Performing a web penetration test demands not only expertise, but also a significant amount of time. Cybercriminals may have all the time in the world, but for ethical hackers, reducing assessment duration means more time for correcting exposures before they are found by attackers.
With the proper tools, a good penetration tester can automate several tasks, especially during early phases such as reconnaissance and scanning. This is when your focus is on mapping your targets and discovering any exploitable vulnerabilities. Even during the exploitation process, many tools can help craft custom attacks, preserve evidence and construct reports.
While an experienced professional will never depend solely on hacking software for performing an intrusion, it is essential to be well acquainted with the tools of the trade. Here are seven web application penetration testing software tools that, in the right hands, can be put to great use.
Burp Suite is created by PortSwigger Web Security. It is available as a free download with limited but extremely capable functionality. However, the commercial suite is affordably priced and well worth the investment if you are serious about web penetration testing. API penetration testing using Burp Suite is also very popular, for example by configuring Postman to route its requests through Burp.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
While systems and network administrators can use it for tasks such as network discovery and inventory, pentesters can similarly employ Nmap for reconnaissance and scanning, getting basic information such as what hosts are available on the network; what services (application name and version) those hosts are offering; what operating systems (and OS versions) they are running; what type of packet filters/firewalls are in use; and several other characteristics.
Nmap also includes a scripting module, so it is not limited to gathering basic information. Aside from network discovery, it can also perform vulnerability and backdoor detection, and even execute exploitations.
Wireshark is essentially the world’s most used network protocol analyzer. It allows for deep inspection of hundreds of protocols and live-traffic capture or offline analysis from a captured file. You can export information in XML, PostScript®, CSV or plain text format. Wireshark is a terrific tool for pentesters gathering and analyzing information.
Metasploit is an amazing tool for penetration testing. In fact, Metasploit is a framework and not a specific application, meaning it is possible to build custom tools for specific tasks. It comes in several versions (both free and paid), available for both Windows and Linux.
Metasploit is quite simple to use and was specifically designed to aid penetration testers. The common steps for exploiting any target are:
- Selecting and configuring the exploit to be targeted
- Selecting and configuring the payload that will be used
- Selecting and configuring the encoding scheme that will be used to try to evade intrusion detection/prevention systems (IDS/IPS)
- Executing the exploit
Nessus is an excellent vulnerability scanner. It provides comprehensive detection, including the ability to identify vulnerabilities, configuration issues and even malware on web applications.
Nessus is fast and accurate, and even though it is not designed for executing exploitations, it can be of terrific value for pentesters during the reconnaissance and scanning phases. It provides detailed target information that can be used by other tools (such as Metasploit) for exploitation.
Burp Suite is an integrated platform used for testing the security of web applications. It contains several tools that work seamlessly together, supporting the entire testing process.
Burp can perform the initial mapping and analysis of an application’s attack surface, and goes as far as finding and exploiting security vulnerabilities. It contains the following components:
- Intercepting proxy: For inspecting and modifying traffic between your browser and the target application
- Application-aware spider: For crawling content and functionality
- Advanced web application scanner: For automating the detection of numerous types of vulnerabilities
- Intruder tool: For performing powerful customized attacks to find and exploit unusual vulnerabilities
- Repeater tool: For manipulating and resending individual requests
- Sequencer tool: For testing the randomness of session tokens
Burp also allows for the creation of plugins for performing complex and customized tasks. It is easy to use, highly customizable and contains numerous powerful features that can help even the most experienced pentesters. In other words, it is an excellent tool for performing web application security assessments.
Nikto is an open source (GPL) web server scanner which performs comprehensive tests for multiple items against web servers.
Nikto can identify over 6,700 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers and scans for version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options and will also attempt to identify installed web servers and software.
A word of advice for pentesters: Nikto was not designed with a stealthy approach in mind. It will test a web server in the quickest time possible, and in most situations, it can easily be identified by an IPS/IDS.
Nikto’s primary functions include:
- SSL support
- Full HTTP proxy support
- Checking for outdated server components
- Creating reports in plain text, XML, HTML, NBE or CSV
- Scanning multiple ports on a server, or multiple servers via input file
- Ability to identify installed software via headers, favicons and files
- Host authentication with Basic and NTLM
- Subdomain guessing
- Apache and cgiwrap username enumeration
- Mutation techniques to “fish” for content on web servers
- Scan tuning to include or exclude entire classes of vulnerability checks
- Guessing credentials for authorization realms
- Enhanced false positive reduction via multiple methods
Nikto can also work in combination with Metasploit.
OpenVAS (Open Vulnerability Assessment System) is a framework of several services and tools. The core of this SSL-secured, service-oriented architecture is the OpenVAS Scanner, a tool that can be used for executing network vulnerability tests (NVTs), which can be served either via the OpenVAS NVT Feed or by a commercial feed service.
It is a great solution that performs really well and can be used with ease during the scanning phase of a pentest. With a comprehensive list of plugins and very efficient features, it is capable of deeply scanning applications to collect data and responses from the server. This data can then be used by other tools (such as Metasploit) for exploiting web applications.
Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. Burp is highly functional and provides an intuitive and user-friendly interface. Its proxy function allows configuration of very fine-grained interception rules, and clear analysis of HTTP messages structure and contents. The proxy can also be configured to perform automated matching and replacement of message headers, and provides an in-browser interface for viewing the proxy cache and reissuing individual requests.
Below we’ve listed the top 19 open source plugins that can be loaded into Burp as extensions:
1. AuthMatrix
AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are structured in a similar format to that of an access control matrix common in various threat modeling methodologies.
- GitHub Link – https://github.com/SecurityInnovation/AuthMatrix
AuthMatrix requires configuring Burp Suite to use Jython. Be sure to use Jython version 2.7.0 or greater to ensure compatibility.
2. Autorize
Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. With the latest release, Autorize also performs automatic authentication tests.
- GitHub Link – https://github.com/Quitten/Autorize
3. Backslash Powered Scanner
This extension complements Burp’s active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
- GitHub Link – https://github.com/PortSwigger/backslash-powered-scanner
4. burp-rest-api
A REST/JSON API to the Burp Suite security tool. Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other features of the Burp Suite Professional security tool.
- GitHub Link – https://github.com/vmware/burp-rest-api
5. BurpSmartBuster
A Burp Suite content discovery plugin that adds the smart into the Buster, through which you can easily find all the hidden resources in a web application. Basically, this plugin checks for directories/files in the directories of the current URL, and replaces and adds extensions to the current files, etc.
- GitHub Link – https://github.com/pathetiq/BurpSmartBuster
6. BurpKit
BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional Script bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp’s extender API.
- GitHub Link – https://github.com/allfro/BurpKit
7. Collaborator Everywhere
A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator.
- GitHub Link – https://github.com/PortSwigger/collaborator-everywhere
8. Co2
Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has its own configuration tab with multiple sub-tabs (one for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
- GitHub Link – https://github.com/JGillam/burp-co2
CO2 is comprised of both a suite of modules as well as standalone versions of some of these modules, either due to popular request or while still in early development prior to being added to the suite. The objectives of all CO2 modules include:
9. Distribute Damage
Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
- GitHub Link – https://github.com/PortSwigger/distribute-damage
10. HUNT
HUNT is a Burp Suite extension which identifies common parameters vulnerable to certain vulnerability classes and also organizes the testing methodologies inside of Burp Suite.
- GitHub Link – https://github.com/bugcrowd/HUNT
11. IntruderPayloads
A collection of Burp Suite Intruder payloads, fuzz lists and pentesting methodology. To pull down all third-party repos, you need to run install.sh from the same directory as the IntruderPayloads folder.
- GitHub Link – https://github.com/1N3/IntruderPayloads/blob/master/README.md
12. Office Open XML Editor
Office Open XML Editor is a Burp extension written in Python 2.7 that allows you to edit Office Open XML (OOXML) files directly in Burp Suite. It detects requests containing Office Open XML documents (docx, xlsx, pptx) and provides a tab to edit the XML content inside the document, which can then be used to test for XXE attacks.
- GitHub Link – https://github.com/maxence-schmitt/OfficeOpenXMLEditor
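The XXE testing described above works because OOXML documents are zip archives of XML parts. The following added example (not the Office Open XML Editor's own code) shows the defender's side of that: a check that an uploaded document is really OOXML and that none of its XML parts carries a DOCTYPE or entity declaration, which genuine Office files never contain. The sample documents are constructed in memory.

```python
import io
import re
import zipfile

# Any DTD at all inside an OOXML part is suspicious; benign Office files declare none.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def is_ooxml(data: bytes) -> bool:
    """OOXML files are zip archives (PK magic) that contain [Content_Types].xml."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_entity_declarations(data: bytes) -> list:
    """Return the names of XML/.rels parts that contain DOCTYPE or ENTITY declarations."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xml", ".rels")) and DOCTYPE_RE.search(zf.read(name)):
                hits.append(name)
    return hits


def build_docx(document_xml: bytes) -> bytes:
    """Constructed minimal docx-like archive used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a clean document and one whose main part declares a DTD.
CLEAN = build_docx(b'<?xml version="1.0"?><w:document><w:body/></w:document>')
TAMPERED = build_docx(b'<?xml version="1.0"?><!DOCTYPE w:document [<!ENTITY ex "x">]>'
                      b'<w:document><w:body>&ex;</w:body></w:document>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, is_ooxml(doc), find_entity_declarations(doc))
```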
13. PwnBack
Burp Extender plugin that generates a sitemap of a website using the Wayback Machine. PwnBack also requires PhantomJS to run, which must be downloaded separately.
- GitHub Link – https://github.com/P3GLEG/PwnBack
14. SAML Raider
SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: manipulating SAML messages and managing X.509 certificates.
- GitHub Link – https://github.com/SAMLRaider/SAMLRaider
15. Swurg
Parses Swagger files into Burp Suite for automating RESTful API testing; approved by Burp for inclusion in their official BApp Store.
- GitHub Link – https://github.com/AresS31/swurg
16. Burp-molly-pack
Burp-molly-pack is Yandex’s pack of security checks for Burp. The main goal of Burp-molly-pack is to extend Burp’s checks. The pack contains both active and passive security checks.
- GitHub Link – https://github.com/yandex/burp-molly-pack
17. NoPE Proxy
This extension is for those times when Burp just says ‘Nope, I’m not gonna deal with this.’ It’s actually an acronym for Non-HTTP Protocol Extension Proxy for Burp Suite.
- GitHub Link – https://github.com/summitt/Burp-Non-HTTP-Extension
NoPE Proxy also has a port monitor that will only display TCP ports that a remote client is attempting to connect on. This, combined with the DNS history, can help you find which hosts and ports a mobile app or thin client is attempting to contact, so that you can create interceptors for this traffic and proxy it to the real servers.
18. AutoRepeater
AutoRepeater is an open source Burp Suite extension that automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
- GitHub Link – https://github.com/nccgroup/AutoRepeater
AutoRepeater will only resend requests which are changed by a defined replacement. When AutoRepeater receives a request that matches the conditions set for a given tab, it first applies every defined base replacement to the request, then makes one copy of that request per defined replacement and applies the given replacement to that copy.
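AuthMatrix, Autorize and AutoRepeater all automate the same underlying check: replay one set of requests under several users and compare the outcome with the access-control matrix you expect. The added example below (not code from any of those extensions) shows that check against a hypothetical in-memory application whose endpoints, roles and session cookies are constructed for illustration; one endpoint deliberately lacks a role check so the replay has something to find.

```python
# Constructed access-control matrix: expected HTTP status per (request, role).
EXPECTED = {
    ("GET", "/api/profile"):      {"admin": 200, "user": 200, "anon": 401},
    ("DELETE", "/api/users/7"):   {"admin": 204, "user": 403, "anon": 401},
    ("GET", "/api/admin/report"): {"admin": 200, "user": 403, "anon": 401},
}

# Constructed session store: session cookie -> role ("anon" has no cookie).
SESSIONS = {"s-admin": "admin", "s-user": "user"}


def toy_app(method, path, cookie):
    """Hypothetical target application standing in for the real backend."""
    role = SESSIONS.get(cookie)
    if role is None:
        return 401
    if (method, path) == ("DELETE", "/api/users/7"):
        return 204 if role == "admin" else 403
    if (method, path) == ("GET", "/api/admin/report"):
        return 200  # BUG: admin-only endpoint with no role check
    if (method, path) == ("GET", "/api/profile"):
        return 200
    return 404


def run_matrix(app, expected, sessions):
    """Replay every request as every role and report each cell that deviates
    from the matrix; an unexpected success is a missing authorization check."""
    findings = []
    for (method, path), per_role in expected.items():
        for role, want in per_role.items():
            cookie = next((c for c, r in sessions.items() if r == role), "")
            got = app(method, path, cookie)
            if got != want:
                findings.append({"role": role, "method": method, "path": path,
                                 "expected": want, "actual": got})
    return findings


if __name__ == "__main__":
    for f in run_matrix(toy_app, EXPECTED, SESSIONS):
        print(f"{f['role']:5} {f['method']:6} {f['path']:18} "
              f"expected {f['expected']} got {f['actual']}")
```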
19. Uniqueness plugin for Burp Suite
Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.
- GitHub Link – https://github.com/silentsignal/burp-uniqueness