scanner>set TARGET www.target.com wsf:Dir_Scanner>run

Once the run command is executed, Websploit will launch the attack module and display the result. Similarly, we can use other modules based on the requirements of our scenarios.

Summary

In this article, we covered the following sections:

  • WebScarab proxy
  • Attacking the database using sqlninja
  • The Websploit framework

Resources for Article:


Further resources on this subject:


Instant Kali Linux [Instant] A quick guide to learn the most widely-used operating system by network security professionals with this book and ebook
Published: October 2013
eBook Price: £7.99
See more
Select your format and quantity:

About the Author :


Abhinav Singh

Abhinav Singh is a young Information Security specialist from India. He has a keen interest in the field of hacking and network security and has adopted it as his full-time profession. He is also the author of Metasploit Penetration Testing Cookbook, Packt Publishing. He is an active contributor to the SecurityXploded community.

Abhinav's works have been quoted in several security and technology magazines and portals.

Books From Packt


 Linux Utilities Cookbook
Linux Utilities Cookbook

Linux Shell Scripting Cookbook, Second Edition
Linux Shell Scripting Cookbook, Second Edition

CentOS 6 Linux Server Cookbook
CentOS 6 Linux Server Cookbook

Linux Email
Linux Email

Linux Mint System Administrator’s Beginner's Guide
Linux Mint System Administrator’s Beginner's Guide

Scalix: Linux Administrator's Guide
Scalix: Linux Administrator's Guide

 Web Penetration Testing with Kali Linux
Web Penetration Testing with Kali Linux

 Linux Thin Client Networks Design and Deployment
Linux Thin Client Networks Design and Deployment


Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software