11.8 Webserver Pen Testing
Why Webserver Pen Testing?
- Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities: To retest the solution against vulnerability to ensure that it is completely secure.
- Identification of Web Infrastructure: To identify make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities.
Web Server Penetration Testing
- Web server pen testing is used to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol related vulnerabilities, etc. in a web server.
- The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.
- Webserver penetration testing starts with collecting as much information as possible about an organization ranging from its physical location to operating environment.
- Use social engineering techniques to collect information such as human resources, contact details, etc. that may help in webserver authentication testing.
- Use Whois database query tools to get the details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.
- Note: Refer Module 02: Footprinting and Reconnaissance for more information gathering techniques.
- Fingerprint web server to gather information such as server name, server type, operating systems, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.
Use tools such as httprecon, ID Serve
- Crawl website to gather specific types of information from web pages, such as email addresses.
Use tools such as httprint, HTTrack, WebCopier Pro
- Enumerate webserver directories to extract important information such as web functionalities, login forms etc.
Use tools such as DirBuster
- Perform directory traversal attack to access restricted directories and execute commands outside of the web server's root directory.
Use automated tools such as DirBuster
- Perform vulnerability scanning to identify weaknesses in a network using tools such as HP Weblnspect, Nessus etc. and determine if the system can be exploited.
- Perform HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
執行HTTP response splitting攻擊
- Perform web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in cache.
執行web cache poisoning攻擊
- Bruteforce SSH, FTP, and other services login credentials to gain unauthorized access.
- Perform session hijacking to capture valid session cookies and IDs. Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
執行session hijacking來取得有效session cookies和IDs。使用工具像是Burp Suite、Hamster或Firesheep等
- Perform MITM attack to access sensitive information by intercepting and altering communications between an end-user and webservers.
- Note: Refer Module 13: Hacking Web Applications for more information on how to conduct web application pen testing.
參考Module 13取得更多關於執行web application滲透測試內容
- Use tools such as Webalizer, AWStats, Ktmatu Relax, etc. to examine web sever logs.
使用如Webalizer、AWStats或Ktmatu Relax來分析web server log檔
- Use tools such as Metasploit, w3af, etc. to exploit frameworks.
Web Server Pen Testing Tools: CORE Impact Pro, Immunity CANVAS and Arachni
- CORE Impact Pro: CORE Impact Pro is the software solution for assessing and testing security vulnerabilities in the organization.
- Immunity CANVAS: CANVAS is an automated exploitation system, and a comprehensive, reliable exploit development framework to security professionals and penetration testers.
- Arachni: Arachni is an open source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.