Web Vulnerability Assessment
Introduction
In this blog post, we will learn web vulnerability assessment (VA): finding weaknesses in a target web application that can later be exploited. We will discuss the usage of some software tools that perform web assessment.
Nikto
Nikto examines a web server to find potential problems and security vulnerabilities, including:
- Server and software misconfigurations
- Default files and programs
- Insecure files and programs
- Outdated servers and programs
# nikto -help
Run a scan against the target website (-ssl forces SSL/TLS mode, for HTTPS targets):
# nikto -h www.victim.com -ssl
This returns scan results very quickly.
To scan multiple targets, create a text file with one target host per line and save it as victims.txt. Nikto's -h option accepts such a file, so to scan them all:
# nikto -h victims.txt > scanned.txt
We have redirected the results into a scanned.txt file.
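The multi-target Nikto run above mixes every host's findings into one scanned.txt. As an added example (not from the original post), the wrapper below reads the same victims.txt, adds -ssl for hosts written as https://, and uses Nikto's -output flag to write one report per host; the argv-list construction also keeps odd hostnames from being interpreted by a shell. It assumes a victims.txt in the post's format and nikto on PATH when actually scanning.

```python
#!/usr/bin/env python3
"""Batch Nikto scan with one report per host (added example, not from the post)."""
import re
import subprocess
from pathlib import Path


def parse_targets(text: str) -> list[str]:
    """Hosts from a victims.txt-style list: one per line, '#' comments, duplicates dropped."""
    seen, hosts = set(), []
    for line in text.splitlines():
        host = line.split("#", 1)[0].strip()
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def report_name(host: str) -> str:
    """Per-host file name: strip the scheme, replace anything unusual with '_'."""
    bare = re.sub(r"^[a-z]+://", "", host, flags=re.I)
    return re.sub(r"[^A-Za-z0-9.-]", "_", bare) + ".txt"


def nikto_command(host: str, out_dir: str) -> list[str]:
    """argv for one scan; a list, not a shell string, so hostnames are never shell-parsed."""
    cmd = ["nikto", "-h", host]
    if host.lower().startswith("https://"):
        cmd.append("-ssl")          # same flag the post uses for the HTTPS target
    cmd += ["-output", str(Path(out_dir) / report_name(host))]
    return cmd


def scan_all(targets_file: str, out_dir: str = "nikto-results",
             runner=subprocess.run) -> list[list[str]]:
    """Run one nikto process per host; returns the commands used (useful for dry runs)."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    commands = []
    for host in parse_targets(Path(targets_file).read_text()):
        cmd = nikto_command(host, out_dir)
        print("[*] scanning", host, "->", cmd[-1])
        runner(cmd, check=False)    # nikto exit codes vary; keep going on failure
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    import sys
    scan_all(sys.argv[1] if len(sys.argv) > 1 else "victims.txt")
```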
Skipfish
skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from several active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Skipfish can detect XSS, SQL injection, shell injection, etc., on the target web application.
man skipfish
To run the scanner:
# skipfish -h
# skipfish -o 202 https://target.com
It crawls every request and every internal/external link, collects statistics, and writes a documented report into the output directory you specified with -o (here, 202).
You can also customize your HTTP request to scan the target in depth.
Wapiti
Wapiti allows you to audit the security of your web applications.
It performs “black-box” scans, i.e. it does not study the source code of the application but will scan the webpages of the deployed web app, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
Wapiti can detect file disclosure, database injection, XSS injection, command execution, CRLF injection, XXE injection, use of known potentially dangerous files, weak .htaccess configurations that can be bypassed, presence of backup files giving sensitive information (source code disclosure), etc.
You can also customize your scan.
It comes preinstalled on Parrot OS; let's use it.
# wapiti -h
It shows all the commands and usage of the Wapiti tool.
It's very simple to use; let's run a default Wapiti scan:
# wapiti http://targetvictim.com
WMAP
WMAP is a feature-rich vulnerability scanner used to perform Web Application VA on target sites. This tool is integrated with Metasploit and allows us to conduct web application scanning from within the Metasploit Framework.
Load it in msfconsole
msfconsole
msf5 > load wmap
.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
WMAP is loaded in msfconsole.
msf5 > wmap_sites -h
[*] Usage: wmap_targets [options]
-h Display this help text
-a [url] Add site (vhost,url)
-l List all available sites
-s [id] Display site structure (vhost,url|ids) (level)
Let’s add the target site in wmap scan.
msf5 > wmap_sites -a http://targetsite.com
To list sites
msf5 > wmap_sites -l
Add the site as a target with wmap_targets.
msf5 > wmap_targets -h
[*] Usage: wmap_targets [options]
-h Display this help text
-t [urls] Define target sites (vhost1,url[space]vhost2,url)
-d [ids] Define target sites (id1, id2, id3 ...)
-c Clean target sites list
-l List all target sites
msf5 > wmap_targets -t http://target.com/index.php
Now list targets.
msf5 > wmap_targets -l
Using the wmap_run command will scan the target system.
msf5 > wmap_run -h
[*] Usage: wmap_run [options]
-h Display this help text
-t Show all enabled modules
-m [regex] Launch only modules that name match provided regex.
-p [regex] Only test path defined by regex.
-e [/path/to/profile] Launch profile modules against all matched targets.
(No profile file runs all enabled modules.)
To show all modules
msf5 > wmap_run -t
[*] Testing target:
[*] Site: 192.168.1.100 (192.168.1.100)
[*] Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*]
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
...snip...
To run the scan against our target.
msf5 > wmap_run -e
To see wmap findings
msf5 > wmap_vulns -l
To list all the details of found vulnerabilities
msf5 > vulns
Conclusion
We have discussed some free and open-source tools and techniques. There are many other vulnerability scanners as well, such as Burp Suite Pro, Acunetix, Qualys, and more.