Performing a web penetration test demands not only expertise, but also a significant amount of time. Cybercriminals may have all the time in the world, but for ethical hackers, reducing assessment duration means more time for correcting exposures before they are found by attackers.
With the proper tools, a good penetration tester can automate several tasks, especially during early phases such as reconnaissance and scanning. This is when your focus is on mapping your targets and discovering any exploitable vulnerabilities. Even during the exploitation process, many tools can help craft custom attacks, preserve evidence and construct reports.
While an experienced professional will never depend solely on hacking software for performing an intrusion, it is essential to be well acquainted with the tools of the trade. Here are seven web application penetration testing software tools that, in the right hands, can be put to great use.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
While systems and network administrators can use it for tasks such as network discovery and inventory, pentesters can similarly employ Nmap for reconnaissance and scanning, getting basic information such as what hosts are available on the network; what services (application name and version) those hosts are offering; what operating systems (and OS versions) they are running; what type of packet filters/firewalls are in use and several of other characteristics.
Nmap also includes a scripting module, so it is not limited to gathering basic information. Aside from network discovery, it can also perform vulnerability and backdoor detection, and even execute exploitations.
Wireshark is essentially the world’s most used network protocol analyzer. It allows for deep inspection of hundreds of protocols and live-traffic capture or offline analysis from a captured file. You can export information in XML, PostScript®, CSV or plain text format. Wireshark is a terrific tool for pentesters gathering and analyzing information.
Metasploit is an amazing tool for penetration testing. In fact, Metasploit is a framework and not a specific application, meaning it is possible to build custom tools for specific tasks. It comes in several versions (both free and paid), available for both Windows and Linux.
Metasploit is quite simple to use and was specifically designed to aid penetration testers. The common steps for exploiting any target are:
- Selecting and configuring the exploit to be targeted
- Selecting and configuring the the payload that will be used
- Selecting and configuring the encoding schema that will be used for trying to evade intrusion detection systems (IPSs)
- Executing the exploit
Nessus is an excellent vulnerability scanner. It provides comprehensive detection, including the ability to identify vulnerabilities, configuration issues and even malware on web applications.
Nessus is fast and accurate, and even though it is not designed for executing exploitations, it can be of terrific value for pentesters during the reconnaissance and scanning phases. It provides detailed target information that can be used by other tools (such as Metasploit) for exploitation.
Burp Suite is an integrated platform used for testing the security of web applications. Its contains several tools that work seamlessly together, supporting the entire testing process.
Burp can perform the initial mapping and analysis of an application’s attack surface, and goes as far as finding and exploiting security vulnerabilities. It contains the following components:
- Intercepting proxy: For inspecting and modifying traffic between your browser and the target application
- Application-aware spider: For crawling content and functionality
- Advanced web application scanner: For automating the detection of numerous types of vulnerabilities
- Intruder tool: For performing powerful customized attacks to find and exploit unusual vulnerabilities
- Repeater tool: For manipulating and resending individual requests
- Sequencer tool: For testing the randomness of session tokens
Burp also allows for the creation of plugins for performing complex and customized tasks. It is easy to use, highly customizable and contains numerous powerful features that can help the most experienced pentesters. In other works, it is an excellent tool for performing web application security assessments.
Nikto is an open source (GPL) web server scanner which performs comprehensive tests for multiple items against web servers.
Nikto can identify over 6,700 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers and scans for version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options and will also attempt to identify installed web servers and software.
A word of advice for pentesters: Nikto was not designed with a stealthy approach in mind. It will test a web server in the quickest time possible, and in most situations, it can easily be identified by an IPS/IDS.
Nikto’s primary functions include:
- SSL support
- Full HTTP proxy support
- Checking for outdated server components
- Creating reports in plain text, XML, HTML, NBE or CSV
- Scanning multiple ports on a server, or multiple servers via input file
- Ability to identify installed software via headers, favicons and files
- Host authentication with Basic and NTLM
- Subdomain guessing
- Apache and cgiwrap username enumeration
- Mutation techniques to “fish” for content on web servers
- Scan tuning to include or exclude entire classes of vulnerability checks
- Guessing credentials for authorization realms
- Enhanced false positive reduction via multiple methods
Nikto can also work in combination with Metasploit.
OpenVas (Open Vulnerability Assessment System) is a framework of several services and tools. The core of this SSL-secured, service-oriented architecture is the OpenVAS Scanner, a tool that can be used for executing network vulnerability tests (NVTs), which can be served either via the OpenVAS NVT Feed or by a commercial feed service.
It is a great solution that performs really well and can be used with ease during the scanning phase of a pentest. With a comprehensive list of plugins and very efficient features, it is capable of deeply scanning applications to collect data and responses from the server. This data can then be used by other tools (such as Metasploit) for exploiting web applications.