March 2007
Application Penetration Tester's Toolkit
by Balaji V
In this article series, we will be looking at some of the tools used for application penetration testing. The most common categories of tools include web proxy editors, fuzzers, network proxies, memory viewers, decompilers, browser extensions and automated vulnerability scanners.
Web Proxy Editors
The first set of tools, web proxy editors, intercept web traffic (both HTTP and HTTPS) between the web browser and the web server and allow the tester to manipulate requests and responses in the manner of a man-in-the-middle (MITM) attack. Some of the popular web proxy editors include WebScarab by Rogan Dawes, Paros Proxy from Chinotec Technologies and Burp Suite from PortSwigger.
WebScarab
Let’s delve into WebScarab, the official OWASP tool for web application testing. WebScarab is written in Java, so it runs on many platforms, and its plugins enable it to operate in several modes.
First we will see the proxy plugin in action. The tester sets the browser’s proxy settings to IP 127.0.0.1 and port 8008 for all protocols and starts WebScarab, then switches the proxy plugin to “Intercept” mode in the ‘Manual Edit’ tab. The tool is now ready to capture all requests and responses exchanged between the web browser and the web server. By default, a regular expression in the ‘Exclude paths matching’ field prevents requests for image and JavaScript files from being captured, which ensures that only interesting requests are intercepted.

Fig 1. Webscarab Interface
Some of the critical attacks carried out with a web proxy include parameter manipulation, bypassing client-side validation, injecting malicious input that cannot be entered through the web page, and manipulating responses. If you use tabs while browsing, you may want to visit other websites while testing a particular site without WebScarab intercepting their requests and responses. You can achieve that with a regular expression in the ‘Include paths matching’ field. For example, if you are testing http://plynt.com/ , you can use the regular expression .*.(plynt.com.*)$. If you need to log the session, however, tabbed browsing may not be preferable, as requests and responses to the other sites will also be logged.
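The interplay of the two fields is easy to get wrong, so here is a small added example (not code from the article or from WebScarab) that applies an include pattern and an exclude pattern to a set of constructed URLs the way an intercepting proxy does: a request is stopped for editing only if it matches the include pattern and does not match the exclude pattern. The include pattern is the one quoted above; the exclude pattern is an assumption standing in for WebScarab’s default, which the article does not reproduce. The example also shows that the dots in the quoted pattern are unescaped, so a lookalike hostname such as plynt.com.example.org matches too; the tighter pattern at the end (my own, not from the article) anchors the scheme and host and rejects it.

```python
import re

# Include pattern exactly as quoted in the article for a test of http://plynt.com/.
ARTICLE_INCLUDE = r".*.(plynt.com.*)$"

# Assumption: a constructed stand-in for the default 'Exclude paths matching'
# field, skipping images, stylesheets and JavaScript so they are not intercepted.
DEFAULT_EXCLUDE = r".*\.(gif|jpg|png|css|js)$"

# Tighter include pattern (my own): scheme anchored, dots escaped, optional
# subdomain, so only plynt.com and its subdomains are in scope.
TIGHT_INCLUDE = r"^https?://([^/]+\.)?plynt\.com(/.*)?$"


def should_intercept(url, include=ARTICLE_INCLUDE, exclude=DEFAULT_EXCLUDE):
    """True when the proxy would stop this request for manual editing.

    Order matters: the include pattern decides scope first, then the exclude
    pattern removes uninteresting resources from within that scope.
    """
    if include and not re.match(include, url):
        return False
    if exclude and re.match(exclude, url):
        return False
    return True


def classify(urls, include=ARTICLE_INCLUDE, exclude=DEFAULT_EXCLUDE):
    """Map each URL to the intercept decision, for a quick scope review."""
    return {u: should_intercept(u, include, exclude) for u in urls}


# Constructed sample traffic, as a browser with several tabs open might send.
SAMPLE_URLS = [
    "http://plynt.com/login",               # in scope, intercepted
    "http://plynt.com/images/logo.gif",     # in scope but excluded (image)
    "http://www.example.org/news",          # another tab, out of scope
    "http://plynt.com.example.org/",        # lookalike host: article pattern lets it through
]

if __name__ == "__main__":
    for pattern_name, pattern in (("article", ARTICLE_INCLUDE), ("tight", TIGHT_INCLUDE)):
        print(pattern_name, classify(SAMPLE_URLS, include=pattern))
```

With the article’s pattern the fourth URL is intercepted along with the first; with the anchored pattern only the first is. Whichever pattern you use, confirm it against a few URLs like these before you start logging, because anything the include pattern admits ends up in the session log.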
In addition to the web proxy, the following plugins come in handy during a web application penetration test:
- Fragments, which extracts scripts and HTML comments from web pages
- Beanshell, which allows complex operations to be performed on requests and responses
- Spider, which lets you recursively crawl through the website
- SessionID analysis, which analyses session cookies for predictability
- Parameter fuzzer, which automates parameter substitution to expose incomplete parameter validation
- SOAP, which parses WSDL and enables editing of functions and parameters
OWASP has recently started work on the Next Generation WebScarab.
Fuzzers
Fuzzing is a technique for identifying security weaknesses in applications by feeding random or unexpected data to their inputs. If the application fails or crashes, that indicates a flaw in the application. Fuzzers exploit inadequate input validation, which is the root cause of many well-known attacks, from the age-old buffer overflow to the recently popularized cross-site scripting attack. The vulnerabilities discovered through fuzzing are usually critical, as they are directly exploitable by attackers, and fuzzing has become popular in recent years. While fuzzers discover flaws such as buffer overflows, DoS, SQL injection, cross-site scripting and format string vulnerabilities, they fail to identify flaws such as information disclosure, weak encryption and others that do not lead to abnormal behavior of the application.
Some of the well-known fuzzers used in web application penetration testing include WebFuzzer, jbrofuzz, MielieTool, Wapiti and SPI Fuzzer. SPI Fuzzer is a commercial tool that is part of the SPI WebInspect toolkit; the others are freely available. In this article, we will discuss Wapiti.
Wapiti
Wapiti is not just a fuzzer but a web application scanner as well. It crawls through web pages and identifies the scripts and forms into which data can be injected. The fuzzer then injects random and unexpected data into these scripts and forms, and the application’s responses are analyzed to discover any vulnerability. Wapiti detects vulnerabilities such as file handling errors, database injection flaws, XSS flaws, LDAP injection flaws, command execution flaws and CRLF injection flaws.
Wapiti is developed in Python and uses the lswww Python library as its web spider. The HTML Tidy library helps lswww parse badly coded web pages, which leads to the identification of more inputs to inject. The author also suggests installing the ctypes and uTidylib modules for better efficiency.
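To make the crawl-inject-analyze loop concrete, here is an added example in Python; it is my own illustration, not Wapiti’s code or lswww, and it covers both the general fuzzing idea described in the Fuzzers section and the form-driven approach described for Wapiti. A small HTML parser plays the role of the spider by collecting every form and its input names; a constructed in-memory application stands in for the site under test; and the fuzz loop sends a handful of unexpected values to each input and classifies the responses. Two of the constructed handlers misbehave on purpose (one reflects input without encoding, one crashes on a non-numeric id) so the fuzzer has something to report, and a third handler works normally, which is exactly the case the Fuzzers section warns about: a flaw that causes no abnormal response is invisible to this kind of testing.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple


# --- Step 1: form discovery, the job the spider (lswww in Wapiti) performs ---
class FormExtractor(HTMLParser):
    """Collects every <form> with its action, method and named inputs."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Dict = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("name"):                       # unnamed inputs (e.g. submit) carry no data
                self._current["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(page: str) -> List[Dict]:
    parser = FormExtractor()
    parser.feed(page)
    parser.close()
    return parser.forms


# --- Step 2: a constructed toy application standing in for the site under test ---
def toy_app(path: str, params: Dict[str, str]) -> Tuple[int, str]:
    """Constructed target (assumption, not a real site). Returns (status, body)."""
    if path == "/search":
        # Deliberate defect: the query is echoed without html.escape().
        return 200, f"<p>Results for {params.get('q', '')}</p>"
    if path == "/item":
        try:
            item_id = int(params.get("id", "0"))
        except ValueError:
            return 500, "Internal Server Error"   # deliberate: unexpected input crashes the handler
        return 200, f"<p>Item {item_id}</p>"
    if path == "/login":
        # Behaves normally for any input. If this handler used weak encryption for
        # its session token, nothing in the response would change, so the fuzzer
        # below would never notice: the limitation the Fuzzers section describes.
        return 200, "<p>Welcome</p>"
    return 404, "Not Found"


# --- Step 3: the fuzz loop and response analysis ---
MARKER = "<fuzz_example_marker>"   # constructed marker; raw reflection of it is the signal
PAYLOADS = [
    MARKER,        # markup that a safe handler would encode
    "abc",         # wrong type for numeric fields
    "A" * 4096,    # oversized value
]


def fuzz_forms(page: str, app: Callable[[str, Dict[str, str]], Tuple[int, str]]) -> List[Dict]:
    """Send each payload to each form input in turn and classify the responses."""
    findings: List[Dict] = []
    seen = set()
    for form in extract_forms(page):
        for field in form["inputs"]:
            for payload in PAYLOADS:
                # Keep the other fields benign so only one input changes per request.
                params = {name: "1" for name in form["inputs"]}
                params[field] = payload
                status, body = app(form["action"], params)
                kind = None
                if status >= 500:
                    kind = "server-error"            # crash or unhandled exception
                elif MARKER in body:
                    kind = "reflected-unencoded"     # candidate cross-site scripting
                if kind and (form["action"], field, kind) not in seen:
                    seen.add((form["action"], field, kind))
                    findings.append({"action": form["action"], "field": field,
                                     "kind": kind, "payload": payload})
    return findings


# Constructed sample page, the kind of HTML the spider would fetch.
SAMPLE_PAGE = """<html><body>
<form action="/search" method="get"><input name="q"><input type="submit" value="Go"></form>
<form action="/item" method="get"><input name="id" value="1"></form>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in fuzz_forms(SAMPLE_PAGE, toy_app):
        print(finding)
```

Run against the constructed page, the loop reports one reflected-unencoded finding on the search form and one server-error finding on the item form, and nothing at all on the login form. A real scanner adds many more payload families and response signatures (database error strings, timing differences, CRLF echoes), but the structure stays the same, and so does the blind spot: every check here keys on a response that differs from normal.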
In the next article, we will discuss network proxies, memory viewers and decompilers.