Which Weapon Should I Choose for Web Penetration Testing? – First Edition
Introduction
Here is the first edition of my selection of penetration testing tools for web applications. There will be more editions of this topic so if you have a tool that you have used in performing web penetration testing, you can add its link in the comments and if it’s good I will write a review of it, I promise.
Powerfuzzer
- Official web site: http://www.powerfuzzer.com/
- License: Open Source (GNU General Public License)
- Additional Information: No changes made since 2009
Usage and capabilities:
So the first tool I am going to describe is Powerfuzzer v1 Beta. I chose it as the first one because it is the simplest tool to use, which makes it an excellent choice for beginners.
Figure 1. User interface of Powerfuzzer v1 Beta
As you can see, its usage is straightforward. You have the “Target URL”, which is the site that will be tested, and “Exclude URL/s or dir”, where you can exclude directories or links that you don’t want to be tested, such as scripts for deleting users. Then there is the “Credentials” section for parts of your web application that require a username, password or a session. “Proxy” is used to make the testing anonymous. Next is the “Timeout” option, where you set the timeout between requests. “Verbosity” is where you select the “strength” of the testing, such as the number of requests and tests. According to the official website, this tool detects the following types of vulnerabilities:
- Injections (SQL, LDAP, code, commands, and XPATH)
- CRLF
- HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)
The scan report (the results of the scanning) is displayed as simply as possible, as in the following picture. As you can see, if a vulnerability is found, it is described in the following format: “<Type of vulnerability> in <Link> with parameters <Cause for the vulnerability> coming from <Redirected from link>.”
Figure 2. Displaying the results when the scanning is finished
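As an added example (not part of the original article or of the Powerfuzzer project), the following Python script parses report lines written in the format just described and groups the findings by vulnerability type and affected URL, which the tool's own report does not do. The sample lines are constructed to follow that format and use example.test as a placeholder host.

```python
import re
from collections import defaultdict

# Constructed sample report lines that follow the format described in the article:
# "<Type> in <Link> with parameters <Cause> coming from <Redirected from link>."
SAMPLE_REPORT = """\
SQL injection in http://example.test/item.php with parameters id coming from http://example.test/index.php.
XPATH injection in http://example.test/search.php with parameters q coming from http://example.test/index.php.
CRLF in http://example.test/redirect.php with parameters url coming from http://example.test/login.php.
SQL injection in http://example.test/user.php with parameters uid coming from http://example.test/item.php.
HTTP 500 in http://example.test/export.php with parameters fmt coming from http://example.test/admin.php.
"""

# One regex for the whole sentence; the trailing full stop is optional.
FINDING_RE = re.compile(
    r"^(?P<type>.+?) in (?P<link>\S+) with parameters (?P<cause>.+?) "
    r"coming from (?P<origin>\S+?)\.?$"
)


def parse_report(text):
    """Turn each matching report line into a dict; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def group_by_type(findings):
    """Group findings by vulnerability type -> list of (link, parameter)."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["type"]].append((f["link"], f["cause"]))
    return dict(grouped)


def affected_scripts(findings):
    """Sorted unique vulnerable URLs, usable as a remediation checklist."""
    return sorted({f["link"] for f in findings})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for vtype, items in group_by_type(found).items():
        print(f"{vtype} ({len(items)})")
        for link, cause in items:
            print(f"  {link}  parameter: {cause}")
```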
Pros:
- Very simple usage
- Pretty powerful for fast testing
- Doesn’t require any experience to use
Cons:
- The options are placed randomly across the tool.
- The report is not very detailed and it doesn’t group the results.
- The tool hasn’t been updated since 2009.
N-Stalker
- Official web site: http://www.nstalker.com/
- License: Enterprise, Infrastructure and Free edition
- Additional Information: Lots and lots of tools in one
Usage and capabilities:
Figure 3. User interface of N-Stalker
When you see this tool, you can conclude that it is made professionally for professional use. From the main screen, you can see that everything is nicely grouped and organized which makes penetration testing easy even for beginners. Because there are a lot of offered options, I will only explain the parts that look interesting to me such as the scanning process, the policy editor and the report manager.
Figure 4. Selected option from the menu – Policy Editor
I’ll start with the Policy Editor, because before performing a scan you need to set a Policy with well-defined rules. When you start the Policy Editor, you will see a nice tree of rules on the left side and the description of the selected rule on the right side.
Figure 5. Options of Policy editor
The description of the current rule is pretty good and detailed and it is composed of: name of the vulnerability, level of severity, vulnerability class, target server, common references, description, solution/fix for the vulnerability and URL references.
Figure 6. Description of a rule
Figure 7. Create, close and save options
When you are finished setting the rules for the policy, you can also give it its own name (usually I name it after the target that I scan).
So, the next option that I will explain is the scanning. When you start the Scan Wizard (you can do that by clicking the top-left Start button), the following screen will appear (Figure 7). Here you can add your application URL and then choose the Scan Policy, which defines what kind of test you will perform, or you can choose a previous Scan Session. The Load Spider Data option will not be described, since it’s not available in the free version of N-Stalker.
After setting up the target, the next step is Optimize Settings. Here you can find a lot of options with which you can customize your scan policy even further. There are options for Authentication (if your web application uses any), a False-Positive mechanism where you can set rules for skipping links with certain file extensions, info pages that display the status of the web application (such as 404 or 403), or a regular expression filter. Engine is where you define the settings for the web spider, and Miscellaneous is where you set which hosts are allowed to be scanned.
You can try these options by yourself; I will just continue with the optimization, so click Optimize and see what will happen.
Figure 8. Options for the step Optimizing Settings
When you are finished with the optimization process, the next step is the summary, where you can see detailed information about the scan session that will be performed.
Figure 9. Summary of the defined settings for the scan session
When you start the scan (by clicking the top-left Start Scan button), you will notice that the scanning environment is really something special. That’s because of the Website Tree tab and the Scanner Events tab, where every action is nicely grouped and where the directory structure of the scanned web application can easily be viewed. The Website Tree groups the files that the application is composed of (not necessarily all files of the application, because there could be access restriction rules in place). Then there’s the Scanner Events tab, the event viewer for the results of the scan, and the Scanner Dashboard, where you can see the information for an event chosen from the Scanner Events tab.
Figure 10. Performing a scan
When you have finished the scanning process, the Results Wizard will appear, and here you can choose to save or discard the results of the scanning session.
Figure 11. Finishing touch of the scanning process
When you’re finished with the session, open the Report Manager. On the left side on the Available Scan Session tab, choose the report of the scan session that you have saved. Here is my favorite part: right click on the result and choose Technical Report -> Generate PDF. When you have finished generating the PDF, open it and you’ll see that this is an awesome feature of N-Stalker. The report is well organized, very detailed, the results are nicely grouped, and even the scanning policy is part of the report where you can see what rules you have used. That’s all for N-Stalker.
Pros:
- So many tools
- Great policy management
- Detailed and professional report
- Great community
Cons:
- Annoying advertising window
- The interface of N-Stalker is very similar to the software from Microsoft Office.
- The free version is useless; see the options that are offered in the free version – http://www.nstalker.com/products/compare-editions/security-checks/.
- The enterprise edition has a very expensive price for an unlimited website license – $5,000 (should be named Overpriced Edition).
w3af
- Official web site: http://w3af.sourceforge.net
- License: Open Source (GNU General Public License)
- Additional Information: On the official website, every plugin is described in detail. w00t!
- Tested version: v1.2 Revision: 6647
Usage and capabilities:
The first time you open w3af, you will find it pretty confusing, because all the options displayed at the top are icons without text describing what kind of tools they are. Hovering the mouse over an icon shows its description, but that is not convenient (especially when you repeat the same action many times). I hope that the developers will change this.
Figure 12. w3af interface
We will begin with the Profiles tab, which serves as a policy of rules defined for the scan. You can create, delete or modify a Profile. The grouping is nicely organized, but the profile title lacks a description.
Figure 13. Grouping of the profiles
When you select a profile, the Plugin and Active columns show you which tools and types of tools are selected for the current scanning session. Again the grouping is nicely done, but this tab lacks descriptions, so I look forward to the developers improving this.
Figure 14. Scanning options for the profiles
Figure 15. Defining the target that will be scanned
In the Target bar, just input the URL of your web application and click start in order to start the scanning process.
Figure 16. Creating a profile wizard
To create a profile for a scanning session, start the wizard by clicking the first icon on the top bar. To be honest, the wizard is excellent. In the first step, you select what kind of wizard, infrastructure or short, will be used. The next step is to define the target that will be scanned.
Figure 17. Defining the target
Figure 18. Selecting type of plugin/s
After defining the target’s link, you choose which type of plugins will be included for your scanning sessions.
Figure 19. Selecting type of plugin/s
Figure 20. Naming the profile
The last step is to define the name of the profile (I skipped some intermediate steps). After you have finished creating the profile, start the scanning session and see what happens.
Figure 21. Display of logs
The log tab is the place where you can view additional information about the current scanning session.
Figure 22. Display of the scanned URLs
In the Results tab, you can view the directory tree of your application which looks pretty awesome.
Figure 23. Exploiting the vulnerabilities found
And the last part is the Exploit tab where you can exploit the vulnerabilities that have been found.
Pros:
- Clear and concise user guide
- Lots of plugins
- On the official web site, every plugin is described in detail.
- Scanned URLs are nicely displayed.
Cons:
- Needs some time to get used to
- An unhandled exception was raised – you will probably find the Bug Detected screen annoying.
Conclusion
You can only draw a conclusion about a tool after you have used it. I hope you liked my selection of tools for penetration testing. I don’t want to offend anybody with this review; it is just my point of view that every tool could be improved and become even better. See you in the next edition.