Web Vulnerability Assessment

Introduction

In this blog post we look at web vulnerability assessment (VA): discovering the vulnerabilities in a target that an attacker could later exploit. We will walk through a few tools used to perform a web assessment.

Nikto

Nikto examines a web server to find potential problems and security vulnerabilities, including:

  • Server and software misconfigurations

  • Default files and programs

  • Insecure files and programs

  • Outdated servers and programs

# nikto -help

Run scan against the target website

# nikto -h www.victim.com -ssl

This will give you the scan result fairly quickly.

To scan multiple targets, create a text file with one target host per line and save it as victims.txt.

To scan them all

# nikto -h victims.txt > scanned.txt

We have redirected the results into the scanned.txt file.

Skipfish

skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from several active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Skipfish can detect XSS, SQL injection, shell injection, etc. on the target web application.

man skipfish

To run the scanner

# skipfish -h
# skipfish -o 202 https://target.com

It will crawl every request and every external/internal link, gather statistics, and write a documented report into the output directory you specified with -o (here 202).

You can also customize your HTTP request to scan the target in depth.
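Seen from the server side, the checks described above leave a recognisable trace in the web server's access log: Nikto and skipfish identify themselves in their default User-Agent strings ("Nikto/<version>" and "SF/<version>"), and the default-file probing produces a burst of 404s from one source. The following Python is an added example, not part of the original post or of either tool; the log lines are constructed with documentation-range IPs, and it assumes the operator did not change the default User-Agent.

```python
import re
from collections import defaultdict

# One combined-log-format line (Apache/Nginx access.log). Only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Default User-Agent markers: Nikto sends "Nikto/<ver>", skipfish sends "SF/<ver>".
# An operator can change either, so the 404 heuristic below is the fallback.
SCANNER_UA = {"nikto": re.compile(r"Nikto/"), "skipfish": re.compile(r"\bSF/\d")}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, min_404=3):
    """Return {ip: {"scanners": [...], "distinct_404": n}} for sources that look like a scanner:
    a known scanner User-Agent, or >= min_404 distinct paths answered 404 (default-file probing)."""
    per_ip = defaultdict(lambda: {"scanners": set(), "paths404": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        info = per_ip[rec["ip"]]
        for name, pat in SCANNER_UA.items():
            if pat.search(rec["ua"]):
                info["scanners"].add(name)
        if rec["status"] == "404":
            info["paths404"].add(rec["path"])
    return {ip: {"scanners": sorted(i["scanners"]), "distinct_404": len(i["paths404"])}
            for ip, i in per_ip.items()
            if i["scanners"] or len(i["paths404"]) >= min_404}

# Constructed sample log (documentation-range IPs); not captured from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6) (Evasions:None) (Test:000045)"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /sfi9876 HTTP/1.1" 404 196 "-" "Mozilla/5.0 SF/2.10b"
192.0.2.44 - - [10/Oct/2023:13:58:00 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.44 - - [10/Oct/2023:13:58:01 +0000] "GET /.htaccess HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.44 - - [10/Oct/2023:13:58:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    for ip, hit in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, hit)
```

Feed it your real access.log lines instead of SAMPLE_LOG; the 192.0.2.44 entry shows why the 404 heuristic matters, since that source uses an ordinary User-Agent.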

Wapiti

Wapiti allows you to audit the security of your web applications.

It performs “black-box” scans, i.e. it does not study the source code of the application but will scan the webpages of the deployed web app, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect, among others:

  • File disclosure

  • Database injection

  • XSS injection

  • Command execution

  • CRLF injection

  • XXE injection

  • Use of known potentially dangerous files

  • Weak .htaccess configurations that can be bypassed

  • Presence of backup files giving sensitive information (source code disclosure)

You can also customize your scan.

It comes preinstalled on Parrot OS; let's use it.

# wapiti -h

It will show you all the commands and usage of the Wapiti tool.

It's very simple to use; let's run a default Wapiti scan

# wapiti http://targetvictim.com

WMAP

WMAP is a feature-rich vulnerability scanner used to perform Web Application VA on target sites. This tool is integrated with Metasploit and allows us to conduct web application scanning from within the Metasploit Framework.

Load it in msfconsole

msfconsole
msf5 > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

WMAP is loaded in msfconsole.

msf5 > wmap_sites -h
[*]  Usage: wmap_targets [options]
    -h        Display this help text
    -a [url]  Add site (vhost,url)
    -l        List all available sites
    -s [id]   Display site structure (vhost,url|ids) (level)

Let’s add the target site in wmap scan.

msf5 > wmap_sites -a http://targetsite.com

To list sites

msf5 > wmap_sites -l

Add the site as a target with wmap_targets.

msf5 > wmap_targets -h
[*] Usage: wmap_targets [options]
    -h          Display this help text
    -t [urls]   Define target sites (vhost1,url[space]vhost2,url)
    -d [ids]    Define target sites (id1, id2, id3 ...)
    -c          Clean target sites list
    -l          List all target sites

msf5 > wmap_targets -t http://targetsite.com/index.php

Now list targets.

msf5 > wmap_targets -l

Using the wmap_run command will scan the target system.

msf5 > wmap_run -h
[*] Usage: wmap_run [options]
    -h                        Display this help text
    -t                        Show all enabled modules
    -m [regex]                Launch only modules that name match provided regex.
    -p [regex]                Only test path defined by regex.
    -e [/path/to/profile]     Launch profile modules against all matched targets.
                              (No profile file runs all enabled modules.)

To show all modules

msf5 > wmap_run -t

[*] Testing target:
[*]     Site: 192.168.1.100 (192.168.1.100)
[*]     Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*] 
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
...snip...

To run the scan against our target

msf5 > wmap_run -e

To see wmap findings

msf5 > wmap_vulns -l

To list all the details of found vulnerabilities

msf5 > vulns

Conclusion

We have discussed some tools and techniques that are free and open source; there are many other vulnerability scanners as well, such as Burp Suite Pro, Acunetix, Qualys, and more.