"Practice Guide for Penetration Testing: tools and methods to be known"-reading notes (iv) Web-based exploit

Nikto

Automatically scans for outdated, unpatched software on the Web server and automatically retrieves dangerous files residing on the server. can identify a number of specific problems, but also can check out the server configuration problems.

/pentest/web/nikto

#./nikto.pl–h target_host–p Target_port–o Output_file_path

#./nikto.pl Update

Websecurify

Quickly and easily identify web vulnerabilities, including SQL injection, cross-site scripting, text inclusion, cross-site request forgery, and more.

/pentest/web/websecurify/runner

WebScarab

The preferred tool for interacting with the target Web server.

After the vulnerability scan has been completed with Nikto and Websecurify, the next logical step is to run the web crawler on the target site. A web crawler is a very useful tool for checking and reading (or crawling) the target site to find all links and related files. With web crawlers, every link, webpage and known file of the target site is recorded and sorted. These categorical data are useful for accessing restricted Web pages and locating files or information that are inadvertently exposed.

/pentest/web/webscarab

# Java–jar WebScarab

Use:

1. Open the webscarab,tools–> use full-featured interface and restart

2. Set the browser to proxy mode, 127.0.0.1:8008

Code injection attacks

The difference between explanatory and compiled languages is that explanatory languages produce machine code only before they are executed, whereas a compiled language requires the programmer to compile the source code and generate the executable file. Most of the current Web applications use interpretive programming languages and schema patterns for the backend databases that store information. In modern Web applications such as e-commerce, the job of explanatory language is to build a series of executable statements in conjunction with the programmer's initial work and user input .

SQL injection attacks:

SELECT * from users WHERE uname = ' or 1 = 1–and pwd = ' BT '

"*" wildcard, which informs SQL to return all columns of a matching record in a table

A pair of single quotes to the right of the equals sign is automatically added, indicating that the query object is a string

' OR 1 = 1-' Closes the left single quotation mark, keeping the query statement balanced. or 1 = 1 to make this query statement always true, all columns are returned. --The code after the comment.

Xss

Cross-site scripting is a process that injects a script into a Web application.

The injected script is saved in the original Web page, and all browsers accessing the Web page will run or process the script. Cross-site scripting attacks occur when the injection script actually becomes part of the original code.

Non-persistent cross-site scripting attack: A client sends a malicious script to a vulnerable server and the server reflects or bounces a script to the user. In this case, the payload (or script) is immediately executed. This attack process occurs in a single response/request. does not have persistence. To implement an attack, a malicious URL can only be sent to the user via e-mail, instant message, and so on, so the attack is performed on the attacker's browser.

Persistent cross-site scripting attacks: Malicious scripts are saved directly to the vulnerable server. Since the script is saved on the server, any user accessing the Web app will trigger the execution of the script.

WebGoat: Drill Platform

"Practice Guide for Penetration Testing: tools and methods to be known"-reading notes (iv) Web-based exploit