Web Application Testing for beginnersI was asked to give a presentation on Web Application Testing, so as well as supporting information as to why and what a test involves, I highlighted why OWASP was important, and showed how easy a simple a SQL injection attack is to carry out.
Who or what are OWASP? Wikipedia gives the definition as: “The Open Web Application Security Project is an online community dedicated to web application security. The OWASP community includes corporations, education organizations and individuals from around the word”
OWASP gives information on security coding of web applications and following their guidelines will help ensure the development of secure web applications and that the security standards are upheld as part of this process.
A common penetration testing tool is KALI Linux, which is available here as software or here as a virtual machine. It’s a suite of testing tools that run on Linux, and includes tools to test web applications.
One of toolsets found in KALI Linux is to a tool called OWASP ZAP, which will test websites for vulnerabilities. It’s a vulnerability assessment (VA) tool for web applications.
You enter in the website you want to test against. I have to say ensure you have the permission of the owner of the website, although there are many websites that can be tested against.
One of the vulnerabilities that OWASP ZAP can test for are SQL injections. Wikipedia defines SQL Injections as: "SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)"
Once you have a site that is vulnerable to an SQL injection, you can use the SQLMAP tool on KALI via a Terminal session.
To use SQLMAP to check a website for a database, use the following line of code:
sqlmap -u <vulnerable site url> --dbs
This command will show if there are any databases available on the site
Once you have the database information, the next task will be see what tables are available on that database, and that can be done using the following code:
sqlmap -u <vulnerable site> -D <database name> --tables
Once you have the tables, you’ll probably want to have a closer look at any interesting ones.
Once you find an interesting table, it would be useful to see what is available in the columns, which can be done using the following code:
sqlmap -u <vulnerable site> -D <database name> -T <table> --columns
Now you have the column information, it would be useful to dump the data, using the following code:
sqlmap -u <vulnerable site> -D <database name> -T <table> --dump
Once the data has been dumped, you’ll be asked if you want to use external tools to analyse the data, performing an attack using a default dictionary attack and whether you want to ignore common suffixes.
Copy and paste the data into Leafpad to view the data, where you’ll see passwords as hashes, and where they are common passwords in the default dictionary, then they will be displayed as clear text.
As you can see, with very little experience, it’s incredibly easy to check for vulnerabilities and use simple commands to perform some very powerful tests against the sites. The recommendation is to have any web application development team to follow the OWASP Top 10 and ensure regular testing against your web applications. If you are commissioning an external organisation, ensure they are offering an SLA to delivering a secure application, so they have to pull the stops out to ensure security is built in, rather than it being of additional expense to you and your organisation for not building this into the contract.