Web Application Testing for beginners
I was asked to give a presentation on Web Application Testing, so as well as supporting information as to why and what a test involves, I highlighted why OWASP was important, and showed how easy a simple a SQL injection attack is to carry out.OWASP
Who or what are OWASP? Wikipedia gives the definition as: “The Open Web Application Security Project is an online
community dedicated to web application security. The OWASP community includes corporations,
education organizations and individuals from around the word”
OWASP gives information on security coding of web
applications and following their guidelines will help ensure the development of
secure web applications and that the security standards are upheld as part of
this process.
KALI Linux
A common penetration testing tool is KALI Linux, which is
available here as software or here as a virtual machine. It’s a suite of testing tools that run on
Linux, and includes tools to test web applications.
OWASP ZAP
One of toolsets found in KALI Linux is to a tool
called OWASP ZAP, which will test websites for vulnerabilities. It’s a vulnerability assessment (VA) tool for
web applications.
You enter in the website you want to test against. I have to say ensure you have the permission
of the owner of the website, although there are many websites that can be
tested against.
SQLMAP
One of the vulnerabilities that OWASP ZAP can test for are
SQL injections. Wikipedia defines SQL Injections as: "SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)"
Find Database
Once you have a site that is vulnerable to an SQL injection,
you can use the SQLMAP tool on KALI via a Terminal session.
To use SQLMAP to check a website for a database, use the
following line of code:
sqlmap -u <vulnerable site url> --dbs
This command will show if there are any databases available
on the site
Find Tables
Once you have the database information, the next task will
be see what tables are available on that database, and that can be done using
the following code:
sqlmap -u <vulnerable site> -D <database name>
--tables
Once you have the tables, you’ll probably want to have a
closer look at any interesting ones.
Find Columns
Once you find an interesting table, it would be useful to
see what is available in the columns, which can be done using the following
code:
sqlmap -u <vulnerable site> -D <database name>
-T <table> --columns
Dump Data
Now you have the column information, it would be useful to
dump the data, using the following code:
sqlmap -u <vulnerable site> -D <database
name> -T <table> --dump
Once the data has been dumped, you’ll be asked if you want
to use external tools to analyse the data, performing an attack using a default
dictionary attack and whether you want to ignore common suffixes.
Review Data
Copy and paste the data into Leafpad to view the data, where
you’ll see passwords as hashes, and where they are common passwords in the
default dictionary, then they will be displayed as clear text.
Conclusion
As you can see, with very little experience, it’s incredibly
easy to check for vulnerabilities and use simple commands to perform some very
powerful tests against the sites. The
recommendation is to have any web application development team to follow the OWASP Top 10 and ensure regular testing against your web applications. If you are commissioning an external organisation,
ensure they are offering an SLA to delivering a secure application, so they
have to pull the stops out to ensure security is built in, rather than it being
of additional expense to you and your organisation for not building this into
the contract.
