Join Malcolm Shore for an in-depth discussion in this video Approaching web testing, part of Penetration Testing Essential Training.
- [Instructor] Most applications are now delivered as web applications, or as mobile apps supported by a web-based service. Consequently, web testing is a key skill for a pen tester. The cost of not testing web apps can be readily seen in the many examples of data breaches resulting from an insecure website. TalkTalk is one of many, and it made headlines. The culprit was a 17-year-old boy who used hacking tools and looted email addresses, names and phone numbers, as well as 21,000 unique bank account numbers and sort codes.
TalkTalk subsequently tested their websites, but this would have been much more effective before the hack. There are two main approaches to testing websites. The first is to crawl each page in the website, looking for vulnerabilities. This can provide a good map of where to look for weaknesses. The second approach, and sometimes the second stage after crawling, is to intercept the website traffic by using a proxy service between the web client and the server. In addition, manually checking web pages for comments can be useful, as these have been known to include credentials and commented notes about bugs that require fixing.
Identifying client-side code is also useful, as this can indicate ways in which the client can subvert security. Another important check is the technologies used for the web server, and the protocols used for traffic. These can be used to identify known vulnerabilities that may not have been patched and cryptographic weaknesses that can be attacked. Websites should use Secure Transport Services to ensure that there's no risk of man-in-the-middle. But many still use HTTPS and even HTTP.
In addition, WebSockets is a new technology which has been deployed to provide simpler communication for web apps. Understanding the strengths and weaknesses of the web architecture is useful. Another area to look at is user authentication, especially where the website includes ecommerce functionality. The rules around credit card payments are very strict, and most sites have moved to payment gateways. However, the interface between the ecommerce webpage and the gateway is a key area to review.
Another area is the validation of credentials, and in particular, the risk of injection attacks where a backend authentication server is used. If the webpage builds a query string to extract user data, it's a key focus for attackers to exploit. Password reset pages are also an area of focus, as the interactions are often less well-tested than the main access code. Of course, websites which have default credentials left in the system or have hard-coded credentials stored are prime targets for attack.
Session management is another area of weakness, and it's useful to test whether an attacker can hijack a session or access a session with an intercepted session cookie. Session tokens may also be predictable, which enables an attacker to prepare for an attack when the predicted cookie becomes active. There are a lot of ways to attack a web application and a lot to look at when doing web testing. We'll introduce a few tools and techniques that you should be familiar with before you start to look at deeper testing.
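Two of the checks mentioned above, reading page comments for leaked credentials or bug notes and identifying client-side code, are easy to automate as a first pass before manual review. The script below is an added example written for this page; it is not part of the course or Malcolm Shore's material. It uses only the Python standard library, runs over a constructed sample page embedded in the file (no network access), and the keyword list in `SENSITIVE_RE` is an assumed starting point rather than an authoritative list.

```python
"""Flag HTML comments worth a tester's attention and list client-side script.

Added example, not from the course. The sample page below is constructed;
the account name, password and bug number in it are made up for the demo.
"""
import re
from html.parser import HTMLParser

# Assumed keyword list: words that commonly betray credentials or unfinished
# work in developer comments. Extend it for the application under test.
SENSITIVE_RE = re.compile(
    r"\b(password|passwd|pwd|secret|api[_-]?key|token|user(name)?|login)\b"
    r"|\b(todo|fixme|bug|hack|temporary|remove before)\b",
    re.IGNORECASE,
)


class CommentAndScriptScanner(HTMLParser):
    """Collect HTML comments and <script> elements with their line numbers."""

    def __init__(self):
        super().__init__()
        self.comments = []          # (line, comment text)
        self.inline_scripts = []    # (line, script body)
        self.external_scripts = []  # src attribute of <script src=...>
        self._in_script = False
        self._script_start = 0
        self._script_buf = []

    def handle_comment(self, data):
        # getpos() still points at the "<!--" while the handler runs.
        line, _ = self.getpos()
        self.comments.append((line, data.strip()))

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_scripts.append(src)
        else:
            self._in_script = True
            self._script_start = self.getpos()[0]
            self._script_buf = []

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data, so buffer them here.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf).strip()
            self.inline_scripts.append((self._script_start, body))


def scan_page(html):
    """Return comment and script findings for one page of HTML."""
    parser = CommentAndScriptScanner()
    parser.feed(html)
    parser.close()
    flagged = [(ln, txt) for ln, txt in parser.comments if SENSITIVE_RE.search(txt)]
    return {
        "comments_total": len(parser.comments),
        "comments_flagged": flagged,
        "inline_scripts": parser.inline_scripts,
        "external_scripts": parser.external_scripts,
    }


# Constructed sample page: everything in it is invented for this example.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
  <title>Constructed sample login page</title>
  <!-- TODO: remove the test account before go-live: admin / Summer2019 -->
  <script src="/static/app.js"></script>
</head>
<body>
  <!-- layout wrapper -->
  <form action="/login" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
  <script>
    // client-side check only; the server must re-validate
    function isAdmin(u) { return u === "admin"; }
  </script>
  <!-- FIXME: password reset flow still bypasses lockout (bug #42) -->
</body>
</html>
"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    print(f"{report['comments_total']} comments, "
          f"{len(report['comments_flagged'])} flagged for review:")
    for line, text in report["comments_flagged"]:
        print(f"  line {line}: {text}")
    print("external scripts:", report["external_scripts"])
    for line, body in report["inline_scripts"]:
        print(f"inline script at line {line}:\n{body}")
```

On the sample page the scanner reports three comments, flags the two containing a test account and a reset-flow bug note, lists `/static/app.js` as external code to fetch and read, and returns the inline `isAdmin` check, which is exactly the kind of client-side logic the transcript says to look for because it must never be the only control. One caveat: `html.parser` treats the body of a `<script>` or `<style>` element as raw text, so a `<!-- -->` inside a script block appears in `inline_scripts` rather than `comments`; that matches browser behaviour but means the inline script bodies also deserve a read.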
Cybersecurity expert Malcolm Shore reviews popular pen testing tools, as well as the Bash and Python scripting skills required to be able to acquire, modify, and re-use exploit code. He also provides a refresher on Kali Linux and introduces techniques for testing web services. At the end of this course, you'll be prepared to take more advanced training, and to pursue the popular Offensive Security Certified Professional (OSCP) certification.
- Pen testing overview
- Pen testing tools
- Bash scripting
- Python scripting
- Kali and Metasploit
- Web testing
- Finding exploit code