
Module 08: Web Application Penetration Testing Methodology 3

Written By AKADEMY on Thursday, July 4, 2019 | 10:09 PM

Exercise 3: Pentesting Identified Web Applications Vulnerabilities

Scenario

In the previous lab exercise, you performed web application vulnerability analysis using Vega. In that exercise, the web app scanner discovered two major vulnerabilities: XSS and SQL Injection. When attackers identify such vulnerabilities, they gain access to sensitive information, leading to a data breach.
As a Penetration Tester, you should have knowledge of how to pentest these vulnerabilities and extract sensitive data.
In this lab, you will learn how to:
i. Pentest a cross-site scripting vulnerability using JavaScript
ii. Pentest a SQL injection vulnerability using sqlmap
Lab Duration: 30 Minutes
  1. In this task, we are going to perform a Cross-Site Scripting attack on the www.luxurytreats.com website, since we found in the previous exercise that this site has an XSS vulnerability.
  2. Click Kali Linux (External Network).
    If Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  3. Type root in the Username field and click Next.
    Screenshot
  4. Type toor in the password field and click Sign In.
    Screenshot
  5. Launch a web browser, type http://www.luxurytreats.com and press Enter to launch the luxurytreats website as shown in the screenshot.
    Screenshot
  6. Click on the Contact page from the menu (at top-right). The Contact page appears as shown in the screenshot.
    Screenshot
  7. Enter any email id in the Email field.
    Type <script>alert("XSS attack")</script> in the Comment field and click Save Comment.
    Here, we have used abc@testmail.com as a sample mail ID. You can use any email ID as per your preference.
    Screenshot
  8. A pop-up window appears displaying "XSS attack". This proves that the website is vulnerable to XSS.
    Click OK and close all the opened windows.
    Screenshot
  9. Comment Successfully Added! will appear displaying the email ID which you have entered in the Email field.
    This suggests that the script has been stored in the backend database, and whenever anyone opens the Contact page, the script is executed and the pop-up window displaying "XSS attack" appears. You can confirm this by reloading the Contact page.
    Screenshot
  10. Close all the opened windows.
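The stored XSS above happens because the saved comment is written back into the Contact page without encoding. The following added example (not part of the original lab) contrasts a vulnerable renderer with one that HTML-escapes untrusted values at output time; the comment data and page layout are constructed, and the comment text is the exact payload from step 7.

```python
import html

# Constructed sample data: the comment stored in step 7 of the lab and one
# benign comment that legitimately contains an angle bracket.
COMMENTS = [
    ("abc@testmail.com", '<script>alert("XSS attack")</script>'),
    ("guest@example.com", "Rooms were great, 5 < 6 stars is unfair!"),
]

# Defense in depth: a policy without 'unsafe-inline' stops an injected inline
# <script> from running even if escaping is missed somewhere in the app.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


def render_contact_page_unsafe(comments):
    """Vulnerable rendering: stored comments are interpolated into the HTML as-is,
    so the <script> saved in step 7 runs on every later visit (step 9)."""
    items = [f"<li><b>{email}</b>: {text}</li>" for email, text in comments]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def render_contact_page_safe(comments):
    """Fixed rendering: every untrusted value is HTML-escaped at output time.
    html.escape() also escapes quotes, so the same call is safe inside attributes."""
    items = [
        f"<li><b>{html.escape(email)}</b>: {html.escape(text)}</li>"
        for email, text in comments
    ]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def contains_script_tag(page):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_contact_page_unsafe(COMMENTS))
    print(render_contact_page_safe(COMMENTS))
```

Note that the benign comment's `<` is escaped to `&lt;` and still displays correctly, so escaping costs nothing for legitimate input.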
  11. From our Vega scan in the previous exercise, we observed that www.luxurytreats.com is vulnerable to SQL Injection. Here we are going to attempt a SQL Injection attack on the website to extract sensitive information from its database.
    Screenshot
  12. Double-click on SQL Injection Request file on Desktop to open the file.
    Screenshot
  13. SQL Injection Request File opens up as shown in the screenshot.
    Screenshot
  14. Select all the content, right-click on it and click Copy to copy the complete request content. Minimize the text editor after copying.
    Screenshot
  15. Now we shall use sqlmap to extract databases.
    To extract, open a command terminal, type the following command and press Enter.
    sqlmap -u "www.luxurytreats.com" --method POST --data "[Copied POST Request]" --dbs
    Screenshot
  16. sqlmap displays a notification guessing the backend database as Microsoft SQL Server and asks you if you want to skip test payloads specific for other DBMSes.
    Type y and press Enter to skip test payloads specific for other DBMSes.
    Screenshot
  17. Type Y and press Enter to include all the tests for Microsoft SQL Server extending provided level (1) and risk (1) values.
    Screenshot
  18. Type N and press Enter to skip testing the other parameters.
    Screenshot
  19. sqlmap extracts all the databases in the DBMS as shown in the screenshot below.
    In this lab, we shall target the hotel database.
    Screenshot
  20. Type sqlmap -u "www.luxurytreats.com" --method POST --data "[Copied POST request]" -D hotel --tables and press Enter to extract tables in the hotel database.
    Screenshot
  21. The tables in the hotel database are extracted as shown in the screenshot. We will use the CustomerLogin table and extract its details in the next step.
    Screenshot
  22. Type sqlmap -u "www.luxurytreats.com" --method POST --data "[Copied POST request]" -D hotel -T CustomerLogin --dump and press Enter to dump all the rows of the CustomerLogin table.
    Screenshot
  23. sqlmap displays a notification asking you whether you want to store hashes to a temporary file. Type N and press Enter.
    Screenshot
  24. Type Y and press Enter to crack the hashes via a Dictionary-based attack.
    Screenshot
  25. sqlmap asks you to choose a dictionary. Type 1 and press Enter to choose sqlmap default dictionary file.
    Screenshot
  26. Type N and press Enter if you are prompted regarding common password suffixes as shown in the screenshot.
    Screenshot
  27. The passwords for the respective usernames are cracked as shown in the screenshot.
    The screenshot also displays the columns present in the CustomerLogin table.
    Screenshot
  28. Launch the Firefox web browser and browse http://www.luxurytreats.com website.
    Use username admin and password Passw0rd to log in to the website as shown in the screenshot.
    Screenshot
  29. You will be successfully logged into the website with the cracked credentials.
    Screenshot
  30. Close all the opened windows.
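sqlmap could enumerate the hotel database because the POST parameters are concatenated into a SQL statement. The following added example (not the lab's or the website's code) uses an in-memory SQLite table named after the lab's CustomerLogin table to show the vulnerable pattern beside the parameterised fix, and the probe that tells them apart; the column names and the plain-text credential storage are assumptions made to keep it short, and the real backend is Microsoft SQL Server.

```python
import sqlite3


def make_hotel_db():
    """Constructed in-memory stand-in for the lab's hotel database. The real
    backend is Microsoft SQL Server and the column names are assumptions; the
    credential is stored in plain text here only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CustomerLogin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO CustomerLogin VALUES ('admin', 'Passw0rd')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so a quote in the POST body
    is parsed as SQL. This is the pattern behind the finding Vega reported."""
    sql = (
        "SELECT COUNT(*) FROM CustomerLogin WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] == 1


def login_fixed(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    statement text, so quotes in the input remain data."""
    sql = "SELECT COUNT(*) FROM CustomerLogin WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def quote_probe(login, conn):
    """Submits a legitimate value containing an apostrophe. A database error
    from the concatenated version is the signal scanners such as Vega and
    sqlmap look for; the parameterised version simply reports a failed login."""
    try:
        login(conn, "O'Brien", "anything")
        return "login failed cleanly"
    except sqlite3.OperationalError:
        return "sql syntax error"


if __name__ == "__main__":
    db = make_hotel_db()
    print("vulnerable:", quote_probe(login_vulnerable, db))
    print("fixed:     ", quote_probe(login_fixed, db))
```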
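Steps 23 to 27 succeeded because the dumped hashes were unsalted and fast to compute, so one pass over a dictionary recovered them. This added example (not from the lab) reproduces that weakness in miniature with a constructed five-word list, then shows the storage scheme that blunts it: a per-user random salt and a slow KDF, so identical passwords produce different records and no precomputed list applies.

```python
import hashlib
import hmac
import os

# Constructed stand-in for sqlmap's default dictionary; the real file is far larger.
WORDLIST = ["123456", "password", "qwerty", "Passw0rd", "letmein"]
ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def md5_store(password):
    """How the dumped hashes behaved: unsalted and fast, so two users with the
    same password share one hash and one dictionary pass covers them both."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_lookup(stored_hash, wordlist):
    """Step 24 in miniature: hash each word once and compare.
    Returns the matching word, or None if the list is exhausted."""
    for word in wordlist:
        if md5_store(word) == stored_hash:
            return word
    return None


def pbkdf2_store(password, salt=None):
    """Mitigation: per-user random salt plus a deliberately slow KDF. Returns a
    self-describing record so verification can recover salt and iteration count."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recomputes the derived key from the stored salt and compares in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("md5 lookup:", dictionary_lookup(md5_store("Passw0rd"), WORDLIST))
    print("same password, two records:", pbkdf2_store("Passw0rd") != pbkdf2_store("Passw0rd"))
```

The admin password cracked in step 27, Passw0rd, falls to the tiny list here because a wordlist hit against an unsalted hash is a single comparison; with per-user salts the attacker must repeat the whole slow computation for every user separately.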
In this lab, you have learned how to pentest XSS and SQL injection vulnerabilities that were discovered by a web application vulnerability scanner.
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved