Skip to main content

Web Applications: How to Conduct a Successful Web Application Test

Introduction

This unit presents the steps to use Core Impact to perform Web application test.

Features

  • Create scenario for a Web Application Testing
  • Scan the Web Application
  • Launch an Attack to validate the Top 10 OWASP Security Risks
  • Review exploited pages and check installed agents
  • Install OS agent through a web agent
  • Perform cleanup of deployed Agents
  • Generate report of found vulnerabilities

Highlighted Modules

  • Web Apps Information Gathering RPT
  • Web Apps Attack and penetration
  • Install OS Agent using OS Command Injection Agent
  • Report Generation

Walkthrough

Hosts

  • Web Application target host
    • Hostname: webapps
    • Target web application: http://-WebApps machine IP-/mutillidae/
      • User: samurai
      • Password: samurai

Web Application Information Gathering

  1. From the RPT Pane, select and click Web Applications Information Gathering RPT to crawl the web application. Click Next

Information Gathering

  1. Mark Create a new scenario and set the Scenario Name to Mutillidae. Click Next.

New scenario

  1. Mark Crawl a known web application. Click Next.

Known web app

  1. Mark Automatic web crawling and set the URL to http://-WebApps machine IP-/mutillidae. Click Next.

Set URL

  1. Click Next.

Proxy config

  1. Click Next.

Custom Headers

  1. Click Next.

Crawling options

  1. Check the option Use session management in your website. Click Next.

Use session management

  1. Mark the option Form based. Click Next.

Form Based

  1. Provide the credentials (user: samurai, password: samurai). Click Next.

Site credentials

  1. Click Next.

Session management

  1. Check the option Append '?wsdl' to every found url. Provide the credentials (user: samurai, password: samurai) for SOAP WS-Security. Click Finish.

WSDL credentials

  1. Wait for Client Side RPT to complete gathering information.

Discovery Results

Web Application Attack and Penetration

  1. From the RPT Pane, drag & drop Web Applications Attack and Penetration RPT on the ````Mutillidae``` scenario. Click Next.

Web Apps RPT

  1. Verify that the target is set to Mutillidae. Click Next.

Scenraio Selection

  1. Check A3 - Injection option only. Click Next.

A3

  1. Check A5 - Security Misconfiguration > Look for XML External Entities options only. Click Next.

A4 to A7

  1. Uncheck all options. Click Next.

A8 to end

  1. Click Next.

SQL injection options

  1. Click Next.

XSS options

  1. Click Finish.

Finish wizard

  1. Wait for Web Applications Attack and Penetration RPT to finish. Several agents will be deployed.

Attack launched

Interacting With Deployed Agents

  1. The deployed Agents can be leveraged to gain additional information such as getting the DB schema, Logins or DB version. Simply "drag and drop" the highlighted module onto the logical agent

Local Information Gathering

  1. Deploy an OS Agent using the previously deployed OS Command Injection Agent. Simply "drag and drop" the module Install OS Agent using OS Command Injection Agent over the OS Command Injection Agent.

OS Agent Deployment

  1. Go to the Network tab and validate that an OS Agent has been deployed in the webapps host.

OS Agent Deployed

  1. Control of a compromised host is now possible through the deployed OS Agent. This agent has capabilities to explore the local filesystem, launch programs and create new network connections from the host. In order to explore the compromised host, Core Impact provides shells and file browsing capabilities.
    • Right-click on the OS Agent deployed on the webapps host, and select Shell.
    • You can execute commands to explore the filesystem and launch programs on the host.

Generate Report of the Web Application Test

Finally, we'll generate a Web Vulnerability Report to show the results of the Web Application test.

  1. From the RPT Pane, "drag and drop" the Web Applications Report Generation RPT on Mutillidae scenario.

Report Wizard

  1. Click Next.

  2. Select WebApps Vulnerability Report and click Next.

Report Selection

  1. Select PDF format and click Next.

Format Selection

  1. Click Finish.

Generate Report

  1. The Web Applications Report Generation RPT module will generate the report and open it using the program associated.

Report1 Report2 Report3

Though not shown here, Excel-based reports in Core Impact allow them to be customized after they're generated. Additionally, the user can also customize an existing Excel-based report before it's filled with the workspace's results, so that these customizations can be applied every time the duplicated report is generated. The user can update branding images, introductory texts, show/remove sections, and customize result tables and graphs.