Application Penetration Tester's Toolkit

Paladion
By Paladion

March 30, 2007

In this article series, we will be looking at some of the tools used for application penetration testing. The most common categories of tools include web proxy editors, fuzzers, network proxies, memory viewers, decompilers, browser extensions and automated vulnerability scanners.

Web Proxy Editors

The first set of tools, web proxy editors, intercept web traffic (both HTTP and HTTPS) between the web browser and the web server and allow requests and responses to be modified, much as in a man-in-the-middle (MITM) attack. Some of the popular web proxy editors include WebScarab by Rogan Dawes, Paros Proxy from Chinotec Technologies and Burp Suite from PortSwigger.

WebScarab

Let's delve into WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project), the official OWASP tool for web application testing. WebScarab is written in Java, so it runs on many platforms, and its multiple plugins let it operate in several modes.

First we will see the proxy plugin in action. The tester sets the browser's proxy settings to IP 127.0.0.1 and port 8008 for all protocols and starts WebScarab, then sets the proxy plugin to "Intercept" mode in the 'Manual Edit' tab. The tool is now ready to capture all requests and responses exchanged between the web browser and the web server. By default, a regular expression in the 'Exclude paths matching' field prevents requests for image files and JavaScripts from being captured; this ensures that only interesting requests are intercepted.

[Figure: WebScarab interface, http://palisade.plynt.com/images/webscarab.png]

Fig 1. WebScarab Interface

Some of the critical attacks carried out with a web proxy include parameter manipulation, bypassing client-side validation, injecting malicious input that is not possible through the web page itself, and manipulating responses. If you use tabs while browsing, you may want to browse other websites while testing a particular one, without WebScarab intercepting the requests and responses for those other sites. You can achieve that with a regular expression in the 'Include paths matching' field. For example, if you are testing http://plynt.com/, you can use the regular expression .*.(plynt.com.*)$. If you need to log the session, however, tabbed browsing may not be preferable, as the requests and responses for the other sites will also get logged.
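The include/exclude scoping described above, as an added example written for this article rather than code from WebScarab: a small filter that decides which URLs a proxy should intercept, run over a constructed list of URLs from a tabbed-browsing session. The exclude expression standing in for WebScarab's default, the host-anchored alternative include expression, and the choice of start-anchored matching (Python's re.match) are all assumptions of this example; the first include expression is the one the article gives.

```python
import re

# Constructed sample traffic: URLs a browser might request while the
# tester works on plynt.com in one tab and reads news in another.
SAMPLE_URLS = [
    "http://plynt.com/",
    "http://plynt.com/login.php?user=test",
    "http://www.plynt.com/images/logo.png",
    "http://plynt.com/js/menu.js",
    "http://news.example.org/index.html",
    "http://news.example.org/?ref=plynt.com",
]

# Assumed stand-in for the default 'Exclude paths matching' expression:
# skip static images, stylesheets and scripts so only interesting
# requests are intercepted.
DEFAULT_EXCLUDE = r".*\.(gif|jpg|jpeg|png|css|js)$"

# The 'Include paths matching' expression quoted in the article. Note that
# its dots are unescaped and it is not anchored to the host, so a
# third-party URL that merely mentions plynt.com also matches.
ARTICLE_INCLUDE = r".*.(plynt.com.*)$"

# Assumed tighter alternative that anchors on the host part of the URL,
# keeping other sites out of scope even when they reference plynt.com.
HOST_INCLUDE = r"^https?://([^/]+\.)?plynt\.com(/|$)"


def in_scope(url, include=None, exclude=None):
    """Return True if the proxy should intercept this URL.

    A URL is intercepted when it matches the include expression (if one
    is set) and does not match the exclude expression (if one is set).
    Matching is anchored at the start of the string; the expressions
    above carry their own '$' where the end matters.
    """
    if include and not re.match(include, url):
        return False
    if exclude and re.match(exclude, url):
        return False
    return True


def intercepted(urls, include=None, exclude=None):
    """Filter a list of URLs down to those the proxy would intercept."""
    return [u for u in urls if in_scope(u, include, exclude)]


if __name__ == "__main__":
    print("Article include :", intercepted(SAMPLE_URLS, ARTICLE_INCLUDE, DEFAULT_EXCLUDE))
    print("Host-anchored   :", intercepted(SAMPLE_URLS, HOST_INCLUDE, DEFAULT_EXCLUDE))
```

With the article's expression, the news site's `?ref=plynt.com` request is still intercepted; the host-anchored expression leaves only the two non-static plynt.com requests in scope, which is what a tester usually wants when other tabs are open.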

In addition to the web proxy, the following plugins come in handy during a web application penetration test:

  • Fragments, which extracts scripts and HTML comments from web pages
  • Beanshell, which allows complex operations to be performed on requests and responses
  • Spider, which lets you recursively crawl through the website
  • SessionID analysis, which analyses session cookies for predictability
  • Parameter fuzzer, which automates parameter substitution to expose incomplete parameter validation
  • SOAP, which parses WSDL and enables editing of functions and parameters

OWASP has recently started work on the Next Generation WebScarab (http://www.owasp.org/index.php/OWASP_WebScarab_NG_Project).

Fuzzers

Fuzzing is a technique for identifying security weaknesses in applications by supplying random or unexpected data to their inputs. If the application fails or crashes, that indicates the existence of flaws in the application. Fuzzers exploit inadequate input validation, which is the root cause of several well-known attacks, from the age-old buffer overflow to the recently popularized cross-site scripting attack. The vulnerabilities discovered through fuzzing are usually critical, as they are directly exploitable by attackers, and fuzzing has become popular in recent years. While fuzzers discover flaws such as buffer overflows, DoS, SQL injection, cross-site scripting and format string vulnerabilities, they fail to identify flaws such as information disclosure, weak encryption and others that do not lead to abnormal behavior of the application.

Some of the well-known fuzzers used in web application penetration testing include WebFuzzer, jbrofuzz, MielieTool, Wapiti and SPI Fuzzer. While SPI Fuzzer is a commercial tool that is part of the SPI WebInspect toolkit, the other fuzzers are freely available. In this article, we will discuss Wapiti.

Wapiti

Wapiti is not just a fuzzer but a web application scanner as well. It crawls through web pages and identifies scripts and forms into which data can be injected. The fuzzer then injects random and unexpected data into these scripts and forms, and the application's responses are analyzed to discover any vulnerability. Wapiti detects vulnerabilities such as file handling errors, database injection flaws, XSS flaws, LDAP injection flaws, command execution flaws and CRLF injection flaws.

Wapiti is developed in Python and uses the lswww Python library as its web spider. The HTML Tidy library helps lswww parse badly coded web pages more reliably, so that more inputs to inject are identified. The author also suggests installing the ctypes and uTidylib modules for better efficiency.
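The crawl-and-inject cycle of the Fuzzers and Wapiti sections, as an added example written for this article (it is neither Wapiti's nor lswww's code): the form extractor plays the spider's role of finding injection points in a page, the payload list supplies the "random or unexpected data", and a constructed stand-in application answers the submissions. The sample page, the payload list and the stand-in application (including its unvalidated page number and its debug banner) are all constructed for this example. The stand-in also shows the limitation stated above: the /search crash is reported, while the /login banner, an information disclosure that never causes abnormal behaviour, is not.

```python
import html.parser

# Constructed sample page standing in for a crawled site: two forms,
# including a hidden field, as the spider would see them. Test data only.
SAMPLE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form action="/search" method="get">
  <input name="q"><input type="hidden" name="page" value="1">
</form>
</body></html>
"""

# Unexpected data in the article's sense: empty, oversized, negative,
# control characters, quote characters and non-ASCII text.
PAYLOADS = ["", "A" * 4096, "-1", "0", "\x00", "\r\nX: y", "'", '"', "<", "\u00e9\u4e2d"]


class FormExtractor(html.parser.HTMLParser):
    """Collect the action, method and (name, default value) of every
    non-submit input for each form on a page: these are the injection points."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name") and a.get("type", "text").lower() != "submit":
                self._form["inputs"].append((a["name"], a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def extract_forms(page):
    parser = FormExtractor()
    parser.feed(page)
    return parser.forms


def fake_app(path, params):
    """Constructed stand-in for the application under test; returns
    (status, body). /search parses the page number without validation, so
    malformed input raises (the kind of crash a fuzzer detects). /login
    answers 200 but leaks a debug banner, which no crash-based check notices."""
    if path == "/search":
        page = int(params.get("page", "1"))   # unvalidated: ValueError on junk
        return 200, "results page %d for %r" % (page, params.get("q", ""))
    if path == "/login":
        return 200, "Login failed. DEBUG: build 1.2, db01.internal"  # constructed leak
    return 404, "not found"


def fuzz_form(form, app):
    """Put each payload into each input in turn (the other inputs keep a
    benign value) and report the submissions that made the app fail."""
    findings = []
    for name, _default in form["inputs"]:
        for payload in PAYLOADS:
            params = {n: (d or "test") for n, d in form["inputs"]}
            params[name] = payload
            try:
                status, _body = app(form["action"], params)
            except Exception as exc:          # a live server would answer 500 here
                findings.append((name, repr(payload), type(exc).__name__))
                continue
            if status >= 500:
                findings.append((name, repr(payload), "HTTP %d" % status))
    return findings


def fuzz_page(page, app):
    """Crawl step plus inject step: every form on the page, fuzzed."""
    return {f["action"]: fuzz_form(f, app) for f in extract_forms(page)}


if __name__ == "__main__":
    for action, hits in fuzz_page(SAMPLE_PAGE, fake_app).items():
        print(action, "->", len(hits), "failing submissions")
        for hit in hits:
            print("   ", hit)
```

Running it reports eight failing submissions, all against the hidden page field of /search, and none against /login. Against a real target the stand-in would be replaced by an HTTP client and the 5xx check would stand in for the exception handler; the information-disclosure case still needs a response-content check rather than a crash check.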

In the next article, we will discuss network proxies, memory
viewers and decompilers.
